Or how to fuck with Windows Admins
(Last Update May 18th 2021)
The obvious ones – EICAR as:
| User-Agent | See what Webserver is running Windows and AV |
| Password | See what crappy application is hosted on Windows and Stores Passwords in Cleartext |
| Eicar in Cookies | See some cookie monsters? |
| OS Username | If you are not on Windows obviously! Clusterbomb, see where your username gets stored as Metadata – like every Office Document – kind of a DLP :) |
| As Crypto transaction comment | In the blockchain forever! Ruin Coins for Windows Users! |
Maybe less successful ones – EICAR as:
| Spray EICAR against any Login Prompt as Username | See what Logfiles are stored and processed on Windows machines with AV |
| EICAR as TLS Certificate Alternate Name or Comment | See who processes TLS Certificates on Windows machines |
| EICAR as DNS Reverse Lookups | Anyone hosting SIEM on Windows? |
| EICAR as TXT/MX DNS Lookups | Mailsecurity on Windows? Logging of Mailsecurity on Windows? |
| Post EICAR in MS Teams Chats, Calls | Maybe they get delivered as mails or stored as chatlogs? |
| Inside Website Icon | Eicar as Icon – see recent vulnerabilities in Browser Icon Storage – Some browsers never clear Icon Cache?! |
| In as many social media Information Fields as possible | See who mines social media and works with the results in excel? Shoot me! |
| In as many Azure as a Service thingies you can find? | Lets test how much cloud backend Microsoft still runs on Windows with AV? |
| HTML Comments – especially in every automatically generated CMS Page | Just for the kicks? |
| In Webpage Forms? | Any food delivery Comments? WARNING: DO NOT DO THIS IF YOU ARE ACTUALLY HUNGRY! |
| Webshops | Like in every single input field if the Webserver is running on IIS? |
| OTP Token Entry field | Microsoft Azure Authenticator and Microsoft LDAP MFA Whatever Proxy? |
| WiFi SSID | SupplicAVnt? |
Stupid Stuff – Eicar as:
| Inside Games, Chats, Items, Character Names | Gameserver Backend on Windows? |
| Bumper Sticker | OCR on the Road – or what crazy person is storing car camera Images/OCR on Windows? |
| As a banking transaction comment | HELL NO! DONT DO THIS! |
Disclaimer
Do not do this at work, or anywhere without permission!
If you have to do this do it in VMs and Safe Environments for testing!
It may not be illegal to use EICAR as a string but it sure will be illegal to willingly and knowingly use EICAR to cause harm.
Regards
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
