MITRE ATT4CK - T1132 - Data Encoding
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
๐ฃ Jabber | $. |
Variable declaration (UTF-16) |
TVq |
๐บ Television | MZ |
MZ header |
UEs |
๐ฌ Upper East Side | PK |
ZIP, Office documents |
SUVY |
๐ SUV | IEX |
PowerShell Invoke Expression |
| 01:06:52>> pc_prep -sharedlib | |
| [01:06:52] ID: 2744 'python' started [target: z0.0.0.20] | |
| - Possible payloads: | |
| - 0) - Quit | |
| - 1) - Standard TCP (i386-winnt Level3 sharedlib) | |
| - 2) - HTTP Proxy (i386-winnt Level3 sharedlib) | |
| - 3) - Standard TCP (x64-winnt Level3 sharedlib) | |
| - 4) - HTTP Proxy (x64-winnt Level3 sharedlib) | |
| - 5) - Standard TCP Generic (i386-winnt Level4 sharedlib) | |
| - 6) - HTTP Proxy Generic (i386-winnt Level4 sharedlib) |
| #!/usr/bin/python | |
| from impacket import smb | |
| from struct import pack | |
| import os | |
| import sys | |
| import socket | |
| ''' | |
| EternalBlue exploit for Windows 8 and 2012 by sleepya | |
| The exploit might FAIL and CRASH a target system (depended on what is overwritten) |
credit: @GossiTheDog: "If you want to setup FUZZBUNCH (the Equation exploit framework) you need Win7 VM + Python 2.6 + Pywin 2.6, then python fb.py for shell"
h/t @x0rz @DEYCrypt @hackerfantastic
context: https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
writeup: https://www.trustedsec.com/blog/equation-group-dump-analysis-full-rce-win7-fully-patched-cobalt-strike/
decrypted files: https://github.com/x0rz/EQGRP_Lost_in_Translation