mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-30 16:54:00 +01:00
25 lines
749 B
Markdown
25 lines
749 B
Markdown
## Msdt.exe
|
|
* Functions: Execute
|
|
```
|
|
|
|
Open .diagcab package
|
|
|
|
|
|
msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
|
|
Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file.
|
|
```
|
|
|
|
* Resources:
|
|
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
|
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
|
* https://twitter.com/harr0ey/status/991338229952598016
|
|
|
|
* Full path:
|
|
* C:\Windows\System32\Msdt.exe
|
|
* C:\Windows\SysWOW64\Msdt.exe
|
|
|
|
* Notes: Thanks to:
|
|
See the Payloads folder for an example PCW8E57.xml file.
|
|
|
|
|