Hexacorn Ltd
Desperate downloader lolbin
I was toying around with the Office application MSOXMLED.EXE and noticed it handles URLs. Thanks to that it can be used to download a file to the internet cache folder as shown […]
Beyond good ol’ Run key, Part 131
This is a bunch of legacy and not so popular anymore Registry locations that could have at some stage in the past supported persistence by pointing to various editors associated […]
Misre-presentation host
PresentationHost.exe is a known LOLBIN so I approached it with caution. To my surprise, I discovered that it accepts a number of command line arguments: Embedding – running as […]
Yet another secret of hosts file
In my old post I mentioned a not very well known hosts.ics file. Today I cover one more secret that I stumbled upon while digging inside DNS API internals. Turns […]
DownLOLoloaders
The previous posts about hosts files build a foundation for the trick I wanted to cover in this post. Most of the native LOLBINish downloaders are already known (certutil, BITS, etc.). […]
Beyond good ol’ Run key, Part 132
This is a very unpromising persistence mechanism relying on environment variables (again). Combing through OpenSSL source code I came across two variables that it relies on and they are described […]
Event ID 7039 – out…pid a pid
This event is not very well explained on the internet, so I took the liberty of describing it below: The event message is as follows: A service process other than […]
Beyond good ol’ Run key, Part 133
Java programs compiled into executable form using launch4j have a few interesting features that make them a good target for both persistence and LOLBIN-ish activities. When the executable starts it […]
ELF sections stats
If you follow my blog you may know that I have dedicated a lot of time building a very comprehensive list of PE Sections. Today I realized that I never […]
Yara & maldoc pics
Update It took only a few minutes for @0xkyle to point me to Halogen project. Nice one! Old post This is a little trick that you may find handy for […]
Playing CAPAeira with Yara rules
Writing Yara rules is easy. Writing good Yara rules is … testing – both as an adjective and a verb. There is a class of Yara rules – the one […]
FTP.EXE Lolbin v2
@0gtweet’s tweet inspired me to look at lolbin stuff again (as it is often the case). So… everyone knows we can use ftp.exe as a lolbin and using COMSPEC trick […]
Gup \o/ bin
Notepad++ comes with a built-in Updater called GUP typically located here: c:\Program Files (x86)\Notepad++\updater\GUP.exe It is a generic downloader that accepts a range of command line arguments, and while […]
Throwing LOLBIN a tar ball
This post summarizes some of the findings I posted on Twitter the other day. While looking at the Windows version of tar.exe I discovered that it includes lots of undocumented command […]
SleepStudy logs
Update After I posted it, Bryan linked to this article which explains how to generate SleepStudy report. Thx! Old Post A few days ago I came across ETL logs I […]
Debug Environment Variables are \o/
Looking at the list of debug environment variables one can immediately spot a lot of room for abuse. One can hypothesize that setting e.g. _NT_SYMBOL_PATH, _NT_ALT_SYMBOL_PATH, _NT_SYMBOL_PROXY, SRCSRV_INI_FILE to point […]
Non-debugging uses of CDB
Catching up with another tweet from 3 months ago. VMware Workstation installs cdb.exe debugger for you – you can play around with its features if you happen to find it […]
Beyond good ol’ Run key, Part 134
This one is for historical reasons, primarily. Old Adobe Photoshop/ImageReady used to have a feature called “Jump to” which is neatly described here. The feature was implemented via a simple […]