| using System; | |
| using System.EnterpriseServices; | |
| using System.Runtime.InteropServices; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| using System.Collections; | |
| using System.Collections.Generic; |
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
This is still a new situation. There is a lot we don't know. We don't know if there are more possible exploit paths. We only know about this one path. Please update your systems regardless.
This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
| XZ Backdoor symbol deobfuscation. Updated as i make progress |
| #This script checks if all AD-relevant SRV-Records exist in DNS. Also it looks for netlogon.dns and the A-Record for the DC. | |
| $Domain = (Get-ADDomain).DNSRoot | |
| $DCName = (Get-ADDomainController).Name | |
| $msdcs = (Get-DnsServerResourceRecord -ZoneName _msdcs.$Domain -RRType Srv) | |
| $ARR = (Get-DnsServerResourceRecord -ZoneName $Domain -RRType A) | |
| $PDC = [string] "_ldap._tcp.pdc" | |
| $GC = [string] "_ldap._tcp.gc" | |
| $KDC = [string] "_kerberos._tcp.dc" | |
| $DC = [string] "_ldap._tcp.dc" |
| <# | |
| This is an attempt at a script to provision a DC VM in a disposable testlab | |
| This will also set the DC as authoritative time source, DHCP, and DNS server | |
| Windows Server® 2012 and 2012 R2 Core Network Guide | |
| https://gallery.technet.microsoft.com/Windows-Server-2012-and-7c5fe8ea | |
| #> | |
| # rename the computer and reboot, this isn't needed if using Vagrant | |
| #Rename-Computer -NewName newhost -Restart -Force |
| <?xml version='1.0'?> | |
| <data> | |
| <circle> | |
| <radius>12</radius> | |
| </circle> | |
| <circle> | |
| <radius>37.5</radius> | |
| </circle> | |
| </data> |
| primes = [ 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, | |
| 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, | |
| 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, | |
| 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, | |
| 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, | |
| 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, | |
| 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, | |
| 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, | |
| 419, 421, 431, 433, 439, 443, 449, 457, 461, 463, | |
| 467, 479, 487, 491, 499, 503, 509, 521, 523, 541, |
| def modular_sqrt(a, p): | |
| def legendre_symbol(a, p): | |
| """ Compute the Legendre symbol a|p using | |
| Euler's criterion. p is a prime, a is | |
| relatively prime to p (if p divides | |
| a, then a|p = 0) | |
| Returns 1 if a has a square root modulo | |
| p, -1 otherwise. |