<h1>Running programs via Proxy &#038; jumping on a EDR-bypass trampoline, Part 2</h1>
<p>Published 2017-10-04, last modified 2018-03-25. Permalink: <a href="https://www.hexacorn.com/blog/2017/10/04/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-2/">https://www.hexacorn.com/blog/2017/10/04/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-2/</a></p>
<p><strong>Update</strong></p>
<p>After my post <a href="https://twitter.com/wzod">Zod</a> contacted me with this mic-dropping link: <a href="https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/README.md">Ultimate AppLocker ByPass List</a>. Really lots of good stuff there! Thx Zod!</p>
<p><strong>Old Post</strong></p>
<p>In the <a href="https://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/">first part</a> I listed a couple of examples of programs that may be used as a proxy to launch other programs. In the meantime, <a href="https://twitter.com/subTee">subTee</a> kicked off a very <a href="https://twitter.com/subTee/status/884641188690747392">interesting thread</a> on Twitter listing a number of signed .exe binaries that can be used as a proxy to load a DLL. Yesterday I came across a few cool posts by <a href="https://twitter.com/0rbz_">@0rbz_</a>. This in turn reminded me of my first post and I decided to add a few more proxy / living-off-the-land ideas.</p>
<p>There are a number of signed .exe files that can be used to load other .exes or .dlls and, as a result, break standard EDR detection rules (which usually key on the parent-child relationship or on the image path of the process doing the work) or bypass application whitelisting that trusts the signed binary. This may sometimes involve copying the signed binary to your own folder so that it sideloads your DLL from there (PlugX is a very good example; funnily enough, in many cases its operators don&#8217;t even need to bring a signed .exe and simply reuse one that is typically present on the system).</p>
<p>Here is the list:</p>
<ul>
<li>AppVLP.exe &#8211; to launch .exe
<ul>
<li>From this <a href="https://twitter.com/0rbz_/status/915330892637331456">Tweet</a> by <a href="https://twitter.com/0rbz_">@0rbz_</a></li>
<li>Just run C:\Program Files\Microsoft Office\root\client\AppVLP.exe &lt;exename&gt; (the binary is part of the Office Click-to-Run client, so it is only present where that Office build is installed)</li>
</ul>
</li>
<li>pcalua.exe &#8211; to launch .exe
<ul>
<li>From this <a href="https://twitter.com/0rbz_/status/912491288104140801">Tweet</a> by <a href="https://twitter.com/0rbz_">@0rbz_</a> and mentioned on this <a href="https://forums.techguy.org/threads/weird-pcalua-exe-startup-tasks-can-i-disable-these.1090666/">forum</a></li>
<li>Just run C:\windows\system32\pcalua.exe -a &lt;exename&gt; (pcalua.exe is the Program Compatibility Assistant launcher; the target ends up as its child process)</li>
</ul>
</li>
<li>odbcconf.exe &#8211; to load .dll
<ul>
<li>From this <a href="https://twitter.com/subTee/status/789459826367606784">Tweet</a> by <a href="https://twitter.com/subTee">subTee</a></li>
<li>odbcconf.exe /f my.rsp, where the response file carries a REGSVR &lt;path to dll&gt; action; odbcconf.exe loads the DLL and calls its DllRegisterServer export, so that is where the payload goes</li>
</ul>
</li>
<li>odbcad32.exe &#8211; to load .dll via GUI
<ul>
<li>drop c:\windows\system32\&lt;dllfile&gt; (writing to System32 requires elevation)</li>
<li>run odbcad32.exe</li>
<li>go to Tracing Tab</li>
<li>choose Custom Trace DLL and point it at your file</li>
<li>hit Start Tracing Now; the ODBC Driver Manager loads the named trace DLL as soon as tracing is switched on<br />
<a href="https://www.hexacorn.com/blog/wp-content/uploads/2017/10/odbccp32.png"><img class="aligncenter wp-image-4338" src="https://www.hexacorn.com/blog/wp-content/uploads/2017/10/odbccp32.png" alt="odbcad32.exe Tracing tab with the Custom Trace DLL field" width="500" height="354" /></a></li>
</ul>
</li>
<li>WinMail.exe &#8211; to load .dll
<ul>
<li>copy c:\Program Files\Windows Mail\WinMail.exe to your folder</li>
<li>name your DLL &#8216;msoe.dll&#8217; and place it next to the copied .exe (it is resolved through the normal DLL search order, so the copy in the application directory wins)</li>
<li>launch one of these
<ul>
<li>WinMail.exe /identcatalog</li>
<li>WinMail.exe /identfileslist:foo</li>
<li>WinMail.exe /identfile:foo</li>
</ul>
</li>
</ul>
</li>
<li>xwizard.exe &#8211; to load .dll
<ul>
<li>From my previous <a href="https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/">post</a></li>
<li>copy c:\WINDOWS\system32\xwizard.exe to your folder</li>
<li>name your DLL &#8216;xwizards.dll&#8217; and place it next to the copied .exe</li>
<li>run xwizard.exe with at least two arguments</li>
</ul>
</li>
<li>java.exe &#8211; to load .dll
<ul>
<li>From my previous <a href="https://www.hexacorn.com/blog/2017/09/27/beyond-good-ol-run-key-part-65/">post</a></li>
<li>run java -agentlib:&lt;dllname&gt; (library name without the .dll extension, resolved via the library search path)<br />
or</li>
<li>run java -agentpath:&lt;dllname_with_dll_extension&gt; (full path to the DLL)</li>
<li>either way the JVM loads the library as a JVMTI agent and calls its Agent_OnLoad export</li>
</ul>
</li>
<li>any other phantom / sideloaded dlls &#8211; to load .dll
<ul>
<li>e.g. just google for &#8220;<a href="https://www.google.com/search?q=site%3Ahttp%3A%2F%2Fhexacorn.com+phantom+dll">site:https://hexacorn.com phantom dll</a>&#8220;</li>
</ul>
</li>
</ul>
<p>For defenders, the common denominators are straightforward to turn into rules: a copy of xwizard.exe or WinMail.exe executing from anywhere other than its install directory, pcalua.exe or AppVLP.exe appearing as the parent of something that is not a compatibility-fixed or Office program, odbcconf.exe with /f or REGSVR on the command line, and java.exe with -agentlib/-agentpath pointing at a user-writable location.</p>
<p>If you know of any other tricks like this, please let me know. Thanks!</p>
<p>p.s. as I was about to post it, Huntress Labs just <a href="https://medium.com/huntresslabs/abusing-trusted-applications-a719219220f">published</a> yet another cool technique using WseClientSvc.exe passthru.exe calc.exe!</p>
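<p>The proxy-execution and DLL-sideloading patterns listed above, expressed as detection logic over process-creation and image-load events. This is an added example, not code from the original post or from any of the referenced tools: the event dicts mimic Sysmon Event ID 1 (Image, CommandLine, ParentImage) and Event ID 7 (Image, ImageLoaded, Signed) fields, and the sample events, user paths and the expected-directory / Office allow-lists are constructed for the example and would need tuning for a real estate.</p>

```python
"""Hypothetical detection rules for the proxy-execution / DLL-sideloading
tricks listed in the post. Event dicts mimic Sysmon Event ID 1 (process
create) and Event ID 7 (image load) fields; the paths, users and allow-lists
below are constructed for this example, not real telemetry.
"""
import ntpath
import re

# Directories a given signed binary is expected to run from (assumed; adjust
# to your estate). Anything else is the "copy the signed .exe to your folder"
# sideloading pattern.
EXPECTED_HOME = {
    "xwizard.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "winmail.exe": {r"c:\program files\windows mail"},
}

# Host binary -> DLL name it resolves through the DLL search order (from the post).
SIDELOAD_DLLS = {
    "xwizard.exe": "xwizards.dll",
    "winmail.exe": "msoe.dll",
}

# Children of AppVLP.exe under these roots are treated as legitimate (assumed allow-list).
OFFICE_ROOTS = (r"c:\program files\microsoft office", r"c:\program files (x86)\microsoft office")

AGENT_FLAG = re.compile(r"-agent(?:lib|path):", re.IGNORECASE)


def split_image(path):
    """Lower-cased (directory, file name) of a Windows image path."""
    directory, name = ntpath.split(path.lower())
    return directory.rstrip("\\"), name


def check_process_create(ev):
    """Findings for one Event ID 1 record."""
    findings = []
    directory, name = split_image(ev["Image"])
    _, parent = split_image(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "").lower()

    # Proxy launchers: the interesting process is the child, so key on ParentImage.
    if parent == "pcalua.exe":
        findings.append("pcalua.exe used as launcher for " + name)
    if parent == "appvlp.exe" and not ev["Image"].lower().startswith(OFFICE_ROOTS):
        findings.append("AppVLP.exe proxied non-Office binary " + name)

    # DLL loaders driven purely by command line.
    if name == "odbcconf.exe" and ("/f" in cmdline.split() or "regsvr" in cmdline):
        findings.append("odbcconf.exe response file / REGSVR DLL load")
    if name == "java.exe" and AGENT_FLAG.search(cmdline):
        findings.append("java.exe loading a native agent DLL")

    # A relocated signed binary is the setup step for sideloading.
    if name in EXPECTED_HOME and directory not in EXPECTED_HOME[name]:
        findings.append(f"{name} running from unexpected directory {directory}")
    return findings


def check_image_load(ev):
    """Findings for one Event ID 7 record."""
    findings = []
    _, host = split_image(ev["Image"])
    dll_dir, dll = split_image(ev["ImageLoaded"])
    if host in SIDELOAD_DLLS and dll == SIDELOAD_DLLS[host] and dll_dir not in EXPECTED_HOME[host]:
        findings.append(f"{host} sideloaded {dll} from {dll_dir}")
    if host in ("odbcconf.exe", "odbcad32.exe") and ev.get("Signed", "").lower() == "false":
        findings.append(f"{host} loaded unsigned DLL {dll}")
    return findings


def scan(events):
    """Return (event index, finding) pairs for a list of event dicts."""
    hits = []
    for i, ev in enumerate(events):
        checker = check_process_create if ev["EventID"] == 1 else check_image_load
        hits.extend((i, f) for f in checker(ev))
    return hits


# Constructed sample telemetry: six suspicious records and three benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\payload.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\payload.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Client\AppVLP.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Client\AppVLP.exe"},  # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\odbcconf.exe", "CommandLine": "odbcconf.exe /f my.rsp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Users\bob\tools\xwizard.exe", "CommandLine": "xwizard.exe a b",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "CommandLine": r"java -agentpath:C:\Users\bob\tools\agent.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"C:\Users\bob\tools\xwizard.exe",
     "ImageLoaded": r"C:\Users\bob\tools\xwizards.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\xwizard.exe",
     "ImageLoaded": r"C:\Windows\System32\xwizards.dll", "Signed": "true"},  # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # benign
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

<p>The rules deliberately key on the child when a launcher is involved (ParentImage) and on the host binary's directory when a sideload is involved, because that is exactly what a signed proxy is meant to hide from a rule that only looks at the signer of the process doing the work.</p>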