Discover and read the best of Twitter Threads about #GRUNT

#InstallUtil payloads are still very popular for code execution and app whitelisting bypass.

Here's a fresh sample with a #GRUNT payload: "compliancesignature.cs"
MD5: f55c0c165f30df6d92fbb50bf7688dc5
virustotal.com/gui/file/1db94…
0/59 static detections.
So I'll share some rules!
👇👇
Identify suspicious #InstallUtil code execution payloads with a syntax-based #Yara rule (gist.github.com/itsreallynick/…) from this thread () on a *pretty damn similar* sample 🧐

Also look closely at both samples' embedded PE information (Original/InternalName) 😉
👋 hello @rapid7 red team btw

Or as I know you, #UNC1769.
You all do some really cool stuff. Keep it up! See you on the field!

Please try not to get as mad at me for putting some VT payloads on Twitter (like, no need to upload a bunch of aggressively-named files this time 😅)