Code Snippets

.NET Framework Secure TLS

### .NET Framework 4.X
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
### .NET Framework 3.X
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path...

OIDC-JWT

{
  "aud": "6ae19765-6bce-47fe-ab39-fea801fba272",
  "iss": "https://auth.schweigerstechblog.de/adfs",
  "iat": 1697447965,
  "nbf": 1697447965,
  "exp": 1697451565,
  "auth_time": 1697447577,
  "sub": "K9aaS9eMkJiUcrEoaTbXZR90U99U7HlxSKa5CQ2s7oc=",
  "upn": "kschweiger@schweigerstechblog.de",
  "unique_name": "SWT\\kschweiger",
  "pwd_url": "https://auth.schweigerstechblog.de/adfs/portal/updatepassword/",
  "sid": "S-1-5-21-988405549-3412143714-2819284977-3374",
  "EmployeeID": "01",
  "Department": "Blogging",
  "apptype": "Confidential",
  "appid": "6ae19765-6bce-47fe-ab39-fea801fba272",
  "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "ver": "1.0",
  "scp": "openid"
}

Test01 LegacyExchangeDN

[PS] C:\Windows\system32>Get-Mailbox test01@test.com | fl EmailAddresses, LegacyExchangeDN
EmailAddresses   : {smtp:test01@test.de, SMTP:test01@test.com, smtp:test01-smtp@test.com}
LegacyExchangeDN : /o=Test/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=9aee20dc504d453781f27fdfade08396-test01

Exchange Hybrid: Mailbox Duplicates

#Exchange Online
[PS] C:\Windows\system32> Get-Mailbox test01@test.com
Name                      Alias   Database
----                      -----   --------
32b2bd38-24a0-4ed1-9c5…   test01  DEUP281DG201-db215
#Exchange On-Premises
[PS] C:\Windows\system32>Get-Mailbox -Identity test01@test.com
Name    Alias   ServerName  ProhibitSendQuota
----    -----   ----------  -----------------
Test01  test01  exc8201     Unlimited

.\CVE-2023-23397.ps1 -Environment OnPrem -UserMailboxes kevin@schweigerstechblog.de -EWSServerURL https://exchange.schweigerstechblog.de/EWS/Exchange.asmx
Cmdlet CVE-2023-23397.ps1 an der Befehlspipelineposition 1
Geben Sie Werte für die folgenden Parameter an:
Credential
CVE-2023-23397 script version 23.03.15.2119
Trying to find Microsoft.Exchange.WebServices.dll in the script folder
Microsoft.Exchange.WebServices.dll was found in the script folder
Scanning 1 of 1 mailboxes (currently: kevin@schweigerstechblog.de)
No vulnerable item found

IntuneOnboarding01

Log Name:    Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source:      DeviceManagement-Enterprise-Diagnostics-Provider
Event ID:    76
Level:       Error
Description: Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x80180002b)

Exchange Hybrid: AD User Attribute Cleanup

[PS] C:\Windows\system32> Get-User test01@test.com | fl Name, Displayname, *Recipient*
Name                         : 32b2bd38-24a0-4ed1-9c5e-007d4542d14c
DisplayName                  : test01
PreviousRecipientTypeDetails : UserMailbox
RecipientType                : MailUser
RecipientTypeDetails         : MailUser
[PS] C:\Windows\system32> Get-User test01@test.com | Set-User -PermanentlyClearPreviousMailboxInfo
[PS] C:\Windows\system32> Get-MailUser test01@test.com | Set-MailUser -RemoveDisabledArchive

Exchange CVE-2022-41040 – Mitigation Service

### Check if Mitigation Service has been enabled for Organization
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-OrganizationConfig | select MitigationsEnabled
MitigationsEnabled
------------------
True
### Check if Mitigation Service has been enabled for Exchange Nodes
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>Get-ExchangeServer | select Name, Miti*
Name    MitigationsEnabled  MitigationsApplied  MitigationsBlocked
----    ------------------  ------------------  ------------------
EX0401  True                {M1.1, PING1}
### Check already applied...

Exchange CVE-2022-41040

PS C:\Users\kschweiger> Invoke-WebRequest https://mail.domain.com/autodiscover/autodiscover.json?@evil.com/powershell$Email=autodiscover/autodiscover.json%3f@evil.com
Invoke-WebRequest : Der Remoteserver hat einen Fehler zurückgegeben: (403) Unzulässig.
In Zeile:1 Zeichen:1
+ Invoke-WebRequest https://mail.domain.com/autodiscover/autodis …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Ansible Custom Facts Playbook

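# Play: built-in fact gathering is disabled so the setup task below controls it
- name: GATHER FACTS TESTING
  hosts: all
  gather_facts: no
  tasks:
    # Collect a reduced fact set plus the custom facts and keep the result
    - name: GATHER Facts Windows
      setup:
        fact_path: C:\ProgramData\A8N\CustomFacts\A8N_CustomFacts01.ps1
        gather_timeout: 15
        gather_subset:
          - '!hardware'
          - '!network'
          - '!ohai'
          - '!facter'
      register: hosts_windows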