PowerShell scripts Archives

Winsage

June 25, 2025

Building a Windows Storage Dashboard, Part 2: Collecting Historical Data

The process of gathering historical data for a Windows storage dashboard involves two steps: creating a PowerShell script to collect and save the data, and configuring the Windows Task Scheduler to run this script at set intervals. The script collects data on file system drives using the Get-PSDrive cmdlet, creating a custom PowerShell object with columns for Timestamp, Drive, UsedGB, FreeGB, and TotalGB, which is then exported to a CSV file. The script specifies the CSV file path, appends new data without overwriting existing data, and excludes type information from the header. The generated CSV file includes a header row and records for each drive with their respective usage statistics.

Tech Optimizer

June 17, 2025

Hackers Use Fake Verification Prompt and Clickfix Technique to Deploy Fileless AsyncRAT

Threat actors are using a fileless variant of AsyncRAT, targeting German-speaking individuals with a deceptive verification prompt. This prompt misleads users into executing harmful commands. The malware employs obfuscated PowerShell scripts to operate in memory without creating files on disk, complicating detection by antivirus solutions. The attack begins with a fake verification page prompting users to click "I’m not a robot," which copies a malicious command to the clipboard. This command uses conhost.exe to run a hidden PowerShell instance that retrieves a payload from a remote server. The malware establishes a connection to a command-and-control server and maintains persistence through registry keys, enabling remote control and data exfiltration. Key tactics include stealth execution, in-memory C# compilation, and TCP-based communication over non-standard ports. The campaign has been active since at least April 2025. Indicators of Compromise (IOCs) include: - IP: 109.250.111[.]155 (Clickfix Delivery) - FQDN: namoet[.]de (Clickfix / C2 Server) - Port: 4444 (TCP Reverse Shell Listener) - URL: hxxp[:]//namoet[.]de:80/x (PowerShell Payload) - Registry (HKCU): SOFTWAREMicrosoftWindowsCurrentVersionRunOncewindows (Persistence on Boot) - Registry (HKCU): SOFTWAREMicrosoftWindows NTCurrentVersionWindowswin (Holds Obfuscated Command)

Tech Optimizer

June 9, 2025

ViperSoftX Malware Used by Threat Actors to Steal Sensitive Information

The AhnLab Security Intelligence Center (ASEC) has reported that ViperSoftX malware, first identified in 2020, continues to pose a significant threat, particularly targeting cryptocurrency-related information. It disguises itself as cracked software or eBooks on torrent sites and uses deceptive tactics to infect users globally. ViperSoftX exploits the Windows Task Scheduler to execute malicious PowerShell scripts and communicates with its command-and-control server to transmit detailed system information. The malware captures clipboard activity to steal cryptocurrency wallet addresses and employs mechanisms to avoid detection, including self-removal. It also deploys secondary payloads like Quasar RAT and ClipBanker, which hijacks wallet addresses during transactions. ASEC warns that infections can lead to total system compromise and advises users to avoid unverified downloads and maintain updated security measures. Indicators of Compromise (IOCs): - MD5: - 064b1e45016e8a49eba01878e41ecc37 - 0ed2d0579b60d9e923b439d8e74b53e1 - 0efe1a5d5f4066b7e9755ad89ee9470c - 197ff9252dd5273e3e77ee07b37fd4dd - 1ec4b69f3194bd647639e6b0fa5c7bb5 - URLs: - http://136.243.132.112/ut.exe - http://136.243.132.112:881/3.exe - http://136.243.132.112:881/APPDATA.exe - http://136.243.132.112:881/a.ps1 - http://136.243.132.112:881/firefoxtemp.exe - IPs: - 136.243.132.112 - 160.191.77.89 - 185.245.183.74 - 212.56.35.232 - 89.117.79.31

Tech Optimizer

May 23, 2025

Hackers Exploit PyBitmessage Library to Evade Antivirus and Network Security Detection

The AhnLab Security Intelligence Center (ASEC) has identified a new strain of backdoor malware that works with a Monero coin miner, utilizing the PyBitmessage library for covert P2P communications. This malware uses encryption to secure data exchanges and anonymize identities, complicating detection by security tools. It decrypts resources using XOR operations to deploy a Monero miner and a backdoor component. The Monero miner exploits the cryptocurrency's anonymity, while the backdoor, created with PowerShell, installs PyBitmessage and retrieves files from GitHub or a Russian file-sharing platform. Commands are executed as PowerShell scripts, making detection difficult. The malware may be distributed as legitimate software or cracked files. ASEC advises caution with unverified files and recommends keeping security solutions updated. Indicators of Compromise (IOCs): - MD5: 17909a3f757b4b31ab6cd91b3117ec50 - MD5: 29d43ebc516dd66f2151da9472959890 - MD5: 36235f722c0f3c71b25bcd9f98b7e7f0 - MD5: 498c89a2c40a42138da00c987cf89388 - MD5: 604b3c0c3ce5e6bd5900ceca07d587b9 - URLs: - http://krb.miner.rocks:4444/ - http://krb.sberex.com:3333/ - http://pool.karbowanec.com:3333/ - http://pool.supportxmr.com:3333/ - https://spac1.com/files/view/bitmessage-6-3-2-80507747/

Winsage

May 10, 2025

Hackers Using Windows Remote Management to Stealthily Navigate Active Directory Network

Threat actors are exploiting Windows Remote Management (WinRM) to navigate through Active Directory environments stealthily, allowing them to bypass detection systems, escalate privileges, and deploy malicious payloads. WinRM operates on HTTP port 5985 and HTTPS port 5986, enabling remote command execution and management tasks. Attackers can gain access through compromised credentials and use WinRM-enabled PowerShell commands for reconnaissance, deploying payloads while evading detection. The attack chain includes initial access, reconnaissance, payload deployment, persistence, and lateral movement, often utilizing techniques that obfuscate malicious activities. Detecting such attacks is challenging due to the use of built-in Windows functionalities and encrypted channels. Recommended mitigation strategies include monitoring for unusual activity, restricting WinRM access, enforcing credential hygiene, and implementing advanced monitoring solutions.

Winsage

March 30, 2025

5 reasons I use PowerShell to automate boring Windows tasks

PowerShell automates repetitive computing tasks, enhancing productivity by offering a faster command-line interface (CLI) compared to traditional graphical user interfaces (GUIs). It simplifies app management, allowing users to reinstall or update applications more effectively than through the Microsoft Store. PowerShell also streamlines file management with the Move-Item cmdlet, which transfers files and deletes the original from the source. Users can automate scripts with Task Scheduler for routine tasks, and it supports system maintenance through cmdlets and custom scripts, benefiting both IT administrators and casual users. PowerShell's automation capabilities make it a valuable tool for optimizing computing experiences.

Winsage

March 16, 2025

Windows 11 config tool improves 24H2 updates compatibility, returns key activation, and more

NTLite has received updates that enhance its functionality and security features, including support for Windows UEFI CA 2023 certificates and Microsoft Pluton. The update improves compatibility with Windows 11 24H2 and reintroduces the unattended Windows product key activation option, with caution advised against using generic keys. Key components added include the Image Mastering API (IMAPIv2), InstallShield WOW64, and various tools for 32 and 64-bit systems. The update also includes enhancements to the downloader and cumulative update compatibility. The latest version, 2025.03.10349, is available for download on Neowin and the official NTLite website.

Winsage

March 10, 2025

Threat Actors Exploited PHP-CGI RCE Vulnerability To Attack Windows Machines

Cisco Talos has reported a series of cyberattacks exploiting a critical vulnerability in PHP (CVE-2024-4577) to target Windows systems, primarily affecting organizations in Japan since January 2025. The vulnerability allows attackers to execute arbitrary PHP code on servers running Apache with PHP-CGI. They use a Python script, “PHP-CGICVE-2024-4577RCE.py,” to send crafted POST requests and confirm exploitation through a specific MD5 hash. After gaining access, attackers deploy a PowerShell injector script to establish a connection with their command and control (C2) server and utilize Cobalt Strike plugins for post-exploitation activities, including modifying registry keys for persistence and clearing event logs to evade detection. They conduct lateral movement using reconnaissance tools and exploit Group Policy Objects to execute malicious scripts, ultimately extracting credentials with Mimikatz. The attackers have access to a pre-configured installer script on their C2 server, suggesting potential for future attacks.

Winsage

March 8, 2025

Lumma Stealer Launch “Click Fix” Style Attack via Fake Google Meet & Windows Update Sites

Recent investigations from Palo Alto have revealed the use of "click fix" campaigns for distributing Lumma Stealer malware, which exploit user interaction by embedding malicious scripts into the copy-paste buffer. Victims are tricked into executing harmful commands through seemingly benign instructions on malicious web pages. Key tactics include: - Domain Impersonation: Registering domains that resemble legitimate services (e.g., windows-update[.]site). - Abuse of Trusted Platforms: Hosting malicious pages on reputable platforms like Google Sites. - PowerShell Script Delivery: Using data binaries that execute as PowerShell scripts. - DLL Side-Loading: Distributing zip archives with decoy files alongside legitimate executables for side-loading Lumma Stealer DLLs. Examples of malicious activity include: 1. Fake Google Meet Page: A fraudulent page instructs users to execute a PowerShell command that downloads a script from tlgrm-redirect[.]icu, leading to the download of Lumma Stealer files from plsverif[.]cfd/1.zip and executing a DLL file (DuiLib_u.dll) through side-loading. 2. Fake Windows Update Site: The site windows-update[.]site prompts users to run a PowerShell command that downloads a file from overcoatpassably[.]shop/Z8UZbPyVpGfdRS/maloy[.]mp4, which functions as a PowerShell script. Malicious traffic patterns include HTTP POST requests to tlgrmverif[.]cyou/log.php and downloads from plsverif[.]cfd and overcoatpassably[.]shop. Active command-and-control (C2) domains for Lumma Stealer are: - web-security3[.]com - techspherxe[.]top Inactive C2 domains include: - hardswarehub[.]today - earthsymphzony[.]today Key files associated with these campaigns are: - A PowerShell script from tlgrm-redirect[.]icu/1.txt (SHA256: 909ed8a135…). - A zip archive from plsverif[.]cfd/1.zip (SHA256: 0608775a345…). - A side-loaded DLL (DuiLib_u.dll, SHA256: b3e8b610ef…). Indicators of compromise include active domains like windows-update[.]site and sites[.]google[.]com/view/get-access-now-test/verify-your-account, and associated domains such as authentication-safeguard[.]com, plsverif[.]cfd, and tlgrmverif[.]cyou.

Winsage

March 5, 2025

Microsoft To Remove DES Encryption from Windows 11 24H2 & Windows Server 2025

Microsoft plans to phase out the Data Encryption Standard (DES) encryption algorithm from Kerberos authentication in future Windows releases, specifically affecting Windows Server 2025 and Windows 11 version 24H2 after updates on or after September 9, 2025. This is part of Microsoft's Secure Future Initiative aimed at eliminating outdated encryption technologies. DES, established in 1977, has become vulnerable to security breaches and was integrated into Kerberos in 1993. While Windows has not relied solely on DES, it has been disabled by default since Windows 7 and Windows Server 2008 R2, although it remains available as an optional feature. After September 2025, affected systems will enter "DES in Kerberos Disabled Mode," making DES unsupported. Microsoft advises organizations to identify and address any existing DES usage before the deadline, recommending the use of PowerShell scripts to detect DES in security event logs and to disable it through Active Directory and Group Policy settings. Organizations should transition to more secure ciphers like the Advanced Encryption Standard (AES) and ensure compatibility with AES by changing passwords for accounts on older domain controllers.