GPscript.exe – another LOLBin to the list

TL;DR - GPO scripts can be defined for user and started with GPScript.exe /Logon - Logonscripts do not show up in Autoruns.exe   I started to play around with GPscript.exe here the other day and found some interesting stuff and I want to have this documented for the future, so therefor I wrote this blogpost … Continue reading GPscript.exe – another LOLBin to the list

Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

TL;DR – Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. – Requires administrator rights and does not belong in userland. – Can also be executed from alternate data streams – Plant file on disk and run these commands to create persistence that triggers everytime someone … Continue reading Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

Persistence using RunOnceEx – Hidden from Autoruns.exe

TL;DR - Found a technique to execute DLL files without being detected by autoruns.exe at logon. - Requires administrator rights and does not belong in userland. - Run this to Exploit: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\messageBox64.dll"   RunOnceEx I finally had some time to do some unstructured research. With unstructured research I mean going after … Continue reading Persistence using RunOnceEx – Hidden from Autoruns.exe