https://hexpysya.github.io/tags/powershell/Recent content in PowerShell on bubka hacks stuffHugo -- gohugo.ioen-usTue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-lumma-stealer---dll-side-loading-via-click-fix-phishing/Tue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-lumma-stealer---dll-side-loading-via-click-fix-phishing/A Click Fix phishing email impersonating Microsoft lured Dylan into visiting a malicious site, which executed a disguised PowerShell command launching mshta.exe to download Lumma Stealer payload from overcoatpassably.shop. The host was contained before confirmed data exfiltration.https://hexpysya.github.io/blue_team/splunk-shadowroast/Tue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/splunk-shadowroast/A masqueraded AdobeUpdater.exe binary established persistence via a registry Run key, injected into cmd.exe, performed AS-REP Roasting with Rubeus against four AD accounts, laterally moved to FileServer using cracked tcooper credentials, enabled RDP, and staged share data for exfiltration.https://hexpysya.github.io/blue_team/splunk-goldenspray/Fri, 10 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/splunk-goldenspray/An attacker from 77.91.78.115 brute-forced mwilliams credentials, connected via RDP, dropped OfficeUpdater.exe with registry persistence, staged Backup_Tools including mimikatz, dumped lsass to obtain jsmith credentials, laterally moved to ST-DC01 and ST-FS01, established scheduled task persistence on the DC, and archived client data for exfiltration.https://hexpysya.github.io/investigations/htb-liberty/Wed, 25 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-liberty/Password spraying led to domain account compromise, followed by NetNTLM hash theft via a malicious .url file, RDP access, data exfiltration to a C2 server, and PSWA backdoor installation for persistence.https://hexpysya.github.io/blue_team/thm-phishing-unfolding/Mon, 16 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/thm-phishing-unfolding/https://hexpysya.github.io/blue_team/ld-soc153---suspicious-powershell-script-executed/Sat, 14 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-soc153---suspicious-powershell-script-executed/User Tony downloaded and executed a malicious PowerShell script (payload_1.ps1 / agent3.ps1) classified as trojan.powershell/boxter (Azorult family). The script bypassed execution policy, then fetched and invoked a second-stage payload from kionagranada.com (161.22.46.148), establishing a two-stage C2 chain with a final pivot to 91.236.116.163.https://hexpysya.github.io/investigations/cdef-bluesky-ransomware/Tue, 10 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-bluesky-ransomware/An attacker performed a port scan, exploited a Microsoft SQL Server via the sa account, enabled xp_cmdshell to drop and execute a base64-encoded payload, then deployed a multi-stage PowerShell toolkit to disable AV, dump NTLM hashes, perform lateral movement via SMB, and stage the BlueSky ransomware payload.https://hexpysya.github.io/investigations/htb-a-call-from-the-museum/Sat, 07 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-a-call-from-the-museum/A phishing email with a password-protected ZIP delivered an LNK file that executed an obfuscated PowerShell stager — collecting system fingerprint data, checking in to a C2, and fetching a next-stage implant using hardcoded credentials. A decoy PDF was opened simultaneously to distract the victim.