From 64cceca4843b64ecf045943ce9fdbbadb8fe0310 Mon Sep 17 00:00:00 2001
From: Mohannad Raafat <62453654+para0x0dise@users.noreply.github.com>
Date: Thu, 31 Oct 2024 23:57:16 +0300
Subject: [PATCH] Update lolbas.py

---
 modules/signatures/windows/lolbas.py | 44 +++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/modules/signatures/windows/lolbas.py b/modules/signatures/windows/lolbas.py
index c4965089..fec8ff02 100644
--- a/modules/signatures/windows/lolbas.py
+++ b/modules/signatures/windows/lolbas.py
@@ -481,7 +481,7 @@ class LOLBAS_ExecuteBinaryViaInternetExplorerExporter(Signature):
     def __init__(self, *args, **kwargs):
         Signature.__init__(self, *args, **kwargs)
         self.detected = False
-        self.blacklistedNames = ["mozcrt19.dll", "mozsqlite3.dll", "sqlite3.dll"]
+        self.blacklistedNames = ("mozcrt19.dll", "mozsqlite3.dll", "sqlite3.dll")
         self.whitelistedDirectories = [
             "\\program files (x86)\\",
             "\\program files\\",
@@ -568,3 +568,45 @@ def run(self):
                 return True
         return False
+
+class LOLBAS_ExecuteBinaryViaPcalua(Signature):
+    name = "execute_binary_via_pcalua"
+    description = "Attempts to execute a binary using Microsoft Program Compatibility Assistant binary"
+    severity = 3
+    categories = ["bypass", "execution"]
+    authors = ["@para0x0dise"]
+    minimum = "1.2"
+    ttps = ["T1218"]
+    references = ["https://lolbas-project.github.io/lolbas/Binaries/Pcalua/"]
+    evented = True
+
+    def run(self):
+        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "pcalua.exe" in lower and "-a" in lower and not "-d" in lower:
+                self.data.append({"command": cmdline})
+                return True
+
+        return False
+
+class LOLBAS_ExecuteBinaryViaCDB(Signature):
+    name = "execute_binary_via_pcalua"
+    description = "Attempts to execute a binary using Microsoft Windows Debugging utility cdb.exe"
+    severity = 3
+    categories = ["bypass", "execution"]
+    authors = ["@para0x0dise"]
+    minimum = "1.2"
+    ttps = ["T1218"]
+    references = ["https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"]
+    evented = True
+
+    def run(self):
+        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "cdb.exe" in lower and any(arg in lower for arg in ("-cf", "-c", "-pd")):
+                self.data.append({"command": cmdline})
+                return True
+
+        return False
\ No newline at end of file
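Review bot: `LOLBAS_ExecuteBinaryViaCDB` copies `name = "execute_binary_via_pcalua"` from the class above it, so both signatures report under the same identifier and a cdb.exe hit is indistinguishable from a pcalua.exe hit in the results; it should be `name = "execute_binary_via_cdb"`. The switch checks in both `run()` methods are bare substring tests on the whole lowercased command line, so `"-a" in lower` / `"-c" in lower` fire on any path or argument that happens to contain those two characters (and `"-c"` already subsumes `"-cf"`, making that tuple entry dead), while `not "-d" in lower` silences the pcalua alert whenever `-d` appears anywhere in the line, which an attacker can arrange trivially if pcalua tolerates extra arguments — worth confirming against the referenced LOLBAS entry before relying on that exclusion. Splitting first, `args = lower.split()`, and testing `"-a" in args and "-d" not in args` (and `any(arg in args for arg in ("-cf", "-c", "-pd"))` for cdb) keeps the match on actual switches rather than on substrings of paths. Both classes also set `evented = True` while implementing only `run()`; if this project's `Signature` base dispatches `on_call` for evented signatures, the flag is either unnecessary or leads to an unimplemented handler — compare with the other evented signatures in this file, which are outside the hunk.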