Description
I was revisiting my old article on 'ExpLoading' (cheesy name, I know) and thought I'd have an explore to see if they're still there and if there were any new observations.
The original one I have in this project, 'workfolders', is still present, although I have seen enterprise security stop it, but
- GatherNetworkInfo
- wsl.exe (new method to those listed)
- iediagcmd.exe
- main.cpl
- sysdm.cpl
have utility
GatherNetworkInfo is a vbs file resident in system32, so there is no need for the full path and no need to add the vbs (environment variable); invoking it from a user-controlled folder (explained in the blog post https://thecontractor.io/blog/exploading/ ) lets you control the location the search order takes place in, as with all of the ones listed, similar to workfolders.exe. So gathernetworkinfo creates opportunities for cmd.exe, powershell.exe, powercfg.exe, sc.exe, reg.exe and netsh.exe.
wsl.exe using this method will search for wslhost.exe.
iediagcmd.exe using this method will search for ipconfig.exe, route.exe, netsh.exe and makecab.exe.
main.cpl using this method will search for MOUSE.DLL.
system.cpl using this method will search for SystemPropertiesComputerName.exe.
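A detection-side view of the launcher/target pairs listed above, as an added example that is not part of the original issue: a small rule that flags process-creation or image-load events where one of these launchers resolved a listed target from outside a trusted system directory. Event records, the `TRUSTED_DIRS` set and the field names are constructed assumptions, not real telemetry or a specific product's schema.

```python
from pathlib import PureWindowsPath

# Assumed trusted locations; a real deployment would extend this per environment.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Launcher (substring of the parent command line) -> images it resolves by
# search order, taken from the issue text. The issue names the last one both
# as sysdm.cpl and system.cpl, so both spellings are included.
LAUNCHER_TARGETS = {
    "gathernetworkinfo": {"cmd.exe", "powershell.exe", "powercfg.exe",
                          "sc.exe", "reg.exe", "netsh.exe"},
    "wsl.exe": {"wslhost.exe"},
    "iediagcmd.exe": {"ipconfig.exe", "route.exe", "netsh.exe", "makecab.exe"},
    "main.cpl": {"mouse.dll"},
    "sysdm.cpl": {"systempropertiescomputername.exe"},
    "system.cpl": {"systempropertiescomputername.exe"},
}

# Constructed sample events (parent command line + resolved image path).
SAMPLE_EVENTS = [
    {"parent_cmdline": r"cscript.exe C:\Windows\System32\gatherNetworkInfo.vbs",
     "image": r"C:\Windows\System32\netsh.exe"},          # expected location
    {"parent_cmdline": r"cscript.exe gatherNetworkInfo.vbs",
     "image": r"C:\Users\alice\Downloads\netsh.exe"},     # resolved from CWD
    {"parent_cmdline": r"C:\Windows\System32\wsl.exe",
     "image": r"C:\Users\alice\Downloads\wslhost.exe"},   # resolved from CWD
    {"parent_cmdline": r"C:\Windows\System32\iediagcmd.exe",
     "image": r"C:\Windows\System32\makecab.exe"},        # expected location
    {"parent_cmdline": r"notepad.exe",
     "image": r"C:\Users\alice\Downloads\netsh.exe"},     # not a listed launcher
]


def find_hijack_candidates(events):
    """Return one finding string per event where a listed launcher resolved
    one of its known search-order targets from outside TRUSTED_DIRS."""
    findings = []
    for ev in events:
        parent_cmd = ev["parent_cmdline"].lower()
        image = PureWindowsPath(ev["image"])
        image_dir = str(image.parent).lower()
        for launcher, targets in LAUNCHER_TARGETS.items():
            if (launcher in parent_cmd
                    and image.name.lower() in targets
                    and image_dir not in TRUSTED_DIRS):
                findings.append(f"{launcher} -> {ev['image']}")
                break
    return findings


if __name__ == "__main__":
    for finding in find_hijack_candidates(SAMPLE_EVENTS):
        print("search-order hijack candidate:", finding)
```

The rule deliberately stays silent on the last sample event: a copied netsh.exe spawned by an unrelated parent is worth its own rule, but it is not the launcher pattern this issue describes.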
I'm sorry I don't have time to fill out all the information, but I thought I'd share these findings, on the basis that it's an easy, repeatable method to search for, where no real advanced skills are needed; handy for getting people interested too.
https://youtu.be/ZhuwkT2E8Pw - visual guide to repeat (only 2 or less curse-words)