DXPetti
/ CustomIndicators_NotepadPlusPlus.csv
Last active
February 4, 2026 09:01
Custom Indicators for Notepad++ Chrysalis Backdoor based on associated Rapid7 blog entry https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
We can make this file beautiful and searchable if this error is corrected: It looks like row 4 should actually have 12 columns, instead of 8 in line 3.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| IndicatorType,IndicatorValue,ExpirationTime,Action,Severity,Title,Description,RecommendedActions,RbacGroups,Category,MitreTechniques,GenerateAlert | |
| FileSha256,a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9,2027-02-01T00:00:00Z,BlockAndRemediate,Low,Notepad++ Chrysalis Backdoor file detected,A file hash associated with the Notepad++ Chrysalis Backdoor was detected,Quarantine the file and investigate the source.,,SuspiciousActivity,,TRUE | |
| FileSha256,8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e,2027-02-01T00:00:00Z,BlockAndRemediate,Low,Notepad++ Chrysalis Backdoor file detected,A file hash associated with the Notepad++ Chrysalis Backdoor was detected,Quarantine the file and investigate the source.,,SuspiciousActivity,,TRUE | |
| FileSha256,2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924,2027-02-01T00:00:00Z,BlockAndRemediate,Low,Notepad++ Chrysalis Backdoor file detected,A file hash associated with the Notepad++ Chrysalis Backdoor was detected,Quarantine the file a |
DXPetti
/ Get-AutoPilotInfoAndSend.ps1
Last active
October 10, 2024 00:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get NuGet provider | |
| Install-PackageProvider -Name NuGet -Force | |
| # Import NuGet provider | |
| Import-PackageProvider -Name NuGet -Force | |
| # Get Autopilot Script | |
| Install-Script -Name Get-WindowsAutoPilotInfo -Force | |
| # Get Az Modules |
DXPetti
/ Restore-AdAttributes.ps1
Created
April 4, 2020 06:08
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Restore select Ad Attributes from a mounted AD DS database | |
| .DESCRIPTION | |
| This cmdlet will take a OU path as input, takes a backup of the attributes of all users | |
| in said OU, import the attributes from a currently mounted AD DS database into a | |
| hashtable, loop through each user in the OU and apply said attributes. Finally, a export | |
| of the users current attributes is saved in the same path as the backup for before/after | |
| comparisons | |
| .EXAMPLE |
DXPetti
/ Restore-SharedMbxOoo.ps1
Last active
April 4, 2020 05:22
DXPetti
/ Set-SharedMbxOoo.ps1
Created
April 4, 2020 04:42
DXPetti
/ Remove-IeMitigations.ps1
Created
January 21, 2020 05:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # As per https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001 | |
| cacls $ENV:windir\system32\jscript.dll /E /R everyone | |
| cacls $ENV:windir\syswow64\jscript.dll /E /R everyone |
DXPetti
/ Add-IeMitigations.ps1
Last active
January 21, 2020 05:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # As per https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001 | |
| takeown /f $ENV:windir\syswow64\jscript.dll | |
| cacls $ENV:windir\syswow64\jscript.dll /E /P everyone:N | |
| takeown /f $ENV:windir\system32\jscript.dll | |
| cacls $ENV:windir\system32\jscript.dll /E /P everyone:N |
DXPetti
/ Install-Minikube.ps1
Created
January 30, 2019 10:29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Install MiniKube + Kubectl | |
| .DESCRIPTION | |
| This script downloads the executables for MiniKube, Kubectl, configures Hyper-V as the hypervisor (if not configured already) | |
| together with configuring a specific network adapter for use with the Minikube virtual machine | |
| .EXAMPLE | |
| Install-MiniKube | |
| .NOTES | |
| Version: 1.0 |
DXPetti
/ Repair-RegistryPol.ps1
Created
August 23, 2018 07:05
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Clean up machines with bad (old/corrupt) machine Registry.pol files | |
| .DESCRIPTION | |
| Taking a array as input, this cmdlet assists in keeping machines in a healthy state to accept Group Policy driven changes | |
| by confirming the last modified date of the machines Registry.pol and if older than a day , remove it, (or doesn't exist) | |
| followed by a forced Machine Policy update. | |
| To work against older WMF/Powershell environments, invoke-command + invoke-gpupdate have been avoided. | |
| .EXAMPLE | |
| Repair-RegistryPol -Computers workstation1,workstation2 |
DXPetti
/ Remove-LegacyBoot.ps1
Created
August 22, 2018 08:08
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .DESCRIPTION | |
| Powershell script to remove DHCP policies that allows Legacy BIOS based network booting (PXE) based upon information sent by client detailed in RFC 4578 (https://tools.ietf.org/html/rfc4578) | |
| .PARAMETERS | |
| None - execute directly from Powershell | |
| .VERSION | |
| 1.0 | |
| .AUTHOR | |
| James Pettigrove | |
| .COMPATIBILITY |
NewerOlder