Top Tweets for #DailyScriptlet
Windows logs are fun, but if you want to know how the guts of malware work, @James_inthe_box, @Ledtech3, @pmelson are great follows.
@ItsReallyNick 's feed and #DailyScriptlet tag are also illuminating.
@TrustedSec @JamesHovious @Oddvarmoe Nice @Oddvarmoe! You might also enjoy this thread and specifically the presentation by @matthewdunwoody & @danielhbohannon including some 🔥 #squiblydoo evasion: https://t.co/t7TtoGDp4F
Also I have some public gists to make a crazy evasive #DailyScriptlet for the SCT itself.
Detection time!
Before continuing, please watch @matthewdunwoody & @danielhbohannon's recent talk on resilient detections:
https://t.co/IqS6S6Xro9
I'll wait.
Ok, now - if you have access to it, use PE metadata. Moving a file retains its InternalName/OriginalFilename/ProductName.

🔥 #DailyScriptlet POC:
1️⃣ Uses "conditional comments" to evade dynamic/sandbox execution
2️⃣ Injects into notepad
3️⃣ 0x
79fcc7a42820b4765bb01ac0b8be5f7d
VT (9/57): https://t.co/I8xUIScjw6
🗣️ "What are conditional comments?"
I'm glad you asked...

@securitydoggo @James_inthe_box @malwrhunterteam
341857d9cfc49c2c908ecdfbd50c0a7f HTA hot off the press with zero VT scan detections, XSL link is live, domain registered 30 Aug. #DailyScriptlet

@DissectMalware @HybridAnalysis We always try to have some challenges at #UMDCTF that resemble what happens in the real world, lots of inspiration from @ItsReallyNick's #dailyscriptlet
Since Feb 7, I've seen 5+ new COM objects per day that fall into this specific #DailyScriptlet/DailySwearlet formatting, all with unique download links and part of a large, untargeted campaign.
At ~7 static VT detections each, we can do better. Yara rule in next tweet @cyb3rops
Today's #DailyScriptlet author was detected as a pottymouth by our innovative detection platform #SwearEngine from @stvemillertime.
Nothing targeted, the trash talk leads to a trashy upload drop delivering anyone's malz.
🤬 uploaded 1 hr ago (7/57): https://t.co/QRyyX2LFa8

#DailyScriptlet be damned. This is possibly the most useful tweet I've ever seen from @ItsReallyNick.
@matthewdunwoody Years ago I used an email address that was something like:
https://t.co/89zsYzPrvH.gov@gmail[.]com
Bypassed most crappy sign-up checks for government or school accounts.
Finally an interesting #DailyScriptlet TTP we've been looking for but hadn't seen: Base64-encoding the full scriptlet. 🕵🏻‍♂️
This one, uploaded 3 hours ago, evades all static detection (0/57), except this tweet?
How DO you launch an encoded scriptlet? 🔬
https://t.co/z3gytADxe2

#DailyScriptlet update: @subTee your #squiblydoo branding dreams have come true. AV-only vendors now have explicit, long-form AV detection names:
🛡️ BitDefender: "Exploit.LNK-Squiblydoo.Gen" (most licensed AV engine)
🛡️ ClamAV: "Xml.Malware.Squiblydoo"
https://t.co/VrysWYp4at

Should you *actually* interactively step through static #DailyScriptlet decoding every time with @GCHQ's #CyberChef?
But is it fun?
Shellcode loader .SCT ➡️ Stage 2 shellcode URL in a few seconds with saved recipes
👨🏻‍💻: hxxp://shop.strust[.]club/6rqC (still live!)
Sad to see widespread, lazy attacker #DailyScriptlet infrastructure re-used for so long.
This stuff is extraordinarily bland but if it was caught everywhere, the domain wouldn't be used for 3+ months of Purchase Order phishing payloads
9confederatex[.]ml: https://t.co/l11RDPEM9V
If only everyone would make it this easy.
#DailyScriptlet author making #threatintel straightforward by using MD5 for filenames. Keep it up
"https://t.co/1L7HU7YwNx" (2/57): https://t.co/rqLfKfdEMm
"https://t.co/vjJ2udlJre" (30/68): https://t.co/x04BELsBIN

@subTee @JohnLaTwC @danielhbohannon @matthewdunwoody Eventually would have gotten to it in my #DailyScriptlet review of all SCT content (SCT_scriptlet_collector)... but I keep getting scooped by that pesky @JohnLaTwC
Also: what does Dr.Web know about VBS that we don't?? I'm pretty sure this is JS...

@JohnLaTwC @MITREattack @stromcoffee Can't pass up another #DailyScriptlet LIVE Meetup - I'll see you there! Looking forward to your talk.
#DailyScriptlet TIP: sometimes it helps to pre-process scripts for readability when eyeballing them.
You can do this with bash's "sed" command, as a @GCHQ #CyberChef recipe, or even with find & replace.
Pic 1: BEFORE
s/></>\n</g
s/;/;\n/g
s/{/{\n\t/g
s/}/\n}/g
Pic 2: AFTER
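As an added example (not from the tweet), here is that sed recipe wrapped in a small POSIX shell function and run over a constructed, minified scriptlet skeleton so the effect is checkable; it assumes GNU sed, because `\n` and `\t` in the replacement are GNU extensions.

```shell
#!/bin/sh
# Added example: the four readability substitutions from the tweet, applied
# to a constructed (not real) minified COM scriptlet skeleton.
# Assumes GNU sed: \n and \t in the replacement side are GNU extensions.

# Constructed sample input: all tags and statements jammed onto one line.
SAMPLE='<?XML version="1.0"?><scriptlet><registration progid="Demo"><script language="JScript"><![CDATA[var a=1;if(a){WScript.Echo("hi");}]]></script></registration></scriptlet>'

# pretty STRING: newline between adjacent tags, after each ';',
# after each '{' (with a tab indent), and before each '}'.
pretty() {
  printf '%s\n' "$1" | sed \
    -e 's/></>\n</g' \
    -e 's/;/;\n/g' \
    -e 's/{/{\n\t/g' \
    -e 's/}/\n}/g'
}

# line_count STRING: number of output lines after pre-processing,
# a quick way to see how much structure the recipe exposed.
line_count() {
  pretty "$1" | wc -l | tr -d ' '
}

# first_line STRING: the first line of the pre-processed output.
first_line() {
  pretty "$1" | sed -n 1p
}

pretty "$SAMPLE"
```

Run it on a real sample by replacing `SAMPLE` with `$(cat file.sct)`; the recipe only inserts line breaks and tabs, so the script's content is unchanged.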

This phishing doc may not have a nation state hardware implant in it,
but it *does* have an embedded super, micro INF file and a Base64-encoded #DailyScriptlet
Drops C:\ProgramData\golangSource.ini
^looking pretty Muddy 🥽
Links to the file & extracted contents below.

Outlook Ruler/homepage persistence FTW!
"This has been patched but we still see it leveraged b/c most orgs haven't applied patch"
Just by obtaining user email creds you can get code execution on victim machine using something like a COM scriptlet #DailyScriptlet
#FireEyeSummit

This #DailyScriptlet bypass starts off great: masquerading as a GIF file.
Uploaded 1 hour ago.
First time I've seen that anywhere... other than my February tweet: https://t.co/G5o5CG8HWk
Ok so a creative - though derivative - start.
But then it goes to absolute sloptown...


The COM object within this malicious .LNK is today's #DailyScriptlet
1️⃣ LNK matched on @Grotezinfosec's BSides Perth @yararules
2️⃣ LNK contains PDF + embedded EXE + scriptlet. Also non-standard header: https://t.co/t4vYUYh8YQ
3️⃣ @virusbay_io decode: https://t.co/WTtsz3RNeU

@Grotezinfosec @cyb3rops @0dayforensics @codingo_ @BSidesPer @Malwageddon @Delbs27 Nice rule. What'd you make of this one with the non-standard LNK header?
@virustotal: https://t.co/Bdk26atnOy
@virusbay_io: https://t.co/d9zYuyECKz
Your header bytes were loose enough to capture it, though it appears to differ from the full MS-SHLLINK file specs.
