Nasreddine Bencherchali nasbench

I hereby claim:

To claim this, I am signing this object:

Microsoft.NodejsTools.PressAnyKey.exe LOLBIN

This binary can be used as a LOLBIN as described here.

The arguments number must be at least 3
The first first argument can be anything (instead of both, normal or abnormal). Since the switch clause doesn't specify a default case. And the flag variable is set to true before the check.
The second argument also can be anything and it will be written to the execution path with the contents being the PID of the process File.WriteAllText(args[1], process.Id.ToString());
The thrid argument is passed directly to ProcessStartInfo and is executed Process.Start(startInfo);. Hence anything can be called

This binary can be used as a LOLBIN as described here

The arguments flags are meaningless only the order is important. This means as long as you provide exactly 6 flags and their value the binary will still work. Here are the exact positions for reference:

// Usage: --file <fullyResolvedPath> --processId <processId> --dumpType <dumpType>

Here are the steps to follow in order to create a malicious CHM file. As used by APT37

Download the HTML Help Workshop (Htmlhelp.exe) from MSDN. If the link is dead you can use the archive version here
Once installed you should have a folder C:\Program Files (x86)\HTML Help Workshop and inside the Microsoft HTML Help Compiler (hhc.exe)
We need to create 3 files:
- Project File .hpp
- HTML File .htm
Table of Contents File .hhc

You can execute commands in the context of an AppX Package to gain access to it's virtualized resources (example virtualized registry keys or files)

	using System.Diagnostics;
	using Fiddler;

	[assembly: Fiddler.RequiredVersion("2.3.5.0")]

	namespace POCFiddlerDotNet
	{
	public class PersistencePOC : IFiddlerExtension
	{
	public PersistencePOC() { }

	<ADPlus Version='2'>
	<Settings>
	<Option> FullOnFirst </Option>
	<Runmode> Hang </Runmode>
	<!--
	If you want to run the binary and not dump anything.
	Then this can be any process as long as it's running
	-->
	<ProcessName> notepad.exe </ProcessName>
	<OutputDir>C:\temp\</OutputDir>

	as AdpDumpDir C:\logs\20220609_183403_Crash_Mode
	.logopen /t "${AdpDumpDir}\ADPlus_log.log"
	as AdpOutputDir C:\logs
	as AdpDumpDirEsc C:\\logs\\20220609_183403_Crash_Mode
	as AdpTimeStamp 20220609_183403
	*
	*----- OS and Time Information ----
	vertarget
	*
	*

	# Source: System.Management.Automation.dll
	# This list is used to determin if a ScriptBlock contains potential suspicious content
	# If a match is found an automatic 4104 with a "warning" level is generated.
	# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
	- "Add-Type"
	- "AddSecurityPackage"
	- "AdjustTokenPrivileges"
	- "AllocHGlobal"
	- "BindingFlags"
	- "Bypass"