A curated collection of Living off the Land (LotL) attack demonstrations where trusted binaries go rogue, because if it didn’t launch calc.exe, did it even happen?

Logisek/CalcOrItDidntHappen

Calc Or It Didn't Happen

This repo showcases practical PoCs using LOLBAS techniques to execute commands without dropping malware. Whether you're a red teamer, researcher, or just here for the chaos, you'll find "weaponized" LOL moments and harmless-looking binaries doing suspiciously powerful things (or not).

💻 Built for demos.

🎩 Powered by misused trust.

🔍 Monitored by defenders (hopefully).

💣 Triggered by AddInUtil, msbuild, certutil, and friends.


RED

AddinUtil

.NET Tool used for updating cache files for Microsoft Office Add-Ins.

python3 AddinUtil.py

Aspnet_Compiler

ASP.NET Compilation Tool

python3 Aspnet_Compiler.py

AppInstaller

Tool used for installation of AppX/MSIX applications on Windows 10

python3 AppInstaller.py

Schtasks

Schedule periodic tasks

python3 Schtasks.py

Atbroker

Assistive Technology (AT) helper binary

Administrative Privileges Required

python3 Atbroker.py

Bitsadmin

Used for managing Background Intelligent Transfer Service (BITS) jobs

python3 Bitsadmin.py

CertOC

Used for installing certificates. Included in Windows Server.

python3 CertOC.py

Certutil

Windows binary used for handling certificates

Administrative Privileges Required

python3 Certutil.py

Fodhelper

Manage optional features in Windows

python3 Fodhelper.py

Control

Binary used to launch Control Panel items in Windows

python3 Control.py

Csc

Binary file used by .NET Framework to compile C# code

python3 Csc.py

Advpack

Utility for installing software and drivers with rundll32.exe

python Advpack.py

Forfiles

Selects and executes a command on a file or set of files. This command is useful for batch processing.

python Forfiles.py

BLUE

Microsoft Intune Configuration - Blocking Unwanted Executables

  • Microsoft Intune admin center -> Devices -> Configuration -> New Policy
    • Assignment: Devices only, NOT users.
    • Platform: Windows 10 and later
    • Policy Type: Custom
    • Add OMA-URI Settings rule

OMA-URI

  • The {Grouping} field can be assigned any string value, allowing users to create and define custom groups as needed.
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{GROUPING}/EXE/Policy

Basic XML String Value sample

  • The following XML rules represent a basic ruleset and should be carefully reviewed and enhanced to meet your organizational requirements before applying them to your Intune OMA-URI policy.

  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="{GUID}" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="{GUID}" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="{GUID}" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
    <FilePublisherRule Id="{GUID}" Name="ADDINUTIL.EXE, in MICROSOFT® .NET FRAMEWORK, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® .NET FRAMEWORK" BinaryName="ADDINUTIL.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
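As an added pre-flight check (example code written for this page, not part of the repo): a script that validates the string value before it goes into the OMA-URI, flagging {GUID} placeholders that were never replaced, an EnforcementMode that does not enforce, a publisher Deny rule that is wider than one binary, and an enforced collection with no Allow rule at all. SAMPLE is a constructed, trimmed copy of the ruleset above with the placeholders left in.

```python
# Added example (not part of the repo): pre-flight checks for the AppLocker RuleCollection string value.
import re
import uuid
import xml.etree.ElementTree as ET

GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)

# Constructed, trimmed copy of the README sample; the {GUID} placeholders are left in on purpose.
SAMPLE = r"""<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
  <FilePathRule Id="{GUID}" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePublisherRule Id="{GUID}" Name="Deny ADDINUTIL.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                              ProductName="MICROSOFT® .NET FRAMEWORK" BinaryName="ADDINUTIL.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>"""

def fill_guids(xml_text: str) -> str:
    """Replace every {GUID} placeholder with a fresh, unique rule Id."""
    return re.sub(r"\{GUID\}", lambda _: str(uuid.uuid4()), xml_text)

def check_rule_collection(xml_text: str) -> list[str]:
    """Return findings that would make the policy fail open or fail closed; [] means deployable."""
    findings = []
    root = ET.fromstring(xml_text)
    # Anything but Enabled (NotConfigured / AuditOnly) means the Deny rules never block anything.
    if root.get("EnforcementMode") != "Enabled":
        findings.append(f"EnforcementMode={root.get('EnforcementMode')!r}: Deny rules are not enforced")
    actions = set()
    for rule in root:
        rid, name = rule.get("Id", ""), rule.get("Name", "?")
        actions.add(rule.get("Action"))
        if not GUID_RE.match(rid):
            findings.append(f"{name}: Id {rid!r} is not a GUID (placeholder not replaced?)")
        if rule.tag == "FilePublisherRule" and rule.get("Action") == "Deny":
            cond = rule.find("Conditions/FilePublisherCondition")
            # A Deny with BinaryName="*" denies every binary signed under that publisher/product.
            if cond is None or cond.get("BinaryName", "*") == "*":
                findings.append(f"{name}: Deny publisher rule needs a specific BinaryName")
    # Once enforced, an Exe collection with no Allow rule blocks every executable (fail closed).
    if "Allow" not in actions:
        findings.append("no Allow rule: an enforced collection would block all executables")
    return findings
```

Run it on the exact string you paste into the OMA-URI value; an empty list is the signal to proceed, and each finding names the rule it applies to.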

Create AppLockerPolicy XML files

Create your AppLocker policy on a lab machine via secpol.msc or GPO, export it to XML, and deploy it.

  • Windows Key + R
  • secpol.msc
  • Application Control Policies -> AppLocker -> Executable Rules -> Create new Rule
    • Permissions Action: Deny
    • Conditions: Publisher
  • Right click on AppLocker -> Export Policy

Useful links

