Executables - LOLBIN Execution

LOLBINs that can be used to execute Windows executables.

Last updated 4 years ago

ForFiles

Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre: T1218

forfiles runs the command given with /c once for every file that matches the search mask. Because notepad.exe exists in c:\windows\System32, the match causes C:\Tools\payload.exe to be executed.

forfiles /p c:\windows\system32 /m notepad.exe /c C:\Tools\payload.exe

/p - path to search
/m - search mask (file name pattern to match)
/c - command to run for each matching file

ForFiles can also execute a payload stored in an NTFS alternate data stream (ADS). Mitre: T1096

forfiles /p c:\windows\system32 /m notepad.exe /c "C:\Tools\notpayload.exe:payload.exe"

Program Compatibility Assistant

Privileges required: User
OS: Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre: T1202

The Program Compatibility Assistant launcher (pcalua.exe) is used to run programs that have compatibility problems with the installed version of Windows. It can be used to run a binary in a new process tree.

pcalua.exe -a C:\Tools\payload.exe

SyncAppvPublishingServer

Privileges required: User
OS: Windows 10
Mitre: T1218

SyncAppvPublishingServer.vbs initiates the Microsoft Application Virtualization (App-V) publishing refresh operation. However, it can be used as an indirect method of executing commands for evasion. In the example below the execution occurs from PowerShell, and the "Start-Process" cmdlet is used to run the executable.

SyncAppvPublishingServer.vbs "n; Start-Process C:\Tools\payload.exe"

This technique can be used to run any PowerShell command without calling powershell.exe directly.

SyncAppvPublishingServer.vbs "n; <Powershell command>"
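Each of the three launchers described on this page (forfiles, pcalua.exe and the SyncAppvPublishingServer.vbs passthrough) leaves a distinctive process-creation record, which is what a defender keys on. The following is an added example, not code from the original page: it applies simple detection rules to constructed Sysmon Event ID 1 style events. The field names Image, ParentImage and CommandLine follow Sysmon; the sample events, the detection names, and the heuristic that benign SyncAppvPublishingServer.vbs calls carry only a short flag value after the semicolon are assumptions made here for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in Sysmon Event ID 1 shape; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"forfiles /p c:\windows\system32 /m notepad.exe /c C:\Tools\payload.exe"},
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'forfiles /p c:\windows\system32 /m notepad.exe /c "C:\Tools\notpayload.exe:payload.exe"'},
    {"Image": r"C:\Tools\payload.exe",  # the child the first forfiles call would produce
     "ParentImage": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"C:\Tools\payload.exe"},
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"pcalua.exe -a C:\Tools\payload.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Start-Process C:\Tools\payload.exe"'},
    # Baseline noise: a log-rotation script that uses forfiles with the usual cmd helper.
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'forfiles /p C:\Logs /m *.log /d -30 /c "cmd /c del @file"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

LOLBIN_PARENTS = {"forfiles.exe", "pcalua.exe"}
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def basename(path):
    return PureWindowsPath(path).name.lower()


def is_ads_path(token):
    """True when a path names an NTFS alternate data stream (a colon after the drive letter)."""
    body = token[2:] if re.match(r"^[A-Za-z]:", token) else token
    return ":" in body


def analyze_event(event):
    """Return the list of detection names that fire for one process-creation event."""
    findings = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    tokens = tokenize(event["CommandLine"])
    lowered = [t.lower() for t in tokens]

    if image == "forfiles.exe" and "/c" in lowered:
        i = lowered.index("/c") + 1
        cmd = tokens[i] if i < len(tokens) else ""
        first = basename(cmd.split()[0]) if cmd else ""
        # forfiles' default /c helper is "cmd /c echo @file" and admin scripts usually keep cmd
        # as the launcher, so a /c that hands control straight to another binary is the signal.
        if first not in {"cmd", "cmd.exe"}:
            findings.append("forfiles_indirect_execution")
        if is_ads_path(cmd):
            findings.append("forfiles_ads_execution")

    if image == "pcalua.exe" and "-a" in lowered:
        findings.append("pcalua_indirect_execution")

    if image in {"wscript.exe", "cscript.exe"} and any(
            t.endswith("syncappvpublishingserver.vbs") for t in lowered):
        arg = next((t for t in tokens if ";" in t), "")
        tail = arg.split(";", 1)[1].strip() if ";" in arg else ""
        # Assumption (heuristic): benign callers pass only a short flag value; a cmdlet,
        # a drive path or a pipeline operator after the ';' is the passthrough pattern.
        if re.search(r"[A-Za-z]+-[A-Za-z]+|[A-Za-z]:\\|[|&$(]", tail):
            findings.append("syncappv_powershell_passthrough")

    # Lineage check: anything spawned by one of these launchers deserves a look on its own.
    if parent in LOLBIN_PARENTS:
        findings.append("child_of_lolbin_launcher")

    return findings


def scan(events=SAMPLE_EVENTS):
    """Map each command line that triggered at least one rule to the detections that fired."""
    return {e["CommandLine"]: hits for e in events if (hits := analyze_event(e))}


if __name__ == "__main__":
    for cmdline, hits in scan().items():
        print(f"{', '.join(hits):50s} {cmdline}")
```

The command-line rules catch the invocation itself; the lineage rule catches the payload even when the launcher's arguments were obfuscated or truncated in the log, which is why both are worth keeping. The cmd-launcher exclusion for forfiles trades a little coverage for far fewer alerts from scheduled maintenance scripts; tune it against your own baseline.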
