1579 matches found

n0where
added 2017/08/07 10:20 p.m., 22 views

PowerShell Obfuscation Detection Framework: Revoke-Obfuscation

Revoke-Obfuscation is an open-source PowerShell v3.0+ framework for detecting obfuscated PowerShell commands and scripts at scale. It relies on PowerShell's AST (Abstract Syntax Tree) to rapidly extract thousands of features from any input PowerShell script and compare this feature vector against o...

AI score: 7.4
Exploits: 0, References: 3
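The snippet above describes the core idea behind Revoke-Obfuscation: parse the script into an AST and derive features from the tree rather than from the raw text. The following is an added example, not Revoke-Obfuscation's own code, that shows this step with PowerShell's built-in parser. It extracts a small, hand-picked feature set (node count, nesting depth, commands whose name is not a plain literal, binary operators, special-character density) and applies an illustrative threshold; the thresholds, the function names and the two sample scripts are assumptions for this demonstration, not the project's trained model.

```powershell
# Added example (not Revoke-Obfuscation's code): AST-based feature extraction.
# Revoke-Obfuscation extracts thousands of features and scores them with a trained
# model; the handful of features and the thresholds here are illustrative assumptions.

function Get-ScriptFeatures {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Label = 'sample'
    )

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # An always-true predicate with searchNestedScriptBlocks=$true yields every node,
    # including those inside { ... } script blocks passed as arguments.
    $nodes = @($ast.FindAll({ $true }, $true))

    $commands  = @($nodes | Where-Object { $_ -is [System.Management.Automation.Language.CommandAst] })
    $strings   = @($nodes | Where-Object { $_ -is [System.Management.Automation.Language.StringConstantExpressionAst] })
    $binaryOps = @($nodes | Where-Object { $_ -is [System.Management.Automation.Language.BinaryExpressionAst] })
    $invokes   = @($nodes | Where-Object { $_ -is [System.Management.Automation.Language.InvokeMemberExpressionAst] })

    # A command whose first element is not a bare literal name, e.g. &('Get'+'-Process'),
    # is a strong obfuscation signal: ordinary scripts name their commands directly.
    $dynamicCmds = @($commands | Where-Object {
        $_.CommandElements[0] -isnot [System.Management.Automation.Language.StringConstantExpressionAst]
    })

    # Maximum nesting depth: follow Parent links from each node up to the root.
    $maxDepth = 0
    foreach ($n in $nodes) {
        $d = 0; $p = $n
        while ($null -ne $p.Parent) { $d++; $p = $p.Parent }
        if ($d -gt $maxDepth) { $maxDepth = $d }
    }

    $len     = [math]::Max(1, $ScriptText.Length)
    $special = [regex]::Matches($ScriptText, '[`''"\+\(\)\{\}\[\]\$;]').Count

    [pscustomobject]@{
        Label            = $Label
        Length           = $ScriptText.Length
        Nodes            = $nodes.Count
        MaxDepth         = $maxDepth
        Commands         = $commands.Count
        DynamicCommands  = $dynamicCmds.Count
        StringConstants  = $strings.Count
        BinaryOps        = $binaryOps.Count     # string concatenation with + lands here
        MemberInvokes    = $invokes.Count
        SpecialCharRatio = [math]::Round($special / $len, 3)
        Backticks        = [regex]::Matches($ScriptText, '`').Count
        ParseErrors      = $errors.Count
    }
}

function Test-LooksObfuscated {
    param([Parameter(Mandatory)]$Features)
    # Illustrative thresholds (assumption, not Revoke-Obfuscation's model):
    # any dynamically named command, or concatenation-heavy, symbol-dense text.
    ($Features.DynamicCommands -gt 0) -or
    ($Features.BinaryOps -ge 3 -and $Features.SpecialCharRatio -gt 0.25)
}

# Constructed samples: a plain pipeline and a hand-obfuscated equivalent that
# builds its command and member names from concatenated string fragments.
$plain = 'Get-Process | Where-Object { $_.CPU -gt 100 }'
$obfuscated = @'
&('Get'+'-Pro'+'cess') | .('Whe'+'re-Ob'+'ject') { $_.('C'+'PU') -gt 100 }
'@

$report = foreach ($s in @(@{ L = 'plain'; T = $plain }, @{ L = 'obfuscated'; T = $obfuscated })) {
    $f = Get-ScriptFeatures -ScriptText $s.T -Label $s.L
    $f | Add-Member -NotePropertyName Flagged -NotePropertyValue (Test-LooksObfuscated $f) -PassThru
}
$report | Format-Table -AutoSize
```

Both samples do the same thing at runtime, which is why text-level signatures struggle with them; in the AST the obfuscated variant stands out immediately (two commands with non-literal names, several extra BinaryExpressionAst nodes for the `+` concatenations, and a much higher special-character ratio). Note that the parser never executes anything, so this is safe to run over untrusted input, and `ParseErrors` should also be treated as a feature: scripts that only become valid after a decode step often parse with errors in their outer layer.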
Malwarebytes
added 2017/08/07 7:19 p.m., 40 views

A week in security (July 31 – August 6)

Last week we explored some basic PowerShell commands, dived into the new methods used by TrickBot, and wrote at length about the Magnitude exploit kit redirection chain. Our teams were busy at both BlackHat and DefCon, and outside of those famous hallways, we also took time to fire up some basic...

AI score: 6.8
Exploits: 0
n0where
added 2017/08/07 6:58 p.m., 40 views

Intrusion Detection Avoidance Payload Generator: NPS_Payload

This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. Written by Larry Spohn (@Spoonman1091); payload written by Ben Mauch (@Ben0xA, aka dirtyben). This tool provides a way to generate a PowerShell payloa...

AI score: 1.8
Exploits: 0, References: 3
myhack58
added 2017/08/07 12:00 a.m., 1167 views

“Third-generation Stuxnet” (CVE-2017-8464): several exploitation methods and prevention - Vulnerability and early warning - Black Bar Safety Net

As early as June 13, Microsoft released a patch for the vulnerability numbered CVE-2017-8464. A local user or a remote attacker can exploit it with a specially crafted shortcut (.LNK) file delivered through a removable device or a remote share, leading to remote code execution. Dating back...

CVSS: 9.3, AI score: 1.4, EPSS: 0.93878
Exploits: 40
Malwarebytes
added 2017/08/04 6:00 p.m., 90 views

Learning PowerShell: basic programs

In the previous posts we have looked at some elementary PowerShell concepts and we have constructed some basic commands to export and compare data. We did this by using an example of certificates being dumped in the “Untrusted” category by some malware. This time we will try to write a program th...

AI score: 6.9
Exploits: 0
pentestit
added 2017/08/02 10:10 p.m., 141 views

Koadic: An Advanced Windows JScript/VBScript RAT!

All of us know that post-exploitation, we need some mechanism to maintain access on the target. One of the most common methods is installing a trojan. I have tried to maintain a list of similar tools on the malware sources page on this blog. Now there is a new entrant which...

AI score: 6.9
Exploits: 0
Malwarebytes
added 2017/08/01 3:00 p.m., 69 views

Learning PowerShell: some basic commands

My first PowerShell script. The first PowerShell script I wrote (see below) was a quick fix to remove certificates from the “Untrusted” registry key after a Vonteera infection. After some initial commands, this script basically loops back for every certificate that doesn't belong under a certain key...

AI score: 6.8
Exploits: 0
FireEye
added 2017/07/27 8:00 p.m., 27 views

Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science

Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...

AI score: 1.2
Exploits: 0
FireEye
added 2017/07/27 8:00 p.m., 21 views

Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science

Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...

AI score: 6.8
Exploits: 0
Veeam
added 2017/07/27 12:00 a.m., 109 views

Powershell: Cannot connect to backup server because some of its components are out of date

Challenge: the Connect-VBRServer PowerShell cmdlet fails with the error "Connect-VBRServer : Cannot connect to backup server because some of its components are out of date." Cause: this issue occurs when the Veeam Backup & Replication Console files on the remote machine where the command was run do not...

AI score: 7.2
Exploits: 0, Affected software: 1
rapid7community
added 2017/07/26 12:49 p.m., 72 views

How Do You Identify Zero-Days and Fileless Malware? Download (the) RAM.

Banner source: the ever-handy http://www.downloadmoreram.com. When a tactic becomes less and less effective, it's important to shift strategies and adapt. With malware, attackers are doing exactly that. As preventative measures such as antivirus and endpoint detection and response continue to...

AI score: 7.6
Exploits: 0
pentestit
added 2017/07/26 4:58 a.m., 93 views

nps_payload: Basic Intrusion Detection Avoidance Payload Generator!

This is a short post about nps_payload, an open-source Python script that helps you create basic payloads that avoid or bypass intrusion detection systems. It is a mix of @ben0xa's Not PowerShell (nps) framework and some features of @HackingDave's unicorn tool. As you...

AI score: 7.2
Exploits: 0
Kitploit
added 2017/07/24 11:31 p.m., 36 views

HoneypotBuster - Microsoft PowerShell Module to Find HoneyPots and HoneyTokens in the Network

Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host. CodeExecution: execute code on a target machine using Import-Module. Invoke-HoneypotBuster: HoneypotBuster is a tool designed to spot Honey Tokens, Honey Bread Crumbs...

AI score: 7.4
Exploits: 0, References: 1
pentestit
added 2017/07/24 8:24 p.m., 72 views

UPDATE: Luckystrike 2.0!

My first post regarding this malicious Microsoft Office document generator was about an older version. However, a few hours ago an update was released: Luckystrike 2.0! Major highlights for this awesome release include full support for Microsoft Word in addition to a new COM...

AI score: 7
Exploits: 0
Talos Blog
added 2017/07/19 7:49 a.m., 120 views

Unravelling .NET with the Help of WinDBG

This blog was authored by Paul Rascagneres and Warren Mercer. Introduction: .NET is an increasingly important component of the Microsoft ecosystem, providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other...

AI score: 7.4
Exploits: 0
Malwarebytes
added 2017/07/17 7:43 p.m., 45 views

A week in security (July 10 – July 16)

Last week, we took a look at some of your malware infection stories, took a stroll through the basics of PowerShell, explored a piece of .NET malware, and shone the spotlight on the Petya ransomware family. Elsewhere, the following stories were taking place: Latest updates for Consumers...

AI score: 6.4
Exploits: 0
pentestit
added 2017/07/16 4:28 p.m., 27 views

NetworkRecon: PowerShell to Identify Network Vulnerabilities!

As PowerShell becomes more prevalent in the Windows environment, so will its use for vulnerability assessment and penetration tests. I have covered a few such tools earlier, such as PowerSploit and PSAttack; however, none of the ones I mentioned help you detect network vulnerabilities...

AI score: 7.5
Exploits: 0
Metasploit
added 2017/07/14 7:46 a.m., 44 views

WinRM Command Runner

This module runs arbitrary Windows commands using the WinRM service. This module requires Metasploit: https://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework. require 'net/winrm/connection' class MetasploitModule ... 'WinRM Command Runner', 'Description' => %q This...

AI score: 7.3
Exploits: 0
0day.today
added 2017/07/13 12:00 a.m., 40 views

Skype for Business 2016 - Cross-Site Scripting Vulnerability

Exploit for Windows platform in category remote exploits. Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550. Exploit Author: @nyxgeek - TrustedSec. Date: 2017-04-10. Vendor Homepage: www.microsoft.com. Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower. Requirements:...

CVSS: 8.5, AI score: 6.3, EPSS: 0.09552
Exploits: 4
exploitpack
added 2017/07/12 12:00 a.m., 30 views

Skype for Business 2016 - Cross-Site Scripting

Skype for Business 2016 - Cross-Site Scripting. Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550. Exploit Author: @nyxgeek - TrustedSec. Date: 2017-04-10. Vendor Homepage: www.microsoft.com. Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower. Requirements: Originating...

CVSS: 4.3, AI score: 0.3, EPSS: 0.09552
Exploits: 4