Add new Proxy Execution techniques for dxcap.exe and cmstp.exe#489
Open
ghosts621 wants to merge 4 commits into LOLBAS-Project:master from
Conversation
Hi team,

Thank you for this awesome project! I am submitting a new execution technique for an existing LOLBin (`dxcap.exe`).

**Description of the new finding:**

When executing `dxcap.exe` with the `-usage` flag, it attempts to load and execute `Xperf.exe` (which is typically installed via the Windows ADK and is not present by default). By copying `dxcap.exe` to a user-writable directory (e.g., `%TEMP%`) and placing a malicious payload named `Xperf.exe` alongside it, `dxcap.exe` will natively execute the payload via Search Order Hijacking.

**Key Points:**

* **Privileges:** Standard User (No Admin required).
* **Category:** Execute / Proxy Execution.
* **POC:** I have included a Gist link with a PowerShell POC demonstrating the execution using `calc.exe` as the hijacked payload.

I have appended the new command, detection IOCs, and my Gist link to the existing `dxcap.yml` file. Let me know if you need any changes. Thanks!
Added a new execution technique for cmstp.exe using registry modification. By setting the 'CmstpExtensionDll' value under 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe', cmstp.exe will pass this data directly to LoadLibrary when executed with the '/nf' flag. This enables proxy execution / DLL sideloading of an arbitrary DLL.
….yml Resolved the duplicate filename error from the GitHub Actions check. Merged the new proxy execution command (Search Order Hijacking), IOCs, and acknowledgements into the existing yml/OtherMSBinaries/Dxcap.yml file.
Hi team,
This PR introduces two new execution techniques I found:
1. dxcap.exe (Search Order Hijacking / Proxy Execution)

   Executing `dxcap.exe -usage` attempts to load `Xperf.exe`. By copying `dxcap.exe` to a user-writable directory (e.g., `%TEMP%`) and placing a payload named `Xperf.exe` alongside it, we achieve proxy execution with standard User privileges.

2. cmstp.exe (DLL Sideloading via Registry)

   By setting the `CmstpExtensionDll` registry value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe`, running `cmstp.exe /nf` will read this registry value and pass it directly to `LoadLibrary`. This allows for arbitrary DLL sideloading (Requires Admin).

Both POCs (via Gist links), detection IOCs, and my Acknowledgement handle have been added to their respective YML files.
Let me know if you need any adjustments. Thanks!
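As an added example that is not part of this PR or of the LOLBAS project, a PowerShell host check for the two layouts described in the thread: a `CmstpExtensionDll` value present under the `cmmgr32.exe` App Paths key, and a copy of `dxcap.exe` outside the system directory with an `Xperf.exe` beside it. The function names and the directories searched are my assumptions; run it elevated so the HKLM key and other users' directories are readable.

```powershell
# Added example (not from the PR): point-in-time checks for the two
# conditions described in the thread, written for defenders/hunters.

function Test-CmstpExtensionDll {
    # The thread states that cmstp.exe /nf reads CmstpExtensionDll from this
    # key and hands the value to LoadLibrary. The value is not expected to be
    # set on a normal host, so any non-empty value is worth a look.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe'
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $value = $props.CmstpExtensionDll
    if ([string]::IsNullOrEmpty($value)) { return $null }
    [pscustomobject]@{
        Finding    = 'CmstpExtensionDll is set'
        Key        = $key
        Value      = $value
        DllExists  = Test-Path -LiteralPath $value
        DllSigned  = if (Test-Path -LiteralPath $value) {
                         (Get-AuthenticodeSignature -FilePath $value).Status
                     } else { 'n/a' }
    }
}

function Find-DxcapCopies {
    # Search roots are an assumption; extend to whatever user-writable
    # locations matter in your environment.
    param([string[]]$Roots = @($env:TEMP, $env:USERPROFILE, 'C:\ProgramData'))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter 'dxcap.exe' -Recurse -File -ErrorAction SilentlyContinue |
            # dxcap.exe normally lives under %SystemRoot%; a copy elsewhere is the
            # precondition for the search-order hijack described in the thread.
            Where-Object { $_.FullName -notlike "$env:SystemRoot\*" } |
            ForEach-Object {
                $sibling = Join-Path $_.DirectoryName 'Xperf.exe'
                [pscustomobject]@{
                    Finding      = 'dxcap.exe outside the system directory'
                    Path         = $_.FullName
                    XperfBeside  = Test-Path -LiteralPath $sibling
                    XperfSigned  = if (Test-Path -LiteralPath $sibling) {
                                       (Get-AuthenticodeSignature -FilePath $sibling).Status
                                   } else { 'n/a' }
                }
            }
    }
}

Test-CmstpExtensionDll
Find-DxcapCopies
```

Both checks are snapshots; a host on which the value was set and later cleared, or the files deleted after use, will show nothing, so they complement rather than replace logging of writes to that registry key and of `cmstp.exe`/`dxcap.exe` process creation.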