Trickbot COVID macro lure via MSFT: ec34b207d503a3c95ee743ee296a08e93a5e960aa4611ea8c39d8e5d4c5f6593
test.js
// Evaluates a string that creates a WScript.Shell object and calls Run("calc.exe").
// NOTE(review): presumably a benign detonation stub (calc.exe) for exercising
// WScript.Shell / eval detection coverage — confirm intended use.
eval("WScript.CreateObject(\"WScript.Shell\").Run(\"calc.exe\");");
Trickbot COVID macro lure via MSFT: ec34b207d503a3c95ee743ee296a08e93a5e960aa4611ea8c39d8e5d4c5f6593
test.js
// Evaluates a string that creates a WScript.Shell object and calls Run("calc.exe").
// NOTE(review): presumably a benign detonation stub (calc.exe) for exercising
// WScript.Shell / eval detection coverage — confirm intended use.
eval("WScript.CreateObject(\"WScript.Shell\").Run(\"calc.exe\");");
// | |
// main.m | |
// EndpointSecurityDemo | |
// | |
// Created by Omar Ikram on 17/06/2019 - macOS Catalina 10.15 Beta 1 (19A471t) | |
// Updated by Omar Ikram on 15/08/2019 - macOS Catalina 10.15 Beta 5 (19A526h) | |
// Updated by Omar Ikram on 01/12/2019 - macOS Catalina 10.15 (19A583) | |
// Updated by Omar Ikram on 31/01/2021 - macOS Big Sur 11.1 (20C69) | |
// Updated by Omar Ikram on 07/05/2021 - macOS Big Sur 11.3.1 (20E241) | |
// Updated by Omar Ikram on 04/07/2021 - macOS Monterey 12 Beta 2 (21A5268h) |
function Collect-SOData | |
{ | |
param | |
( | |
[Parameter(Mandatory = $true)] | |
[string] | |
$FilePath | |
) | |
$hostname = $env:COMPUTERNAME |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <sys/stat.h> | |
#include <unistd.h> | |
#include <mach/mach.h> | |
#include <mach/mach_vm.h> | |
#include <dlfcn.h> | |
#include <objc/runtime.h> | |
#include <dlfcn.h> | |
#include <stdio.h> | |
#include <unistd.h> | |
#include <sys/types.h> | |
#include <mach/mach.h> | |
#include <mach/error.h> | |
#include <errno.h> | |
#include <stdlib.h> | |
#include <sys/sysctl.h> | |
#include <sys/mman.h> |
-------------------------------------------------------------------------------- | |
<WinProcess "smss.exe" pid 368 at 0x5306908L> | |
64 | |
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000 | |
-------------------------------------------------------------------------------- | |
<WinProcess "csrss.exe" pid 472 at 0x5306e48L> | |
64 | |
Interfaces : | |
Endpoints : |
#requires -version 5 | |
<# | |
The things you find on Google searching for specific GUIDs... | |
Known Keyword friendly names: | |
"UTC:::CATEGORYDEFINITION.MS.CRITICALDATA":"140737488355328" | |
"UTC:::CATEGORYDEFINITION.MS.MEASURES":"70368744177664" | |
"UTC:::CATEGORYDEFINITION.MS.TELEMETRY":"35184372088832" | |
"UTC:::CATEGORYDEFINITION.MSWLAN.CRITICALDATA":"2147483648" |
# Start an ETW trace session named "dotNetTrace" on the Microsoft-Windows-DotNETRuntime
# provider with the JIT, NGen, Interop and Loader keywords at level win:Informational,
# writing events to dotNetTrace.etl.
# --% hands the rest of the line to logman verbatim, so PowerShell does not try to
# parse the parenthesised keyword list; -ets acts on the trace session directly
# rather than creating a scheduled data collector set.
logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets
# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass
# logman stop dotNetTrace -ets
# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe
# I got the process ID by running a procmon trace
# NOTE(review): this PID is specific to one run and must be refreshed every time the
# target is launched; the rest of the script (not shown here) presumably uses it to
# filter the ETL events — confirm.
$TargetProcessId = 8256
<Sysmon schemaversion="4.1">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 == Process Creation. -->
    <!-- onmatch="include": only process creations matching a rule in this
         block are logged; everything else is dropped for this event type. -->
    <ProcessCreate onmatch="include">
      <!-- Matches any image path whose name ends with "Calculator.exe".
           Note that "calc.exe" does not end with this string, so the classic
           Win32 calculator is not covered by this rule. -->
      <Image name="Calculator Rule" condition="end with">Calculator.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>