PowerShell scripts

Winsage
March 30, 2025
PowerShell automates repetitive computing tasks, enhancing productivity by offering a faster command-line interface (CLI) compared to traditional graphical user interfaces (GUIs). It simplifies app management, allowing users to reinstall or update applications more effectively than through the Microsoft Store. PowerShell also streamlines file management with the Move-Item cmdlet, which transfers files and deletes the original from the source. Users can automate scripts with Task Scheduler for routine tasks, and it supports system maintenance through cmdlets and custom scripts, benefiting both IT administrators and casual users. PowerShell's automation capabilities make it a valuable tool for optimizing computing experiences.
Winsage
March 16, 2025
NTLite has received updates that enhance its functionality and security features, including support for Windows UEFI CA 2023 certificates and Microsoft Pluton. The update improves compatibility with Windows 11 24H2 and reintroduces the unattended Windows product key activation option, with caution advised against using generic keys. Key components added include the Image Mastering API (IMAPIv2), InstallShield WOW64, and various tools for 32 and 64-bit systems. The update also includes enhancements to the downloader and cumulative update compatibility. The latest version, 2025.03.10349, is available for download on Neowin and the official NTLite website.
Winsage
March 10, 2025
Cisco Talos has reported a series of cyberattacks exploiting a critical vulnerability in PHP (CVE-2024-4577) to target Windows systems, primarily affecting organizations in Japan since January 2025. The vulnerability allows attackers to execute arbitrary PHP code on servers running Apache with PHP-CGI. They use a Python script, "PHP-CGI_CVE-2024-4577_RCE.py," to send crafted POST requests and confirm exploitation through a specific MD5 hash. After gaining access, attackers deploy a PowerShell injector script to establish a connection with their command and control (C2) server and utilize Cobalt Strike plugins for post-exploitation activities, including modifying registry keys for persistence and clearing event logs to evade detection. They conduct lateral movement using reconnaissance tools and exploit Group Policy Objects to execute malicious scripts, ultimately extracting credentials with Mimikatz. The attackers have access to a pre-configured installer script on their C2 server, suggesting potential for future attacks.
Winsage
February 21, 2025
A group of developers called Massgrave has hacked Microsoft's activation tools for Windows and Office, uploading PowerShell scripts to GitHub that allow users to activate Windows and perpetual-license Office versions without paying licensing fees. Their tool, TSforge, supports activation for Windows versions 7, 8.x, 10, and 11, as well as Office versions from 2010 onward, excluding Microsoft 365 subscriptions. The scripts require minimal technical expertise and have been tested successfully on fresh installations of Windows 11 and updated Windows 10 machines. Massgrave acknowledges their actions as piracy and does not accept donations, emphasizing the ethical implications. The safety of the scripts is questioned, as there is a risk of malicious actors cloning their work. Microsoft is aware of the situation and plans to take action against unauthorized use of their software.
Winsage
February 19, 2025
The Windows Registry Editor is accessed by pressing Win+R, typing regedit, and confirming with "OK." The registry files are located in "C:\Windows\System32\config" and user-specific files in "C:\Users\[username]." The five main branches of the registry are:
- HKEY_CURRENT_USER: Configuration settings for the current user.
- HKEY_LOCAL_MACHINE: Global settings for all users, requiring administrative rights for changes.
- HKEY_USERS: Contains user IDs for system profiles.
- HKEY_CLASSES_ROOT: Manages file name extensions and program shortcuts.
- HKEY_CURRENT_CONFIG: Links to keys under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current.
Users can create subkeys and values, which can be of different types. To modify the registry, select a key, use the "New" context menu, and double-click to edit. Creating a backup of the registry is recommended before making changes, which can be done using the Registry Backup Portable tool. To restore the registry, select the most recent backup and click "Restore Now." Microsoft's Process Monitor can be used to analyze registry values by filtering for "RegSetValue" and tracking changes. Certain registry values are restricted from modification for security reasons, such as the "widgets" feature in Windows 11. However, methods like batch files and PowerShell scripts can override these protections. Windows transmits diagnostic data to Microsoft, impacting user privacy. Tools like O&O ShutUp10 and W10Privacy help manage telemetry settings.
Winsage
December 26, 2024
Microsoft has launched the public preview of AI Shell, a command-line utility that integrates generative AI capabilities into Windows PowerShell. It features two AI agents: Azure OpenAI and Copilot in Azure, with the option to add more. The installation requires Windows 10 or later and PowerShell version 7.4.6, using the script: Invoke-Expression "& { $(Invoke-RestMethod 'https://aka.ms/install-aishell.ps1') }". Configuration involves adding API keys after executing the Start-AIShell command. AI Shell can execute commands, provide explanations for cmdlets, assist in writing PowerShell scripts, and generate Python code. It includes commands like /code post to send generated code to the terminal, /code copy to copy code, resolve-error to send errors for resolution, and Invoke-AIShell to send queries.
Winsage
December 16, 2024
The Windows NT architecture continues to support a significant portion of global IT infrastructure, with millions of installations across Windows Server, Windows 10, and Windows 11. It can be leveraged alongside modern PowerShell techniques to create next-generation computing solutions. A secure and distributed file system can be implemented using Windows NT's Distributed File System (DFS) with encryption capabilities through PowerShell scripts. This allows organizations to create a secure, fault-tolerant file-sharing mechanism. PowerShell scripts can also be used to establish a real-time health monitoring dashboard that aggregates data from event logs, system performance counters, and custom triggers, enabling system administrators to swiftly identify failures and monitor system health. Automating patch management can be achieved through PowerShell by utilizing Windows Server Update Services (WSUS) to streamline the detection of missing updates, apply patches, and audit systems for compliance. PowerShell can enhance identity and access management (IAM) processes by automating compliance and monitoring permissions, ensuring continuous auditing of user access rights and adherence to corporate policies.