From cde3fc7f7f7e6222dad23ac641aefc2e19e7f439 Mon Sep 17 00:00:00 2001 From: api0cradle Date: Wed, 18 Apr 2018 17:24:56 +0200 Subject: [PATCH] Adjustments --- LOLBins.md | 1 + LOLScripts.md | 8 +++++--- OSBinaries/Dfsvc.md | 30 ++++++++++++++++++++++++++++++ OSScripts/Manage-bde.md | 29 +++++++++++++++++++++++++++++ OSScripts/Pubprn.md | 1 + OSScripts/Winrm.md | 31 +++++++++++++++++++++++++++++++ 6 files changed, 97 insertions(+), 3 deletions(-) create mode 100644 OSBinaries/Dfsvc.md create mode 100644 OSScripts/Manage-bde.md create mode 100644 OSScripts/Winrm.md diff --git a/LOLBins.md b/LOLBins.md index c58ec55..b11b06e 100644 --- a/LOLBins.md +++ b/LOLBins.md @@ -8,6 +8,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge [Atbroker.exe](OSBinaries/Atbroker.md) [Cmstp.exe](OSBinaries/Cmstp.md) [Control.exe](OSBinaries/Control.md) +[Dfsvc.exe](OSBinaries/Dfsvc.md) [Forfiles.exe](OSBinaries/Forfiles.md) [Ieexec.exe](OSBinaries/Ieexec.md) [Ie4unit.exe](OSBinaries/Ie4unit.md) diff --git a/LOLScripts.md b/LOLScripts.md index b8dbac9..4366a8c 100644 --- a/LOLScripts.md +++ b/LOLScripts.md @@ -5,6 +5,8 @@ If you are missing from the acknowledgement, please let me know (I did not forge # OS SCRIPTS -[Cl_invocation.ps1](OSScripts/Cl_invocation.md) -[Pubprn.vbs](OSScripts/Pubprn.md) -[Slmgr.vbs](OSScripts/Slmgr.md) +[Cl_invocation.ps1](OSScripts/Cl_invocation.md) +[Manage-bde.vbs](OSScripts/Manage-bde.md) +[Slmgr.vbs](OSScripts/Slmgr.md) +[Pubprn.vbs](OSScripts/Pubprn.md) +[Winrm.vbs](OSScripts/Winrm.md) diff --git a/OSBinaries/Dfsvc.md b/OSBinaries/Dfsvc.md new file mode 100644 index 0000000..a2000e1 --- /dev/null +++ b/OSBinaries/Dfsvc.md 
@@ -0,0 +1,30 @@ +## Dfsvc.exe + +* Functions: Execute + +``` +Missing Example +``` + +Acknowledgements: +* Casey Smith - @subtee + +Code sample: +* + +Resources: +* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf + +Full path: +``` +C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe +C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe +C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe +``` + +Notes: + + + + diff --git a/OSScripts/Manage-bde.md b/OSScripts/Manage-bde.md new file mode 100644 index 0000000..1288154 --- /dev/null +++ b/OSScripts/Manage-bde.md @@ -0,0 +1,29 @@ +## Manage-bde.wsf + +* Functions: Execute + +``` +set comspec=C:\windows\system32\calc.exe +cscript C:\windows\system32\manage-bde.wsf +``` + +Acknowledgements: +* Jimmy - @bophops + +Code sample: +* + +Resources: +* https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 +* https://twitter.com/bohops/status/980659399495741441 + +Full path: +``` +c:\windows\system32\manage-bde.wsf +``` + +Notes: + + + + diff --git a/OSScripts/Pubprn.md b/OSScripts/Pubprn.md index 08e2d32..a3844c4 100644 --- a/OSScripts/Pubprn.md +++ b/OSScripts/Pubprn.md @@ -15,6 +15,7 @@ Code sample: Resources: * https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/ * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology +* https://github.com/enigma0x3/windows-operating-system-archaeology Full path: ``` diff --git a/OSScripts/Winrm.md b/OSScripts/Winrm.md new file mode 100644 index 0000000..d6670ad --- /dev/null +++ b/OSScripts/Winrm.md 
@@ -0,0 +1,31 @@ +## Winrm.vbs + +* Functions: Execute + +``` +winrm quickconfig +``` + +Acknowledgements: +* Matt Nelson - @enigma0x3 +* Casey Smith - @subtee + +Code sample: +* Missing Code sample + +Resources: +* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology +* https://www.youtube.com/watch?v=3gz1QmiMhss +* https://github.com/enigma0x3/windows-operating-system-archaeology + +Full path: +``` +C:\windows\system32\winrm.vbs +C:\windows\SysWOW64\winrm.vbs +``` + +Notes: +Some specific details about the binary file. + + +
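Review bot: in the LOLScripts.md hunk the new index entry `[Manage-bde.vbs](OSScripts/Manage-bde.md)` does not match the file it links to, which is titled `## Manage-bde.wsf` and lists `c:\windows\system32\manage-bde.wsf` as its full path; change the link text to `Manage-bde.wsf`. The same hunk moves `Slmgr.vbs` ahead of `Pubprn.vbs`, breaking the alphabetical order the rest of the list keeps, and it removes and re-adds the `Cl_invocation.ps1` and `Slmgr.vbs` lines with no visible change, which usually means a line-ending or trailing-whitespace difference that should be checked before merge.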
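Review bot: OSBinaries/Dfsvc.md is added with `Missing Example` inside the example fence, an empty `Code sample:` bullet and an empty `Notes:` section, so the only substantive content is the four `Full path` entries and the ShmooCon 2015 slide link. Either state the gap explicitly the way the Winrm entry does (`Missing Code sample`) or hold the file until the `Execute` function can be shown; if it ships as is, the `Notes:` section should at least say that the four `Dfsvc.exe` paths under `Microsoft.NET\Framework` and `Framework64` (v2.0.50727 and v4.0.30319) are the locations defenders should expect to see the binary launched from.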
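Review bot: in OSScripts/Manage-bde.md the acknowledgement `Jimmy - @bophops` looks like a typo for `@bohops`, which is the handle in both resource URLs (`gist.github.com/bohops/...` and `twitter.com/bohops/...`). The example also depends on a mechanism the entry never states: it sets `comspec` to another executable before running `cscript C:\windows\system32\manage-bde.wsf`, so the empty `Notes:` section should explain that the script launches whatever `%COMSPEC%` resolves to. That is also the detection point worth recording for defenders: `cscript.exe` running `manage-bde.wsf` with a child process other than `cmd.exe`, or a `COMSPEC` value that does not point into `System32`.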
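Review bot: in OSScripts/Winrm.md the line `Some specific details about the binary file.` under `Notes:` is template placeholder text and should be removed or replaced before merge (`Missing Code sample` under `Code sample:` is fine as an explicit gap). The example fence contains only `winrm quickconfig`, which is the ordinary configuration command and does not show how `winrm.vbs` provides the `Execute` function listed above it; either extend the example to show the `cscript` invocation of the script or mark the example missing as well. The `Full path` block covering both `system32` and `SysWOW64` copies of `winrm.vbs` is the useful part of the entry for defenders and should stay.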