MD files generate from Script, and adjustments to readme

2025-07-26 20:22:24 +02:00 · 2018-09-14 15:48:52 +02:00
parent eef9e78be8
commit c949e100bd
221 changed files with 2729 additions and 158 deletions
--- a/OtherBinaries/AcroRd32.exe.md
+++ b/OtherBinaries/AcroRd32.exe.md
@@ -0,0 +1,16 @@
+## AcroRd32.exe
+* Functions: Execute
+```
+
+Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
+Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/997997818362155008
+   
+* Full path:   
+  * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken  
+   
--- a/OtherBinaries/AcroRd32.yml
+++ b/OtherBinaries/AcroRd32.yml
@@ -1,16 +0,0 @@
---
-Name: AcroRd32.exe
-Description: Execute
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
-    Description: Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
-Full Path:
-  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
-Code Sample: []
-Detection: []
-Resources:
-  - https://twitter.com/pabraeken/status/997997818362155008
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
--- a/OtherBinaries/Gpup.exe.md
+++ b/OtherBinaries/Gpup.exe.md
@@ -0,0 +1,16 @@
+## Gpup.exe
+* Functions: Execute
+```
+
+Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
+Execute another command through gpup.exe (Notepad++ binary).
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/997892519827558400
+   
+* Full path:   
+  * C:\Program Files (x86)\Notepad++\updater\gpup.exe    
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken  
+   
--- a/OtherBinaries/Gpup.yml
+++ b/OtherBinaries/Gpup.yml
@@ -1,16 +0,0 @@
---
-Name: Gpup.exe
-Description: Execute
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
-    Description: Execute another command through gpup.exe (Notepad++ binary).
-Full Path:
-  - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe    '
-Code Sample: []
-Detection: []
-Resources:
-  - https://twitter.com/pabraeken/status/997892519827558400
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
--- a/OtherBinaries/Nlnotes.exe.md
+++ b/OtherBinaries/Nlnotes.exe.md
@@ -0,0 +1,17 @@
+## Nlnotes.exe
+* Functions: Execute
+```
+
+NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
+Run PowerShell via LotusNotes.
+```
+   
+* Resources:   
+  * https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
+  * https://twitter.com/HanseSecure/status/995578436059127808
+   
+* Full path:   
+  * C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
+   
+* Notes: Thanks to Daniel Bohannon - @danielhbohannon  
+   
--- a/OtherBinaries/Nlnotes.yml
+++ b/OtherBinaries/Nlnotes.yml
@@ -1,17 +0,0 @@
---
-Name: Nlnotes.exe
-Description: Execute
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
-    Description: Run PowerShell via LotusNotes.
-Full Path:
-  - C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
-Code Sample: []
-Detection: []
-Resources:
-  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
-  - https://twitter.com/HanseSecure/status/995578436059127808
-Notes: Thanks to Daniel Bohannon - @danielhbohannon
--- a/OtherBinaries/Notes.exe.md
+++ b/OtherBinaries/Notes.exe.md
@@ -0,0 +1,17 @@
+## Notes.exe
+* Functions: Execute
+```
+
+Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
+Run PowerShell via LotusNotes.
+```
+   
+* Resources:   
+  * https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
+  * https://twitter.com/HanseSecure/status/995578436059127808
+   
+* Full path:   
+  * C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
+   
+* Notes: Thanks to Daniel Bohannon - @danielhbohannon  
+   
--- a/OtherBinaries/Notes.yml
+++ b/OtherBinaries/Notes.yml
@@ -1,17 +0,0 @@
---
-Name: Notes.exe
-Description: Execute
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
-    Description: Run PowerShell via LotusNotes.
-Full Path:
-  - C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
-Code Sample: []
-Detection: []
-Resources:
-  - https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
-  - https://twitter.com/HanseSecure/status/995578436059127808
-Notes: Thanks to Daniel Bohannon - @danielhbohannon
--- a/OtherBinaries/Nvudisp.exe.md
+++ b/OtherBinaries/Nvudisp.exe.md
@@ -0,0 +1,31 @@
+## Nvudisp.exe
+* Functions: Execute, Copy, Add registry, Create shortcut, kill process
+```
+
+Nvudisp.exe System calc.exe
+Execute calc.exe as a subprocess.
+
+Nvudisp.exe Copy test.txt,test-2.txt
+Copy fila A to file B.
+
+Nvudisp.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
+Add/Edit a Registry key value.
+
+Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\"
+Create shortcut file.
+
+Nvudisp.exe KillApp calculator.exe
+Kill a process.
+
+Nvudisp.exe Run foo
+Run process
+```
+   
+* Resources:   
+  * http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
+   
+* Full path:   
+  * C:\windows\system32\nvuDisp.exe
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken  
+   
--- a/OtherBinaries/Nvudisp.yml
+++ b/OtherBinaries/Nvudisp.yml
@@ -1,26 +0,0 @@
---
-Name: Nvudisp.exe
-Description: Execute, Copy, Add registry, Create shortcut, kill process
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: Nvudisp.exe System calc.exe
-    Description: Execute calc.exe as a subprocess.
-  - Command: Nvudisp.exe Copy test.txt,test-2.txt
-    Description: Copy fila A to file B.
-  - Command: Nvudisp.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
-    Description: Add/Edit a Registry key value.
-  - Command: Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\"
-    Description: Create shortcut file.
-  - Command: Nvudisp.exe KillApp calculator.exe
-    Description: Kill a process.
-  - Command: Nvudisp.exe Run foo
-    Description: ?
-Full Path:
-  - C:\windows\system32\nvuDisp.exe
-Code Sample: []
-Detection: []
-Resources:
-  - http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
--- a/OtherBinaries/Nvuhda6.exe.md
+++ b/OtherBinaries/Nvuhda6.exe.md
@@ -0,0 +1,31 @@
+## Nvuhda6.exe
+* Functions: Execute, Copy, Add registry, Create shortcut, kill process
+```
+
+nvuhda6.exe System calc.exe
+Execute calc.exe as a subprocess.
+
+nvuhda6.exe Copy test.txt,test-2.txt
+Copy fila A to file B.
+
+nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
+Add/Edit a Registry key value
+
+nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\"
+Create shortcut file.
+
+nvuhda6.exe KillApp calc.exe
+Kill a process.
+
+nvuhda6.exe Run foo
+Run process
+```
+   
+* Resources:   
+  * http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
+   
+* Full path:   
+  * Missing
+   
+* Notes: Thanks to Adam - @hexacorn  
+   
--- a/OtherBinaries/Nvuhda6.yml
+++ b/OtherBinaries/Nvuhda6.yml
@@ -1,26 +0,0 @@
---
-Name: Nvuhda6.exe
-Description: Execute, Copy, Add registry, Create shortcut, kill process
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: nvuhda6.exe System calc.exe
-    Description: Execute calc.exe as a subprocess.
-  - Command: nvuhda6.exe Copy test.txt,test-2.txt
-    Description: Copy fila A to file B.
-  - Command: nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
-    Description: Add/Edit a Registry key value
-  - Command: nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\"
-    Description: Create shortcut file.
-  - Command: nvuhda6.exe KillApp calc.exe
-    Description: Kill a process.
-  - Command: nvuhda6.exe Run foo
-    Description: ?
-Full Path:
-  - ?
-Code Sample: []
-Detection: []
-Resources:
-  - http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
-Notes: Thanks to Adam - @hexacorn
--- a/OtherBinaries/ROCCAT_Swarm.exe.md
+++ b/OtherBinaries/ROCCAT_Swarm.exe.md
@@ -0,0 +1,16 @@
+## ROCCAT_Swarm.exe
+* Functions: Execute
+```
+
+Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
+Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/994213164484001793
+   
+* Full path:   
+  * C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken  
+   
--- a/OtherBinaries/ROCCAT_Swarm.yml
+++ b/OtherBinaries/ROCCAT_Swarm.yml
@@ -1,16 +0,0 @@
---
-Name: ROCCAT_Swarm.exe
-Description: Execute
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
-    Description: Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
-Full Path:
-  - C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
-Code Sample: []
-Detection: []
-Resources:
-  - https://twitter.com/pabraeken/status/994213164484001793
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
--- a/OtherBinaries/Setup.exe.md
+++ b/OtherBinaries/Setup.exe.md
@@ -0,0 +1,16 @@
+## Setup.exe
+* Functions: Execute
+```
+
+Run Setup.exe
+Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/994381620588236800
+   
+* Full path:   
+  * C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken  
+   
--- a/OtherBinaries/Setup.yml
+++ b/OtherBinaries/Setup.yml
@@ -1,16 +0,0 @@
---
-Name: Setup.exe
-Description: Execute
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: Run Setup.exe
-    Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
-Full Path:
-  - C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
-Code Sample: []
-Detection: []
-Resources:
-  - https://twitter.com/pabraeken/status/994381620588236800
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
--- a/OtherBinaries/Usbinst.exe.md
+++ b/OtherBinaries/Usbinst.exe.md
@@ -0,0 +1,16 @@
+## Usbinst.exe
+* Functions: Execute
+```
+
+Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
+Execute calc.exe through DefaultInstall Section Directive in INF file.
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/993514357807108096
+   
+* Full path:   
+  * C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken  
+   
--- a/OtherBinaries/Usbinst.yml
+++ b/OtherBinaries/Usbinst.yml
@@ -1,16 +0,0 @@
---
-Name: Usbinst.exe
-Description: Execute
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
-    Description: Execute calc.exe through DefaultInstall Section Directive in INF file.
-Full Path:
-  - C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
-Code Sample: []
-Detection: []
-Resources:
-  - https://twitter.com/pabraeken/status/993514357807108096
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
--- a/OtherBinaries/VBoxDrvInst.exe.md
+++ b/OtherBinaries/VBoxDrvInst.exe.md
@@ -0,0 +1,16 @@
+## VBoxDrvInst.exe
+* Functions: Persistence
+```
+
+VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
+Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
+```
+   
+* Resources:   
+  * https://twitter.com/pabraeken/status/993497996179492864
+   
+* Full path:   
+  * C:\Program Files\Oracle\VirtualBox Guest Additions
+   
+* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken  
+   
--- a/OtherBinaries/VBoxDrvInst.yml
+++ b/OtherBinaries/VBoxDrvInst.yml
@@ -1,16 +0,0 @@
---
-Name: VBoxDrvInst.exe
-Description: Persistence
-Author: ''
-Created: '2018-05-25'
-Categories: []
-Commands:
-  - Command: VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
-    Description: Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
-Full Path:
-  - C:\Program Files\Oracle\VirtualBox Guest Additions
-Code Sample: []
-Detection: []
-Resources:
-  - https://twitter.com/pabraeken/status/993497996179492864
-Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken