Basic Tricks
LOLBins
Using LOLBins we can bypass some protections and execute malicious payloads.
Alternate Data Streams
Execute a .EXE file stored as an Alternate Data Stream (ADS).
Download and save a PS1 file to an Alternate Data Stream (ADS).
Add content to an Alternate Data Stream (ADS).
Execute evil.dll, which is stored in an Alternate Data Stream (ADS).
Use cscript.exe to execute a Visual Basic script stored in an Alternate Data Stream (ADS).
Using DLLs & macros
We can create a DLL containing a Metasploit payload and then run it on the victim system via the rundll32.exe available in all versions of Windows. This is often available, even with SRP enabled, as it is located in C:\Windows and is not restricted by default in many SRP deployments. Scripts and macro payloads are also valuable. Macros especially tend to be allowed for complicated forms and other Office document functionality.
After we execute the command rundll32.exe CALC.dll,DoesntExist, our DLL is loaded into memory and the embedded Metasploit payload runs from the DLL's initialization code. The DoesntExist parameter must be present, but it does not have to be a real function exported by the DLL.
Example:
Copy cmd.exe to another location under a different name with the Windows screen saver (.scr) extension, then use rundll32.exe to execute the binary:
Using Payload Wrappers
We can use various open-source payload wrappers that add an extra layer around msfvenom payloads. The result is not much of a FUD payload, but it is still effective.
For example, with the unicorn tool:
or
System DLLs
We can use functions from system DLLs, such as the CMD screensaver.
Multi-level Execution
By using multiple levels of execution, it may be possible to stumble into one that is explicitly allowed or has special privileges. Here we see cmd.exe running cscript.exe, which runs a VBS script included with Windows. This script can be abused to run other things. A useful side effect of using this script is that it is signed by Microsoft, and therefore often explicitly allowed to run. Then the PowerShell process is started using a -Verb RunAs argument, which attempts to re-establish a "High Integrity" context, essentially giving an administrative user back their administration rights.
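From the defender's side, the tricks on this page (payloads hosted in an ADS, rundll32.exe loading a module that is not a system DLL, and a cscript.exe to PowerShell "-Verb RunAs" chain) all leave a recognizable trace in process-creation telemetry. The following is an added example, not code from the original page, that runs three such rules over constructed Sysmon-style process-creation records. All paths, PIDs and the script name signed_example.vbs are hypothetical sample data, not captured from a real host.

```python
"""Detection rules for ADS-hosted payloads, suspicious rundll32 modules and a
script-host -> elevated PowerShell chain, run over constructed process records."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 carries)."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# A colon inside a path component other than the drive letter marks an ADS,
# e.g. C:\Users\Public\readme.txt:evil.vbs. Requiring a separator before the
# component excludes the drive letter ("C:") at the start of a path.
ADS_RE = re.compile(r"[\\/][^\\/\s:,\"]+:[^\\/\s:,\"]+")
RUNAS_RE = re.compile(r"-Verb\s+RunAs", re.IGNORECASE)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SYSTEM_ROOT = PureWindowsPath(r"C:\Windows")

# Constructed sample events (hypothetical; not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Windows\System32\signed_example.vbs"),
    ProcEvent(202, 201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -Command "Start-Process powershell -Verb RunAs"'),
    ProcEvent(300, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\CALC.dll,DoesntExist"),
    ProcEvent(301, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\readme.scr,DoesntExist"),
    ProcEvent(400, 100, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Users\Public\readme.txt:evil.vbs"),
    ProcEvent(500, 100, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    # Benign control: a system DLL loaded from the Windows directory.
    ProcEvent(600, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rundll32_module(cmdline: str) -> str | None:
    """Return the module path rundll32 was asked to load, or None.

    rundll32 takes '<module>,<entry>' as its first argument; the entry name is
    not validated against the module's exports, which is why the page can use a
    bogus name like DoesntExist. Only the module part matters for detection.
    """
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    module = parts[1].split(",", 1)[0].strip().strip('"')
    return module or None


def ancestry(event: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Image basenames of the parent chain, nearest parent first."""
    chain: list[str] = []
    seen: set[int] = set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule_name) pairs for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits: list[tuple[int, str]] = []
    for e in events:
        name = basename(e.image)
        # Rule 1: an ADS path as the process image or anywhere on the command line.
        if ADS_RE.search(e.image) or ADS_RE.search(e.cmdline):
            hits.append((e.pid, "ads_path_in_cmdline"))
        # Rule 2: rundll32 loading a module with a non-.dll extension (e.g. a
        # renamed .scr) or one outside the Windows directory (user-writable).
        if name == "rundll32.exe":
            module = rundll32_module(e.cmdline)
            if module:
                mp = PureWindowsPath(module)
                if mp.suffix.lower() != ".dll":
                    hits.append((e.pid, "rundll32_non_dll_module"))
                if SYSTEM_ROOT not in mp.parents:
                    hits.append((e.pid, "rundll32_module_outside_windows_dir"))
        # Rule 3: PowerShell requesting elevation with a script host in its ancestry.
        if name == "powershell.exe" and RUNAS_RE.search(e.cmdline):
            if SCRIPT_HOSTS & set(ancestry(e, by_pid)):
                hits.append((e.pid, "script_host_spawned_runas_powershell"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 2 also flags a bare module name such as CALC.dll with no directory, since it is resolved through the DLL search order rather than from a known system path; tune SYSTEM_ROOT and the extension allow-list to the environment before deploying.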
We can do the same with PowerShell:
Evasion Tools and Frameworks
Runners & Crypters