How to con your host?

May 25, 2020 in Living off the land, LOLBins

Goodbye, threat hunting configs and filters of the past. Microsoft introduced Windows Terminal and there is no way back.

While reading its actual source code today I noticed quite a lot of familiar code (I did poke around in conhost.exe code with IDA before), but then I stumbled upon an interesting bit that this post is all about.

The following command:

conhost.exe notepad.exe

doesn’t do anything on older versions of Windows 10. However, the latest version (tested on 18363) has a little LOLBINish surprise:

So… go back to your config and remove filters on conhost.exe. Remember, hate the message, not the messenger 😉

Lolbin WOW Ltd

May 23, 2020 in Living off the land, LOLBins

It turns out there is one more lolbin one can create that is subject to the constraints described previously. And not only that, there is an additional limitation in this case: only the 32-bit version of this executable exhibits lolbin properties.

When you run 64-bit msra.exe on a 64-bit system, it just starts as it should. But if you run the 32-bit version, it will detect that it runs on a 64-bit system and will immediately launch the 64-bit version from %windir%\system32. So, same as in the previous example, we just point the windir environment variable to our own path, and c:\test\system32\msra.exe will be executed. Note that we force the 32-bit msra.exe to be run by using a full path pointing to the SysWOW64 directory:

set windir=c:\test & c:\windows\syswow64\msra.exe
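Added example, not part of either post above: a small Python detection routine that runs over constructed Sysmon-style process-creation records and flags the two patterns described here, conhost.exe spawning a child and a binary executing from a fake system32 directory after %windir% redirection. The field names, the sample records and the real Windows directory (c:\windows) are assumptions.

```python
"""Flag the two LOLBin patterns above in Sysmon-style process-creation
records. Records are constructed samples, not real telemetry."""
import ntpath

# Assumption: the genuine Windows directory on the monitored host.
REAL_WINDIR = r"c:\windows"

# Constructed sample events, loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",          # conhost as launcher
     "ParentImage": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",          # benign console host
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\??\C:\WINDOWS\system32\conhost.exe 0x4"},
    {"Image": r"c:\test\system32\msra.exe",                # redirected windir
     "ParentImage": r"C:\Windows\SysWOW64\msra.exe",
     "CommandLine": r"c:\test\system32\msra.exe"},
    {"Image": r"C:\Windows\System32\msra.exe",             # benign WOW64 relaunch
     "ParentImage": r"C:\Windows\SysWOW64\msra.exe",
     "CommandLine": r"C:\Windows\System32\msra.exe"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def _under_real_windir(path):
    return path.lower().startswith(REAL_WINDIR + "\\")


def check_event(ev):
    """Return the list of finding names for one process-creation event."""
    findings = []
    image, parent = ev["Image"], ev["ParentImage"]
    # Pattern 1: a normal console host does not spawn arbitrary children,
    # so any process whose parent is conhost.exe deserves a look.
    if _basename(parent) == "conhost.exe":
        findings.append("conhost_spawned_child")
    # Pattern 2: a "system32" path outside the real Windows directory is
    # exactly what redirecting %windir% produces (c:\test\system32\...).
    if "\\system32\\" in image.lower() and not _under_real_windir(image):
        findings.append("system32_outside_windir")
    # Pattern 2b: 32-bit msra.exe relaunching something other than the real copy.
    if (_basename(parent) == "msra.exe" and "syswow64" in parent.lower()
            and not _under_real_windir(image)):
        findings.append("msra_wow64_redirect")
    return findings


def scan(events):
    """Map event index -> findings for every event that triggered a rule."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}
```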