⭕LOL Binaries
General Concept
Living Off the Land (LOL) binaries are the native Microsoft binary applications that are preinstalled on windows systems and are almost always available for us to use. these can be as simple as the echo command or be used for more advanced stuff like downloading and executing files, converting exe to cert or other interesting things that an attacker can leverage to bypass defense mechanisms.
Generally speaking, when we want a bin/reverse shell we go looking for the specific binaries that can download and execute our payloads. LOLBAS is a great collection of all known LOL binaries and we can search the collection for binaries with specific capabilities that we want by using a slash '/' and the name of the capability in the search bar for example /execute will show us all binaries that can execute code or scripts.
For Download
For Execute
Example Tools
Mshta.exe : Launch HTA attack via HTA Web Server of Metasploit
Rundll32.exe : Launch Rundll32 Attack via SMB Delivery of Metasploit
Regsvr32.exe : Launch Regsvr32 via Script Web Delivery of Metasploit
Certutil.exe : Launch MSbuild Attack via Msfvenom C# shellcode
Powershell.exe :
Launch cscript.exe via Powershell
Launch Batch File Attack via Powershell
Msiexec.exe : Launch msiexec attack via msfvenom
Mshta.exe
Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA( HTML Application) files. HTML files that we can run JavaScript or VBScript with. You can interpret these files using the Microsoft MSHTA.exe tool.
Metasploit contain the “HTA Web Server” module which generates malicious hta file. This module hosts an HTML Application (HTA) that when opened will run a payload via Powershell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed.
Rundll32.exe
Rundll32.exe is associated with Windows Operating System that allows you to invoke a function exported from a DLL, either 16-bit or 32-bit and store it in proper memory libraries.
Launch Rundll32 Attack via SMB Delivery of Metasploit
Metasploit also contain the “SMB Delivery” module which generates malicious dll file. This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell.
Now run the malicious code through rundll32.exe on the victim machine (vulnerable to RCE) to obtain meterpreter sessions.
Regsvr32.exe
Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. Regsvr32.exe is installed in the %systemroot%\System32 folder in Windows XP and later versions of Windows.
Syntax:
RegSvr32.exe has the following command-line options:
/u – Unregister server
/i – Call DllInstall passing it an optional [cmdline]; when it is used with
/u, it calls dll to uninstall
/n – do not call DllRegisterServer; this option must be used with
/s – Silent; display no message boxes
Launch Regsvr32 via Script Web Delivery of Metasploit
This module quickly fires up a web server that serves a payload. The provided command which will allow for a payload to download and execute. It will do it either specified scripting language interpreter or “squiblydoo” via regsvr32.exe for bypassing application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command: e.g. Command Injection.
Regsvr32 uses “squiblydoo” technique for bypassing application whitelisting. The signed Microsoft binary file, Regsvr32, is able to request a .sct file and then execute the included PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute) can occur on the same port. “PSH (Binary)” will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed
Certutil.exe
Certutil.exe is a command-line program that is installed as part of Certificate Services. We can use this tool to execute our malicious exe file in the target machine to get a meterpreter session.
Launch certutil Attack via Msfvenom
Generate a malicious executable (.exe) file with msfvenom and start multi/handler to get the reverse shell of the victim’s machine.
Now, to dump configuration information or shell.exe file files with certutil. you can follow below syntax:
Batch File
PowerShell allows the client to execute bat file.
Then execute the following command on the remote side to get netcat session.
Cscript
PowerShell allows the client to execute cscript.exe to run wsf, js and vbscript.
Then execute the following command on the remote side to get a meterpreter session.
Msiexec.exe
As we all are aware that Windows OS comes installed with a Windows Installer engine which is used by MSI packages for the installation of applications. The executable program that interprets packages and installs products is Msiexec.exe.
Last updated
