@MSAdministrator Hey Josh, what's up? The thread is compiled, don't hesitate to share it. Have a good read: threader.app/thread/1209477… #DailyScriptlet
English
Arama Sonuçları: "#DailyScriptlet"
20 sonuç
Windows logs are fun, but you want to know how the guts of malware work, @James_inthe_box, @Ledtech3, @pmelson are great follows.
@ItsReallyNick 's feed and #DailyScriptlet tag are also illuminating.
English
@TrustedSec @JamesHovious @Oddvarmoe Nice @Oddvarmoe! You might also enjoy this thread and specifically the presentation by @matthewdunwoody & @danielhbohannon including some 🔥 #squiblydoo evasion: twitter.com/ItsReallyNick/…
Also I have some public gists to make a crazy evasive #DailyScriptlet for the SCT itself.
Nick Carr@ItsReallyNick
Detection time! Before continuing, please watch @matthewdunwoody & @danielhbohannon's recent talk on resilient detections: twitter.com/danielhbohanno… I'll wait. Ok, now - if you have access to it, use PE metadata. Moving a file retains its InternalName/OriginalFilename/ProductName.
English
🔥🆕 #DailyScriptlet POC:
1️⃣ Uses "conditional comments" to evade dynamic/sandbox execution
2️⃣ Injects into notepad
3️⃣ 0x☕😉
79fcc7a42820b4765bb01ac0b8be5f7d
VT (9/57): virustotal.com/gui/file/07904…
🗣️ "What are conditional comments?"
I'm glad you asked...
English
@securitydoggo @James_inthe_box @malwrhunterteam
341857d9cfc49c2c908ecdfbd50c0a7f HTA hot off the press with zero VT scan detections, XSL link is live, domain registered 30 Aug. #DailyScriptlet
English
@ItsReallyNick @Hexacorn The maldoc was a #dailyscriptlet over a year ago and my original inspiration for detecting binary rename.
English
@DissectMalware @HybridAnalysis We always try to have some challenges at #UMDCTF that resemble what happens in the real world, lots of inspiration from @ItsReallyNick’s #dailyscriptlet
English
Since Feb 7, I've seen 5+ new COM objects per day that fall into this specific #DailyScriptlet/DailySwearlet formatting, all with unique download links and part of a large, untargeted campaign.
At ~7 static VT detections each, we can do better. Yara rule in next tweet @cyb3rops
Nick Carr@ItsReallyNick
Today's #DailyScriptlet author was detected as a pottymouth by our innovative detection platform #SwearEngine from @stvemillertime 😏. Nothing targeted, the trash talk leads to a trashy upload drop delivering anyone's malz. 🤬 uploaded 1 hr ago (7/57): virustotal.com/#/file/57edc7c…
English
RT ItsReallyNick: This #DailyScriptlet highlights the value in #DFIR hunting based on weak signals.
Are Base64-encoded MS Office Files (Compound File Binary Format) within scripts expected in your environment?
What about suspicious window movement and …
English
Today's #DailyScriptlet author was detected as a pottymouth by our innovative detection platform #SwearEngine from @stvemillertime 😏.
Nothing targeted, the trash talk leads to a trashy upload drop delivering anyone's malz.
🤬 uploaded 1 hr ago (7/57): virustotal.com/#/file/57edc7c…
English
Finally an interesting #DailyScriptlet TTP we've been looking for but hadn't seen: Base64-encoding the full scriptlet. 🕵🏻♂️
This one, uploaded 3 hours ago, evades all static detection (0/57), except this tweet?
How DO you launch an encoded scriptlet? 🧐😬
virustotal.com/#/file/2535a7b…
English
#DailyScriptlet update: @subTee your #squiblydoo branding dreams have come true. AV-only vendors now have explicit, long-form AV detection names:
🛡️ BitDefender: "Exploit.LNK-Squiblydoo.Gen" (most licensed AV engine)
🛡️ ClamAV: "Xml.Malware.Squiblydoo"
🔍: virustotal.com/intelligence/s…
English
Should you *actually* interactively step through static #DailyScriptlet decoding every time with @GCHQ's #CyberChef?
⁉️😬
But is it fun?
✅😍
Shellcode loader .SCT ➡️ Stage 2 shellcode URL in a few seconds with saved recipes
🐚👨🏻💻: hxxp://shop.strust[.]club/6rqC (still live!)
GIF
English
Sad to see widespread, lazy attacker #DailyScriptlet infrastructure re-used for so long.
This stuff is extraordinarily bland but if it was caught everywhere, the domain wouldn't be used for 3+ months of Purchase Order phishing payloads
9confederatex[.]ml: virustotal.com/#/domain/9conf…
English
If only everyone would make it this easy.
#DailyScriptlet author making #threatintel straightforward by using MD5 for filenames. Keep 👏🏻 it 👏🏻 up 👏🏻
"881d9cff79fc931b9fa3aac89a9e7b91.pe" (2/57): virustotal.com/#/file/881d9cf…
"5c155983bac428d1e22b3c21ce2db854.pe" (30/68): virustotal.com/#/file/5c15598…
English
@subTee @JohnLaTwC @danielhbohannon @matthewdunwoody Eventually would have gotten to it in my #DailyScriptlet review of all SCT content (SCT_scriptlet_collector)... but I keep getting scooped by that pesky @JohnLaTwC
Also: what does Dr.Web know about VBS that we don't?? I'm pretty sure this is JS...
English
@JohnLaTwC @MITREattack @stromcoffee Can't pass up another #DailyScriptlet LIVE Meetup - I'll see you there! Looking forward to your talk.
English
#DailyScriptlet TIP: sometimes it helps to pre-process scripts for readability when eyeballing them.
You can do this with bash's "sed" command, as a @GCHQ #CyberChef recipe, or even with find & replace.
Pic 1: BEFORE
s/></>\n</g
s/;/;\n/g
s/{/{\n\t/g
s/}/\n}/g
Pic 2: AFTER
English
This phishing doc may not have a nation state hardware implant in it,
but it *does* have an embedded super, micro INF file and a Base64-encoded #DailyScriptlet
💧 Drops C:\ProgramData\golangSource.ini
^looking pretty Muddy 🥽
Links to the file & extracted contents below.
English
Outlook Ruler/homepage persistence FTW!
"This has been patched but we still see it leveraged b/c most orgs haven't applied patch"
Just by obtaining user email creds you can get code execution on victim machine using something like a COM scriptlet #DailyScriptlet
#FireEyeSummit
English