Adjustments
parent
88a2f34899
commit
cde3fc7f7f
|
@ -8,6 +8,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
|
||||||
[Atbroker.exe](OSBinaries/Atbroker.md)
|
[Atbroker.exe](OSBinaries/Atbroker.md)
|
||||||
[Cmstp.exe](OSBinaries/Cmstp.md)
|
[Cmstp.exe](OSBinaries/Cmstp.md)
|
||||||
[Control.exe](OSBinaries/Control.md)
|
[Control.exe](OSBinaries/Control.md)
|
||||||
|
[Dfsvc.exe](OSBinaries/Dfsvc.md)
|
||||||
[Forfiles.exe](OSBinaries/Forfiles.md)
|
[Forfiles.exe](OSBinaries/Forfiles.md)
|
||||||
[Ieexec.exe](OSBinaries/Ieexec.md)
|
[Ieexec.exe](OSBinaries/Ieexec.md)
|
||||||
[Ie4unit.exe](OSBinaries/Ie4unit.md)
|
[Ie4unit.exe](OSBinaries/Ie4unit.md)
|
||||||
|
|
|
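Review bot: the new Dfsvc.exe row is in the right alphabetical slot between Control.exe and Forfiles.exe, but the page it links to (OSBinaries/Dfsvc.md, added in this same commit) still carries "Missing Example" in its command block and an empty "Code sample" bullet, so the README now advertises an entry with no usable content; either fill in the entry before linking it from the table or mark it as incomplete the way the Winrm entry does ("* Missing Code sample").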
@ -6,5 +6,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
|
||||||
# OS SCRIPTS
|
# OS SCRIPTS
|
||||||
|
|
||||||
[Cl_invocation.ps1](OSScripts/Cl_invocation.md)
|
[Cl_invocation.ps1](OSScripts/Cl_invocation.md)
|
||||||
[Pubprn.vbs](OSScripts/Pubprn.md)
|
[Manage-bde.vbs](OSScripts/Manage-bde.md)
|
||||||
[Slmgr.vbs](OSScripts/Slmgr.md)
|
[Slmgr.vbs](OSScripts/Slmgr.md)
|
||||||
|
[Pubprn.vbs](OSScripts/Pubprn.md)
|
||||||
|
[Winrm.vbs](OSScripts/Winrm.md)
|
||||||
|
|
|
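Review bot: the new link text `[Manage-bde.vbs](OSScripts/Manage-bde.md)` uses the wrong extension; the file this commit adds is titled "## Manage-bde.wsf" and its full path is `c:\windows\system32\manage-bde.wsf`, so the table should read `[Manage-bde.wsf](OSScripts/Manage-bde.md)`. Separately, the reordering puts `[Pubprn.vbs]` after `[Slmgr.vbs]`, which breaks the alphabetical order the rest of the table follows; the intended sequence is Manage-bde, Pubprn, Slmgr, Winrm.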
@ -0,0 +1,30 @@
|
||||||
|
## Dfsvc.exe
|
||||||
|
|
||||||
|
* Functions: Execute
|
||||||
|
|
||||||
|
```
|
||||||
|
Missing Example
|
||||||
|
```
|
||||||
|
|
||||||
|
Acknowledgements:
|
||||||
|
* Casey Smith - @subtee
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
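Review bot: this new entry ships with no technical content: the example block contains only "Missing Example", the "Code sample" section is a single empty bullet (`*`), and "Notes:" is blank, so a reader gets nothing beyond the four file paths. At minimum the Notes section should record what the visible paths already imply, that the binary ships under both the v2.0.50727 and v4.0.30319 .NET Framework directories in 32- and 64-bit flavours, and the missing pieces should be flagged consistently with the Winrm entry ("* Missing Code sample") rather than left as an empty bullet, so the gap is visible in the rendered page and easy to grep for.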
@ -0,0 +1,29 @@
|
||||||
|
## Manage-bde.wsf
|
||||||
|
|
||||||
|
* Functions: Execute
|
||||||
|
|
||||||
|
```
|
||||||
|
set comspec=C:\windows\system32\calc.exe
|
||||||
|
cscript C:\windows\system32\manage-bde.wsf
|
||||||
|
```
|
||||||
|
|
||||||
|
Acknowledgements:
|
||||||
|
* Jimmy - @bophops
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
|
||||||
|
* https://twitter.com/bohops/status/980659399495741441
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
c:\windows\system32\manage-bde.wsf
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
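Review bot: the acknowledgement handle "@bophops" does not match the resource links, which both point at `bohops` (`gist.github.com/bohops/...` and `twitter.com/bohops/...`); one of them is a typo and should be corrected. The "Code sample" section is also an empty bullet (`*`), and "Notes:" is blank even though the example depends on a non-obvious detail: it overrides `comspec` to `calc.exe` before running `cscript C:\windows\system32\manage-bde.wsf`, which only makes sense if the script launches `%COMSPEC%`. A one-line note saying so would tell defenders what to look for (cscript.exe running manage-bde.wsf with a COMSPEC that points somewhere other than cmd.exe) and explain why the environment variable matters.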
@ -15,6 +15,7 @@ Code sample:
|
||||||
Resources:
|
Resources:
|
||||||
* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
|
* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
|
||||||
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
|
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
|
||||||
|
* https://github.com/enigma0x3/windows-operating-system-archaeology
|
||||||
|
|
||||||
Full path:
|
Full path:
|
||||||
```
|
```
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
## Winrm.vbs
|
||||||
|
|
||||||
|
* Functions: Execute
|
||||||
|
|
||||||
|
```
|
||||||
|
winrm quickconfig
|
||||||
|
```
|
||||||
|
|
||||||
|
Acknowledgements:
|
||||||
|
* Matt Nelson - @enigma0x3
|
||||||
|
* Casey Smith - @subtee
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
* Missing Code sample
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
|
||||||
|
* https://www.youtube.com/watch?v=3gz1QmiMhss
|
||||||
|
* https://github.com/enigma0x3/windows-operating-system-archaeology
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
C:\windows\system32\winrm.vbs
|
||||||
|
C:\windows\SysWOW64\winrm.vbs
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
Some specific details about the binary file.
|
||||||
|
|
||||||
|
|
||||||
|
|
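Review bot: the "Notes:" section still contains the template placeholder "Some specific details about the binary file.", which should be replaced or removed before merge (and winrm.vbs is a script, not a binary, so the placeholder wording does not even fit). The example block shows only `winrm quickconfig`, the ordinary configuration command, which does not demonstrate the "Execute" function this entry claims; either add the invocation the referenced talks describe or mark the example as missing, as the "Code sample" section already does with "* Missing Code sample".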