Malware

Last updated 2 years ago

Analysis

Microsoft OLE2 Files

OLE2 (Compound File Binary Format) is the container format of legacy Microsoft Office files (.doc, .xls, .ppt). Use oletools (linked at the bottom of this page) to find macros, embedded objects and other artifacts inside OLE files.
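As an added example (not part of the original page and not oletools' own code), the script below walks the OLE2 directory tree of a document, lists its storage and stream names, and flags the "VBA" storage in which macro modules live; the image it parses is constructed inside the script, not a real document, and the check is a triage heuristic rather than a substitute for olevba.

```python
import struct

# Added example (not oletools): walk an OLE2/CFB directory and flag the "VBA"
# storage macro modules live in. A triage heuristic, not a full CFB parser.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF

def parse_header(data: bytes) -> dict:
    if data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE2 file (bad magic)")
    major, _bom, sector_shift = struct.unpack_from("<HHH", data, 0x1A)   # version, byte order, sector shift
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)           # FAT sector count, first directory sector
    return {"major": major, "sector_size": 1 << sector_shift, "fat_sectors": num_fat, "first_dir_sector": first_dir}

def read_fat(data: bytes, ssz: int) -> list:
    fat = []                                        # flatten the FAT sectors named by the 109-entry DIFAT
    for sec in struct.unpack_from("<109I", data, 0x4C):
        if sec == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), data, (sec + 1) * ssz))
    return fat

def directory_names(data: bytes) -> list:
    """Follow the directory sector chain and return every in-use entry name."""
    hdr = parse_header(data)
    ssz, sec, names = hdr["sector_size"], hdr["first_dir_sector"], []
    fat = read_fat(data, ssz)
    while sec <= MAXREGSECT and sec < len(fat):
        base = (sec + 1) * ssz                      # sector 0 starts right after the 512-byte header
        for off in range(base, base + ssz, 128):    # one directory entry per 128 bytes
            name_len, obj_type = struct.unpack_from("<HB", data, off + 0x40)
            if obj_type != 0 and name_len >= 2:     # type 0 = unused slot; name length includes the NUL
                names.append(data[off:off + name_len - 2].decode("utf-16-le"))
        sec = fat[sec]
    return names

def has_vba_storage(data: bytes) -> bool:
    return any(n.upper() == "VBA" for n in directory_names(data))

def build_sample_ole2() -> bytes:
    """Constructed test image, not a real document: v3 header + one FAT + one directory sector."""
    hdr = bytearray(OLE2_MAGIC.ljust(512, b"\x00"))
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)     # v3, 512-byte sectors, 64-byte mini sectors
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr[0x4C:] = struct.pack("<I", 0) + b"\xFF" * 432               # DIFAT[0]: the FAT is sector 0
    fat = struct.pack("<II", FATSECT, ENDOFCHAIN) + b"\xFF" * 504  # sector 1 (directory) ends its chain
    def entry(name, obj_type):                                      # build one 128-byte directory entry
        n = name.encode("utf-16-le") + b"\x00\x00"
        return n.ljust(64, b"\x00") + struct.pack("<HB", len(n), obj_type) + b"\x00" * 61
    return bytes(hdr) + fat + entry("Root Entry", 5) + entry("VBA", 1) + b"\x00" * 256
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `has_vba_storage`; Word keeps the storage under "Macros", Excel under "_VBA_PROJECT_CUR", so the name check is case-insensitive on the entry name only.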

Online Sandboxes

For detecting and reversing malware, try the online sandboxes linked at the bottom of this page.

Creation

Evading Antivirus

For hiding your executable from AV, Shellter is better than msfvenom. You can also use Veil together with iexpress.exe.

You can use PS2EXE to convert a PowerShell script to an executable, which makes it easy to download a payload from the internet and execute it.

MetaTwin is a tool that copies the metadata (including the signature, although it will no longer be valid) from a legitimate application to your payload. For example, before using this tool, 95% of antiviruses detected the PS2EXE executable as malware; afterwards the detection rate dropped significantly (Windows Defender, for instance, no longer detected it).

Invoke-Obfuscation is a PowerShell command obfuscator.

Persistence

To get persistence on a machine, you could use WMI-persistence from GitHub. It uses WMI event subscriptions for fileless persistence.

Drop Vectors

Windows Settings Shortcut RCE

June 2018: getting a victim to download and open a Windows Settings Shortcut file (.SettingContent-ms) leads to RCE. The file can be embedded in an Office document because the file type was new and thus not yet on Office's blacklist of dangerous extensions (it has, however, been blocked in Microsoft Office 365 since 11 July 2018).

Links:
  • Online sandboxes: www.hybrid-analysis.com, www.reverse.it, https://cuckoosandbox.org/
  • Windows Settings Shortcuts Can Be Abused for Code Execution on Windows 10 (BleepingComputer)
  • GitHub - decalage2/oletools: python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging