An attacker dropped and ran a recon script named new1.bat. The script deleted itself after it ran, but due to logging I was able to see most of the commands it ran. A list of commands can be found here.

I was able to locate at least a portion of the script which was posted to zhacker.net in 2016. It appears this script was used as a starting point and additional commands were added to it.

This script looks for a series of things such as admin permissions, cookies (payments, shops, dating, others), domain trusts, domain admins, users, system info, IP info, listening services, and currently installed programs. Below I will walk through some of the commands run by the script.

The first part looks for domain trusts, the workstation configuration, connected computers, servers and shares (including admin shares), as well as the users of the Domain Admins group. These commands are eerily similar to Trickbot recon seen in the past. If you don’t already have detection rules for lines 1, 2 and 4, I would recommend adding them.

Dsquery is being used to query the domain to get the hostname, distinguished name, description and operating system. Line 7 also uses dsquery, but this time it gets information on the user such as the username, email address, comments as well as the description.

These commands look for sessions, local users, systeminfo minus installed KBs, all IP info, and listening services.

Reg query is then used to locate installed programs.

This outputs the running services and all IPv4 addresses.

Here findstr is being used to look for cookies pertaining to payment sites.

The script uses PowerShell to get a file listing of C, Program Files, Roaming, Local, Desktop, Downloads and Documents.

At the end, the script prints win_install.log to the screen, copies the content into the copy buffer, and then deletes itself and the bat file.
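One way to act on the detection recommendation above, written as an added example that is not code from the original post or from the script: it flags a host and parent-process pair that runs several distinct recon categories within a short window. The command patterns (common Windows built-ins matching the categories described, not the verbatim lines of new1.bat), the pipe-delimited log format, the window and the threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed patterns: common built-ins that match the categories described above,
# not the verbatim command lines of new1.bat.
RECON_PATTERNS = {
    "domain_trusts": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I),
    "workstation_config": re.compile(r"\bnet1?(\.exe)?\s+config\s+workstation", re.I),
    "net_view": re.compile(r"\bnet1?(\.exe)?\s+view\b", re.I),
    "domain_admins": re.compile(r"\bnet1?(\.exe)?\s+group\s+\"?domain admins\"?", re.I),
    "dsquery": re.compile(r"\bdsquery(\.exe)?\s+(computer|user|\*)", re.I),
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "installed_programs": re.compile(r"\breg(\.exe)?\s+query\b.*\\uninstall", re.I),
    "listening_services": re.compile(r"\bnetstat(\.exe)?\s+-\w*a", re.I),
}

def parse(line):
    """Assumed log format: ISO timestamp|host|parent image|command line."""
    ts, host, parent, cmd = line.split("|", 3)  # command line may contain pipes
    return datetime.fromisoformat(ts), host, parent.lower(), cmd

def detect_recon_bursts(lines, window=timedelta(minutes=5), threshold=4):
    """Alert when one host/parent pair runs >= threshold distinct categories in the window."""
    events = defaultdict(list)  # (host, parent) -> [(timestamp, category)]
    for line in lines:
        ts, host, parent, cmd = parse(line)
        for cat, rx in RECON_PATTERNS.items():
            if rx.search(cmd):
                events[(host, parent)].append((ts, cat))
                break
    alerts = []
    for key, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - start <= window}
            if len(cats) >= threshold:
                alerts.append((key[0], key[1], sorted(cats)))
                break  # one alert per host/parent pair
    return alerts

SAMPLE = [  # constructed process-creation events, not taken from the incident
    r'2020-01-01T10:00:01|WS01|C:\Windows\System32\cmd.exe|nltest /domain_trusts /all_trusts',
    r'2020-01-01T10:00:02|WS01|C:\Windows\System32\cmd.exe|net config workstation',
    r'2020-01-01T10:00:03|WS01|C:\Windows\System32\cmd.exe|net group "Domain Admins" /domain',
    r'2020-01-01T10:00:05|WS01|C:\Windows\System32\cmd.exe|systeminfo | findstr /B /C:"OS Name"',
    r'2020-01-01T09:00:00|WS02|C:\Windows\explorer.exe|systeminfo',
    r'2020-01-01T11:30:00|WS02|C:\Windows\explorer.exe|netstat -an',
]
```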

Links

All links and commands can be found in MISP Priv and the CIRCL OSINT feed.

commands

script