Added openwith.exe

2018-05-02 15:46:59 +02:00 · 2018-05-02 15:46:59 +02:00 · c94e409c4b
parent 8605b6557a
commit c94e409c4b
4 changed files with 51 additions and 7 deletions
--- a/LOLBins.md
+++ b/LOLBins.md
@ -37,6 +37,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Netsh.exe](OSBinaries/Netsh.md)    
 [Nltest.exe](OSBinaries/Nltest.md)    
 [Odbcconf.exe](OSBinaries/Odbcconf.md)     
+[Openwith.exe](OSBinaries/Openwith.md)     
 [Pcalua.exe](OSBinaries/Pcalua.md)    
 [Pcwrun.exe](OSBinaries/Pcwrun.md)    
 [Powershell.exe](OSBinaries/Powershell.md)     
--- a/OSBinaries/Msdt.md
+++ b/OSBinaries/Msdt.md
@ -3,18 +3,21 @@
 * Functions: Execute

 ```
-Open .diagcab package
+Open .diagcab package   
+
+msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE    
 ```

 Acknowledgements:
-* ?
+*Matt harr0ey - @harr0ey

 Code sample:
-*
+* https://gist.github.com/homjxi0e/3f35212db81b9375b7906031a40c6d87    

 Resources:
 * https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/    
 * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/  
+* https://twitter.com/harr0ey/status/991338229952598016   
 

 Full path:
--- a/OSBinaries/Openwith.md
+++ b/OSBinaries/Openwith.md
@ -0,0 +1,31 @@
+## Openwith.exe
+
+* Functions: Execute
+
+```
+OpenWith.exe /c C:\test.hta   
+
+OpenWith.exe /c C:\testing.msi    
+```
+
+Acknowledgements:
+* Matt harr0ey - @harr0ey
+
+Code sample:
+* 
+
+Resources:
+* https://twitter.com/harr0ey/status/991670870384021504
+
+Full path:
+```
+c:\windows\system32\Openwith.exe
+c:\windows\sysWOW64\Openwith.exe
+```
+
+Notes:
+
+
+Detection:
+
+ 
--- a/OSBinaries/Xwizard.md
+++ b/OSBinaries/Xwizard.md
@ -1,19 +1,24 @@
 ## Xwizard.exe

-* Functions: DLL hijack
+* Functions: DLL hijack, Execute

 ```
-xwizard.exe
+xwizard.exe     
+
+xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}    
 ```

 Acknowledgements:
 * Adam - @Hexacorn
+* Nick Tyrer - @nicktyrer

 Code sample:
-* 
+* https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5

 Resources:
 * http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+* https://www.youtube.com/watch?v=LwDHX7DVHWU
+* https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5

 Full path:
 ```
@ -22,9 +27,13 @@ c:\windows\sysWOW32\xwizard.exe
 ```

 Notes:
-Need to copy out xwizard.exe to a user controlled folder. 
+DLL hijack/Sideloading needs to copy out xwizard.exe to a user controlled folder. 
 If you add your own version of xwizard.dll it will execute when you start xwizard.exe.

+Xwizard RunWizard requires you to import registry keys that points to external SCT file.
+
+
+