Wietze
Note: this PR is not ready for merging yet. E.g. the following command:

```bash
tools/sigmac --target=sql --config sysmon rules/windows/registry_event/sysmon_comhijack_sdclt.yml
```

Generates:

```SQL
SELECT * FROM eventlog WHERE (EventID IN ("12",...
```
Using 7b208e8021a935b39edd58cc2996595c0135f722 as a base, I have checked all LOLBAS entries on a default installation on Windows 11 (21H2). As you might expect, most entries that worked on Windows 10...
For every entry relying on a DLL with an entry point, it would be good if we could also record the corresponding ordinal. For example, `comsvcs.dll` can be used to...
When trying to validate the behaviour described in [devtoolslauncher.yml](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml) (#46) I have been unable to find the executable in question. The tweet suggests it is either Visual Studio Code...
Tested on Windows 11, can confirm it works as described.
Are you planning on supporting the new transparency options introduced in Windows 10, 1803?
A significant number of download LOLBAS entries will download the payload to a random folder under `%LOCALAPPDATA%\Microsoft\Windows\INetCache`. Because the location is hard (if not impossible) to predict, obtaining the payload...
First of all, thank you for sharing this project with the community. I wanted to pull the latest version via Docker Hub, however it appears your user and project are...