LOLBAS-Project · wietze · Oct 1, 2024 · Oct 1, 2024
diff --git a/YML-Schema.yml b/YML-Schema.yml
@@ -74,6 +74,7 @@ mapping:
           "Path":
             type: str
             required: true
+            pattern: '^(([cC]:)\\([a-zA-Z0-9\-\_\. \(\)\<\>]+\\)*([a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$'
   "Code_Sample":
     type: seq
     required: false

diff --git a/yml/HonorableMentions/Code.yml b/yml/HonorableMentions/Code.yml
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1219
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: '%LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe'
+  - Path: 'C:\Users\<username>\AppData\Local\Programs\Microsoft VS Code\Code.exe'
   - Path: C:\Program Files\Microsoft VS Code\Code.exe
   - Path: C:\Program Files (x86)\Microsoft VS Code\Code.exe
 Detection:

diff --git a/yml/HonorableMentions/PowerShell.yml b/yml/HonorableMentions/PowerShell.yml
@@ -26,8 +26,8 @@ Commands:
     MitreID: T1059.001
     OperatingSystem: Windows 7 and up
 Full_Path:
-  - Path: '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe'
-  - Path: '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+  - Path: 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe'
+  - Path: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell
 Resources:

diff --git a/yml/OSBinaries/OneDriveStandaloneUpdater.yml b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1105
     OperatingSystem: Windows 10
 Full_Path:
-  - Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
 Detection:
   - IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
   - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files

diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml
@@ -1,7 +1,7 @@
 ---
 Name: msedge_proxy.exe
 Full_Path:
-  - Path: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe
+  - Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
 Description: Microsoft Edge Browser
 Author: 'Mert Daş'
 Created: 2023-08-18

diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
@@ -26,8 +26,7 @@ Commands:
     MitreID: T1216
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
-  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
+  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\<version>\bin\Pester.bat
 Code_Sample:
   - Code:
 Detection:

diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml
@@ -59,7 +59,7 @@ Commands:
     Tags:
       - Execute: WSH
 Full_Path:
-  - Path: No fixed path
+  - Path: no default
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
   - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml

diff --git a/yml/OtherMSBinaries/Createdump.yml b/yml/OtherMSBinaries/Createdump.yml
@@ -12,10 +12,10 @@ Commands:
     MitreID: T1003
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
-  - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
-  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+  - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\<version>\createdump.exe
+  - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\<version>\createdump.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml

diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1218
     OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files (x86)\Microsoft\DefaultPack\
+  - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
 Code_Sample:
   - Code:
 Detection:

diff --git a/yml/OtherMSBinaries/Devinit.yml b/yml/OtherMSBinaries/Devinit.yml
@@ -12,8 +12,8 @@ Commands:
     MitreID: T1218.007
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\Tools\devinit\devinit.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\Tools\devinit\devinit.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
 Resources:

diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows
 Full_Path:
-  - Path: N/A
+  - Path: no default
 Code_Sample:
   - Code:
 Detection:

diff --git a/yml/OtherMSBinaries/DumpMinitool.yml b/yml/OtherMSBinaries/DumpMinitool.yml
@@ -12,7 +12,7 @@ Commands:
     MitreID: T1003.001
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions\DumpMinitool.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml

diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml
@@ -19,7 +19,7 @@ Commands:
     MitreID: T1059
     OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
-  - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
+  - Path: C:\Program Files\dotnet\sdk\<version>\FSharp\fsi.exe
   - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
 Code_Sample:
   - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1

diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml
@@ -19,10 +19,10 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86\mftrace.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe
 Code_Sample:
   - Code:
 Detection:

diff --git a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
@@ -12,8 +12,8 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml

diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml
@@ -40,7 +40,7 @@ Commands:
     MitreID: T1218
     OperatingSystem: Windows 7 and up with Microsoft Teams installed
 Full_Path:
-  - Path: '%localappdata%\Microsoft\Teams\current\Squirrel.exe'
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Squirrel.exe'
 Code_Sample:
   - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection:

diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml
@@ -26,7 +26,7 @@ Commands:
     MitreID: T1218.015
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe'
 Code_Sample:
   - Code: https://github.com/lltltk/LOLBAS-research/tree/master/Teams
 Detection:

diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml
@@ -96,7 +96,7 @@ Commands:
     MitreID: T1070
     OperatingSystem: Windows 7 and up with Microsoft Teams installed
 Full_Path:
-  - Path: '%localappdata%\Microsoft\Teams\update.exe'
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\update.exe'
 Code_Sample:
   - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection:

diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
@@ -12,9 +12,9 @@ Commands:
     MitreID: T1218
     OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\arm64\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\UIAVerify\VisualUiaVerifyNative.exe
 Code_Sample:
   - Code:
 Detection:

diff --git a/yml/OtherMSBinaries/VsLaunchBrowser.yml b/yml/OtherMSBinaries/VsLaunchBrowser.yml
@@ -28,8 +28,8 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\{version}\Community\Common7\IDE\VSLaunchBrowser.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\{version}\Community\Common7\IDE\VSLaunchBrowser.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\VSLaunchBrowser.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\VSLaunchBrowser.exe
 Detection:
   - IOC: cmd.exe as sub-process of VSLaunchBrowser
   - IOC: URL on a VSLaunchBrowser command line

diff --git a/yml/OtherMSBinaries/devtunnels.yml b/yml/OtherMSBinaries/devtunnels.yml
@@ -12,8 +12,8 @@ Commands:
     MitreID: T1105
     OperatingSystem: Windows 10, Windows 11, MacOS
 Full_Path:
-  - Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\
-  - Path: C:\Users\<username>\AppData\Local\Temp\DevTunnels
+  - Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\devtunnel.exe
+  - Path: C:\Users\<username>\AppData\Local\Temp\DevTunnels\devtunnel.exe
 Detection:
   - IOC: devtunnel.exe binary spawned
   - IOC: '*.devtunnels.ms'

diff --git a/yml/OtherMSBinaries/xsd.yml b/yml/OtherMSBinaries/xsd.yml
@@ -14,7 +14,7 @@ Commands:
     Tags:
       - Download: INetCache
 Full_Path:
-  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\{version}\bin\NETFX {version} Tools\xsd.exe
+  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\<version>\bin\NETFX <version> Tools\xsd.exe
 Detection:
   - IOC: URL on a xsd.exe command line
   - IOC: xsd.exe making unexpected network connections or DNS requests