Top Tweets for #dailyscriptlet
Windows logs are fun, but if you want to know how the guts of malware work, @James_inthe_box, @Ledtech3, @pmelson are great follows.
@ItsReallyNick 's feed and #DailyScriptlet tag are also illuminating.
@TrustedSec @JamesHovious @Oddvarmoe Nice @Oddvarmoe! You might also enjoy this thread and specifically the presentation by @matthewdunwoody & @danielhbohannon including some 🔥 #squiblydoo evasion: https://t.co/t7TtoGDp4F
Also I have some public gists to make a crazy evasive #DailyScriptlet for the SCT itself.
Detection time!
Before continuing, please watch @matthewdunwoody & @danielhbohannon's recent talk on resilient detections:
https://t.co/IqS6S6Xro9
I'll wait.
Ok, now - if you have access to it, use PE metadata. Moving a file retains its InternalName/OriginalFilename/ProductName.

🔥 #DailyScriptlet POC:
1️⃣ Uses "conditional comments" to evade dynamic/sandbox execution
2️⃣ Injects into notepad
3️⃣ 0x
79fcc7a42820b4765bb01ac0b8be5f7d
VT (9/57): https://t.co/I8xUIScjw6
🗣️ "What are conditional comments?"
I'm glad you asked...

@securitydoggo @James_inthe_box @malwrhunterteam
341857d9cfc49c2c908ecdfbd50c0a7f HTA hot off the press with zero VT scan detections, XSL link is live, domain registered 30 Aug. #DailyScriptlet

@DissectMalware @HybridAnalysis We always try to have some challenges at #UMDCTF that resemble what happens in the real world, lots of inspiration from @ItsReallyNick's #dailyscriptlet
Since Feb 7, I've seen 5+ new COM objects per day that fall into this specific #DailyScriptlet/DailySwearlet formatting, all with unique download links and part of a large, untargeted campaign.
At ~7 static VT detections each, we can do better. Yara rule in next tweet @cyb3rops
Today's #DailyScriptlet author was detected as a pottymouth by our innovative detection platform #SwearEngine from @stvemillertime.
Nothing targeted, the trash talk leads to a trashy upload drop delivering anyone's malz.
🤬 uploaded 1 hr ago (7/57): https://t.co/QRyyX2LFa8

#DailyScriptlet be damned. This is possibly the most useful tweet I've ever seen from @ItsReallyNick.
@matthewdunwoody Years ago I used an email address that was something like:
https://t.co/89zsYzPrvH.gov@gmail[.]com
Bypassed most crappy sign-up checks for government or school accounts.
Finally an interesting #DailyScriptlet TTP we've been looking for but hadn't seen: Base64-encoding the full scriptlet. 🕵🏻‍♂️
This one, uploaded 3 hours ago, evades all static detection (0/57), except this tweet?
How DO you launch an encoded scriptlet? 🧐
https://t.co/z3gytADxe2

#DailyScriptlet update: @subTee your #squiblydoo branding dreams have come true. AV-only vendors now have explicit, long-form AV detection names:
🛡️ BitDefender: "Exploit.LNK-Squiblydoo.Gen" (most licensed AV engine)
🛡️ ClamAV: "Xml.Malware.Squiblydoo"
https://t.co/VrysWYp4at

Should you *actually* interactively step through static #DailyScriptlet decoding every time with @GCHQ's #CyberChef?
But is it fun?
Shellcode loader .SCT ➡️ Stage 2 shellcode URL in a few seconds with saved recipes
👨🏻‍💻: hxxp://shop.strust[.]club/6rqC (still live!)
Sad to see widespread, lazy attacker #DailyScriptlet infrastructure re-used for so long.
This stuff is extraordinarily bland, but if it were caught everywhere, the domain wouldn't be used for 3+ months of Purchase Order phishing payloads
9confederatex[.]ml: https://t.co/l11RDPEM9V
If only everyone would make it this easy.
#DailyScriptlet author making #threatintel straightforward by using MD5 for filenames. Keep 👏🏻 it 👏🏻 up 👏🏻
"https://t.co/1L7HU7YwNx" (2/57): https://t.co/rqLfKfdEMm
"https://t.co/vjJ2udlJre" (30/68): https://t.co/x04BELsBIN

@subTee @JohnLaTwC @danielhbohannon @matthewdunwoody Eventually would have gotten to it in my #DailyScriptlet review of all SCT content (SCT_scriptlet_collector)... but I keep getting scooped by that pesky @JohnLaTwC
Also: what does Dr.Web know about VBS that we don't?? I'm pretty sure this is JS...

@JohnLaTwC @MITREattack @stromcoffee Can't pass up another #DailyScriptlet LIVE Meetup - I'll see you there! Looking forward to your talk.
#DailyScriptlet TIP: sometimes it helps to pre-process scripts for readability when eyeballing them.
You can do this with bash's "sed" command, as a @GCHQ #CyberChef recipe, or even with find & replace.
Pic 1: BEFORE
s/></>\n</g
s/;/;\n/g
s/{/{\n\t/g
s/}/\n}/g
Pic 2: AFTER
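The four substitutions from the tip above, wired into a small script that pretty-prints a constructed, benign one-line scriptlet so its structure is readable for review (added example, not from the tweet; it assumes GNU sed, which accepts `\n` and `\t` in replacements, and the sample XML is made up for illustration):

```shell
#!/bin/sh
# Added example: apply the tweet's sed recipe to a minified scriptlet.
# Assumes GNU sed ("\n" / "\t" in the replacement side are GNU extensions).

# Constructed, harmless sample: a scriptlet skeleton squashed onto one line.
SAMPLE='<?XML version="1.0"?><scriptlet><registration progid="Demo"><script language="JScript"><![CDATA[function run(){var a=1;var b=2;return a+b;}run();]]></script></registration></scriptlet>'

# pretty_sct: run the four substitutions in the same order as the tip.
#   1. break between adjacent tags  (>< becomes >\n<)
#   2. newline after each statement (;)
#   3. newline + tab after each opening brace
#   4. newline before each closing brace
pretty_sct() {
  printf '%s\n' "$1" |
    sed -e 's/></>\n</g' \
        -e 's/;/;\n/g' \
        -e 's/{/{\n\t/g' \
        -e 's/}/\n}/g'
}

# count_lines: how many lines the pretty-printed form has; a single-line
# input should expand to roughly one line per tag, statement or brace.
count_lines() {
  pretty_sct "$1" | wc -l | tr -d ' '
}

# tag_lines: lines that now begin with a tag, i.e. the XML skeleton
# separated from the embedded script body.
tag_lines() {
  pretty_sct "$1" | grep -c '^<'
}

pretty_sct "$SAMPLE"
```

The recipe is purely textual, so it also splits `;` or braces inside string literals; that is fine for eyeballing but means the output is not guaranteed to be equivalent script.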

This phishing doc may not have a nation state hardware implant in it,
but it *does* have an embedded super, micro INF file and a Base64-encoded #DailyScriptlet
Drops C:\ProgramData\golangSource.ini
^looking pretty Muddy 🥽
Links to the file & extracted contents below.

Outlook Ruler/homepage persistence FTW!
"This has been patched but we still see it leveraged b/c most orgs haven't applied patch"
Just by obtaining user email creds you can get code execution on victim machine using something like a COM scriptlet #DailyScriptlet
#FireEyeSummit

This #DailyScriptlet bypass starts off great: masquerading as a GIF file.
Uploaded 1 hour ago.
First time I've seen that anywhere... other than my February tweet: https://t.co/G5o5CG8HWk
Ok so a creative - though derivative - start.
But then it goes to absolute sloptown...


The COM object within this malicious .LNK is today's #DailyScriptlet
1️⃣ LNK matched on @Grotezinfosec's BSides Perth @yararules
2️⃣ LNK contains PDF + embedded EXE + scriptlet. Also non-standard header: https://t.co/t4vYUYh8YQ
3️⃣ @virusbay_io decode: https://t.co/WTtsz3RNeU

@Grotezinfosec @cyb3rops @0dayforensics @codingo_ @BSidesPer @Malwageddon @Delbs27 Nice rule. What'd you make of this one with the non-standard LNK header?
@virustotal: https://t.co/Bdk26atnOy
@virusbay_io: https://t.co/d9zYuyECKz
Your header bytes were loose enough to capture it, though it appears to differ from the full MS-SHLLINK file specs.
