Examples.md

Spartacus Examples

Contents

I want to...

• Find applications that are vulnerable to DLL Hijacking
• Find applications that are vulnerable to COM Hijacking
• Parse an existing SysInternals Process Monitor Log
• Create Visual Studio solutions for all the vulnerable DLLs identified
• Make the output to include all DLLs even if they are in a privileged directory (ie C:\Windows)
• Scan the local device for misconfigured COM objects
• View the exports for a DLL
• Create a proxy for a specific DLL
• Run my implant outside of DllMain, use Ghidra and pre-generated prototypes to create function definitions
• Only proxy specific functions from the DLL, and forward the rest
• Create a certificate to self-sign DLLs
  • But I can't be bothered to fill in the Subject/Issuer fields myself
• Sign a DLL

Examples

I want to find applications that are vulnerable to DLL Hijacking

Spartacus.exe --mode dll --procmon "C:\SysInternals\ProcMon64.exe" --pml "C:\Output\ProcMonOutput.pml" --csv "C:\Output\VulnerableDLLs.csv" --verbose

I want to find applications that are vulnerable to COM Hijacking

Spartacus.exe --mode com --verbose --procmon "C:\SysInternals\ProcMon64.exe" --pml "C:\Output\ProcMonOutput.pml" --csv "C:\Output\VulnerableCOM.csv"

I want to parse an existing SysInternals Process Monitor Log

Spartacus.exe --mode dll --existing --pml "C:\Output\ProcMonOutput.pml" --csv "C:\Output\VulnerableDLLs.csv" --verbose

I want to create Visual Studio solutions for all the vulnerable DLLs identified

Add --solution "C:\Output\VisualStudioProjects" to I want to find applications that are vulnerable to DLL Hijacking.

I want the output to include all DLLs even if they are in a privileged directory (ie C:\Windows)

Add --all to I want to find applications that are vulnerable to DLL Hijacking.

I want to scan the local device for misconfigured COM objects

Spartacus.exe --mode com --verbose --acl --csv "C:\Output\MisconfiguredCOM.csv"

I want to view the exports for a DLL

Spartacus.exe --mode proxy --action exports --dll "C:\Windows\System32\version.dll" --prototypes "./Assets/prototypes.csv" --verbose

I want to create a proxy for a specific DLL

Spartacus.exe --mode proxy --action default --dll "C:\Windows\System32\version.dll" --solution "C:\Output\VisualStudioProjects" --prototypes "./Assets/prototypes.csv" --verbose

I don't want to run my implant from DllMain, use Ghidra and pre-generated prototypes to create function definitions

Spartacus.exe --mode proxy --action default --dll "C:\Windows\System32\amsi.dll" --ghidra "C:\Ghidra\support\analyzeHeadless.bat" --solution "C:\Output\AmsiSolution" --prototypes "./Assets/prototypes.csv" --verbose

Only proxy specific functions from the DLL, and forward the rest

Spartacus.exe --mode proxy --action default --dll "C:\Windows\System32\amsi.dll" --ghidra "C:\Ghidra\support\analyzeHeadless.bat" --solution "C:\Output\AmsiSolution" --only "FunctionA" --prototypes "./Assets/prototypes.csv" --verbose

I want to create a certificate to self-sign DLLs

Spartacus.exe --mode sign --action generate --pfx "C:\Output\certificate.pfx" --password "Welcome1" --not-before "2022-12-31 00:00:02" --not-after "2026-01-01 00:00:03" --issuer "CN=Microsoft" --subject "CN=Microsoft" --verbose

I can't be bothered to fill in the Subject/Issuer fields myself

Spartacus.exe --mode sign --action generate --pfx "C:\Output\certificate.pfx" --password "Welcome1" --not-before "2022-12-31 00:00:55" --not-after "2026-01-01 00:00:01" --copy-from C:\Windows\System32\version.dll --verbose

I want to sign a DLL

Spartacus.exe --mode sign --action sign --pfx "C:\Output\certificate.pfx" --password "Welcome1" --path "C:\Input\MyFakeVersion.dll" --algorithm SHA256 --verbose