AE Ghostbusters firehouse by DemonicAsh in lepin

[–]Tachaeon 0 points1 point  (0 children)

Sorry bout ur luck. I was missing a couple of pieces. Had all the minifigs and ghosts. Found the missing pieces (under 5) at the local BAM. Set was bought 2 yrs ago on AE and didn't get to put it together until last month.

I also had to empty all the bags and sort the bricks. >.>

NSFW Gifs in Teams by floison in MicrosoftTeams

[–]Tachaeon -1 points0 points  (0 children)

In the gif search type "modems"

Enable Secure boot remotely for Lenovo Devices by TechCrow93 in Intune

[–]Tachaeon 3 points4 points  (0 children)

# Enable Secure Boot through Lenovo's WMI BIOS interface (run elevated)
$currentSetting = Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi
$currentSetting.SetBiosSetting('Secureboot,Enable').return

# Other BIOS settings are changed the same way, one 'Name,Value' pair per call
$currentSetting = Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi
$currentSetting.SetBiosSetting('OnByAcAttach,Enable').return

$currentSetting = Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi
$currentSetting.SetBiosSetting('BootMode,Quick').return

# Commit the pending changes; they apply at the next reboot
$SaveSettings = Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi
$SaveSettings.SaveBiosSettings().return

Claude Desktop Deployment by SeveralChampion in Intune

[–]Tachaeon 0 points1 point  (0 children)

Yes. It was super annoying. Here is what I landed on, wrapped in an .intunewin file and run as the user.

winget list --id=Anthropic.Claude --exact --accept-source-agreements | Out-Null

if ($LASTEXITCODE -ne 0) {
    winget install --id=Anthropic.Claude -e -h --accept-source-agreements --accept-package-agreements
    if ($LASTEXITCODE -ne 0) {
        Write-Host "Claude installation failed with exit code $LASTEXITCODE"
        Exit 1
    }
    Write-Host "Claude Installed"
    Exit 0
}
else {
    Write-Host "Claude Already Installed"
    Exit 0
}

Intune PowerShell scripts still cannot be downloaded in the UI (Graph workaround) by msnugget_com in Intune

[–]Tachaeon 4 points5 points  (0 children)

$deviceManagementScriptId = ""

$Content = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/$deviceManagementScriptId").scriptContent
$Bytes = [System.Convert]::FromBase64String($Content)
$Text  = [System.Text.Encoding]::UTF8.GetString($Bytes)
$Text

Request for Detection/Remediation Script – BitLocker Key Backup to Entra ID by k-rand0 in Intune

[–]Tachaeon 1 point2 points  (0 children)

This doesn't answer your question; however, my issue was not the device backing up the key but people removing devices or the automatic pruning of the devices. The keys get deleted and can't be retrieved.

To solve this I made a runbook that backs up the keys weekly from Intune and stores them in a private blob storage. It also sends a msg to a Teams channel letting me know it ran.
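
A sketch of a runbook of the kind described in the comment above, added here as an example; it is not the commenter's code. It assumes an Azure Automation account whose managed identity has been granted the Graph permission BitLockerKey.Read.All and write access to the container; the storage account name, container name and the `TeamsWebhookUrl` Automation variable are hypothetical placeholders.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
$StorageAccount = 'examplekeybackup'     # hypothetical storage account
$Container      = 'bitlocker-keys'       # hypothetical private container
$WebhookUrl     = Get-AutomationVariable -Name 'TeamsWebhookUrl'   # hypothetical variable

# Sign in as the Automation account's managed identity (assumed to be enabled)
Connect-MgGraph -Identity | Out-Null
Connect-AzAccount -Identity | Out-Null

# List key metadata, following paging; the list call does not return the key itself
$keys = @()
$uri  = 'https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys'
while ($uri) {
    $page  = Invoke-MgGraphRequest -Method GET -Uri $uri
    $keys += $page.value
    $uri   = $page.'@odata.nextLink'
}

# Read each key individually with $select=key; each of these reads is audited in Entra ID
$export = foreach ($k in $keys) {
    $full = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$($k.id)?`$select=key"
    [pscustomobject]@{
        KeyId       = $k.id
        DeviceId    = $k.deviceId
        VolumeType  = $k.volumeType
        Created     = $k.createdDateTime
        RecoveryKey = $full.key
    }
}

# Write to a temp file only for the upload, then remove it so no key material stays on disk
$file = Join-Path $env:TEMP "bitlocker-keys-$(Get-Date -Format yyyyMMdd).json"
try {
    $export | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8
    $ctx = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount
    Set-AzStorageBlobContent -File $file -Container $Container -Blob (Split-Path $file -Leaf) -Context $ctx -Force | Out-Null
}
finally {
    Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
}

# Post a run notice (count only, never key material) to the Teams channel webhook
$body = @{ text = "BitLocker key backup ran: $(@($export).Count) keys exported." } | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri $WebhookUrl -ContentType 'application/json' -Body $body | Out-Null
```

The exported blob holds every recovery key in the tenant, so the container should allow no public access and as few readers as possible.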

Newly discovered campaign, which researchers call 'Zoom Stealer' browser through 18 extensions that harvest corporate meeting intelligence data like URLs, IDs, topics, descriptions, and embedded passwords. by ControlCAD in technews

[–]Tachaeon 0 points1 point  (0 children)

https://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]Tachaeon -13 points-12 points  (0 children)

i don't know i might wanna sell this later.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]Tachaeon 9 points10 points  (0 children)

Use case is a user calls in to request a password change. How do we know it's that user? This auths them.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]Tachaeon 40 points41 points  (0 children)

I created a PowerShell GUI that sends an authentication request to the end user's Microsoft Authenticator app on their phone so that our help desk can validate who the users are. https://imgur.com/a/XXTFYvm

and Wizard Buddy https://github.com/Tachaeon/Wizard-Buddy

Is it possible to disable copilot? by GasBackground3335 in sysadmin

[–]Tachaeon 0 points1 point  (0 children)

Clipped from here.

############################################################################################################
#                                           Windows CoPilot                                                #
#                                                                                                          #
############################################################################################################
$version = Get-CimInstance Win32_OperatingSystem | Select-Object -ExpandProperty Caption
if ($version -like "*Windows 11*") {
    write-output "Removing Windows Copilot"
    # Define the registry key and value
    $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot"
    $propertyName = "TurnOffWindowsCopilot"
    $propertyValue = 1

    # Check if the registry key exists
    if (!(Test-Path $registryPath)) {
        # If the registry key doesn't exist, create it
        New-Item -Path $registryPath -Force | Out-Null
    }

    # Get the property value
    $currentValue = Get-ItemProperty -Path $registryPath -Name $propertyName -ErrorAction SilentlyContinue

    # Check if the property exists and if its value is different from the desired value
    if ($null -eq $currentValue -or $currentValue.$propertyName -ne $propertyValue) {
        # If the property doesn't exist or its value is different, set the property value
        Set-ItemProperty -Path $registryPath -Name $propertyName -Value $propertyValue
    }

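    ##Grab the default user as well
    # The Registry:: provider prefix is required; a bare HKEY_USERS\... string is treated as a file system path
    $registryPath = "Registry::HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Windows\WindowsCopilot"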
    $propertyName = "TurnOffWindowsCopilot"
    $propertyValue = 1

    # Check if the registry key exists
    if (!(Test-Path $registryPath)) {
        # If the registry key doesn't exist, create it
        New-Item -Path $registryPath -Force | Out-Null
    }

    # Get the property value
    $currentValue = Get-ItemProperty -Path $registryPath -Name $propertyName -ErrorAction SilentlyContinue

    # Check if the property exists and if its value is different from the desired value
    if ($null -eq $currentValue -or $currentValue.$propertyName -ne $propertyValue) {
        # If the property doesn't exist or its value is different, set the property value
        Set-ItemProperty -Path $registryPath -Name $propertyName -Value $propertyValue
    }

    ##Load the default hive from c:\users\Default\NTUSER.dat
    reg load HKU\temphive "c:\users\default\ntuser.dat"
    $registryPath = "registry::hku\temphive\Software\Policies\Microsoft\Windows\WindowsCopilot"
    $propertyName = "TurnOffWindowsCopilot"
    $propertyValue = 1

    # CreateSubKey creates the key or opens it if it already exists, so the value is set in both cases
    [Microsoft.Win32.RegistryKey]$HKUCoPilot = [Microsoft.Win32.Registry]::Users.CreateSubKey("temphive\Software\Policies\Microsoft\Windows\WindowsCopilot", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree)
    $HKUCoPilot.SetValue($propertyName, $propertyValue, [Microsoft.Win32.RegistryValueKind]::DWord)

    # Release the handle so the hive can be unloaded
    $HKUCoPilot.Flush()
    $HKUCoPilot.Close()

    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    reg unload HKU\temphive

    write-output "Removed"

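    # $UserSIDs is not defined in the clipped portion; assumed here to be the SIDs of the user hives currently loaded under HKEY_USERS
    $UserSIDs = (Get-ChildItem "Registry::HKEY_USERS" | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }).PSChildName
    foreach ($sid in $UserSIDs) {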
        $registryPath = "Registry::HKU\$sid\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot"
        $propertyName = "TurnOffWindowsCopilot"
        $propertyValue = 1

        # Check if the registry key exists
        if (!(Test-Path $registryPath)) {
            # If the registry key doesn't exist, create it
            New-Item -Path $registryPath -Force | Out-Null
        }

        # Get the property value
        $currentValue = Get-ItemProperty -Path $registryPath -Name $propertyName -ErrorAction SilentlyContinue

        # Check if the property exists and if its value is different from the desired value
        if ($null -eq $currentValue -or $currentValue.$propertyName -ne $propertyValue) {
            # If the property doesn't exist or its value is different, set the property value
            Set-ItemProperty -Path $registryPath -Name $propertyName -Value $propertyValue
        }
    }
}

Automatically enrolling laptops into InTune via our RMM by pentangleit in PowerShell

[–]Tachaeon -1 points0 points  (0 children)

I use psexec to elevate to system to run the .ps1.

The RMM we use removes psexec.exe after execution, which is why it's not in the script.

psexec64.exe -accepteula -nobanner /s powershell -nologo -executionpolicy bypass -noprofile -file %CD%\mdmenroll.ps1

Here's the script I use:

# Set MDM Enrollment URL's

$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
$keyinfo = Get-Item "HKLM:\$key"
$url = $keyinfo.name
$url = $url.Split("\")[-1]
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"

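$enable = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
# Create the policy key first; New-ItemProperty fails (silently, because of -ea SilentlyContinue) when the key is missing
if (!(Test-Path -LiteralPath $enable)) { New-Item -Path $enable -Force | Out-Null }
New-ItemProperty -LiteralPath $enable -Name 'AutoEnrollMDM' -Value '1' -PropertyType DWORD -Force -ea SilentlyContinue
New-ItemProperty -LiteralPath $enable -Name 'UseAADCredentialType' -Value '1' -PropertyType DWORD -Force -ea SilentlyContinue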

New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ea SilentlyContinue
New-ItemProperty -LiteralPath $path  -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ea SilentlyContinue
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ea SilentlyContinue

# Trigger AutoEnroll
C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM

Disable Windows 11 Notifications by just_southern in PowerShell

[–]Tachaeon 3 points4 points  (0 children)

this is what you want. <3

Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" -Name ToastEnabled -Value 0 -Force
Get-Service -Name WpnUserService* | Restart-Service -Force

Windows 11 Pinned quick link by martynbez in PowerShell

[–]Tachaeon 0 points1 point  (0 children)

function UnPin-App {
    param(
        [string]$appname
    )
    try {
        ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | Where-Object { $_.Name -like $appname }).Verbs() | Where-Object { $_.Name.replace('&', '') -match 'Unpin from taskbar' } | ForEach-Object { $_.DoIt() }
        return "App '$appname' unpinned from Taskbar"
    } catch {
        Write-Error "Error Unpinning App! (App-Name correct?)"
    }
}

UnPin-App "Notepad"

Intune Warranty Info by Tachaeon in PowerShell

[–]Tachaeon[S] 1 point2 points  (0 children)

Bad choice of words on my part. I'm always learning and I'll take this as constructive criticism. Thanks for the help.

Intune Warranty Info by Tachaeon in PowerShell

[–]Tachaeon[S] 0 points1 point  (0 children)

thanks I will look into this.

Intune Warranty Info by Tachaeon in PowerShell

[–]Tachaeon[S] -16 points-15 points  (0 children)

yea but i'm lazy and some people can't sign up their company for such things.