Alex Verboon alexverboon
@alexverboon
alexverboon / WinConfigRefresh.md
Created August 15, 2024 11:49
Microsoft Intune - Windows 11 - ConfigRefresh

Config Refresh - PowerShell stuff

Get Config Refresh Events from the Event Log

# Define the event log name
$logName = "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"

# Define the event IDs you want to retrieve (4200 through 4214)
$eventIDs = @(4200, 4201, 4202) + (4203..4214)

# Retrieve the matching events (the listing is cut off after the variable definitions;
# this query is the completion needed to actually read the log)
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $eventIDs } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Get Entra ID Device Info around registration and Management
# Devices with ManagementType 'MicrosoftSense' are managed with MDE Settings Management.
# Devices with OperatingSystem 'Windows Server' are also managed by MDE Settings Management.
$Result = [System.Collections.ArrayList]::new()
$AllDevices = Get-MgDevice -All
foreach ($Device in $AllDevices) {
    $DeviceDetail = $Device.AdditionalProperties
    $object = [PSCustomObject]@{
        DeviceName = $Device.DisplayName
        # the remaining properties are cut off in this listing
    }
    [void]$Result.Add($object)
}
$Result
@alexverboon
alexverboon / mde_installer.sh
Created April 24, 2023 21:34
MDE Linux Installer
#!/bin/bash
#============================================================================
#
# Copyright (c) 2021 Microsoft Corporation. All rights reserved.
#
# Abstract:
# MDE installation script
# - Fingerprinting OS and manually installs MDE as described in the online documentation
# https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
@alexverboon
alexverboon / macos mde channel.md
Created August 21, 2022 12:56
MacOS MDE channel

You can check the update channel using the following command: mdatp --health releaseRing

If your device is not already in the InsiderSlow update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).

defaults write com.microsoft.autoupdate2 ChannelName InsiderSlow

@alexverboon
alexverboon / log4jvariable.ps1
Created January 13, 2022 15:22
log4j variable
[Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS", $null, [EnvironmentVariableTarget]::Machine)
@alexverboon
alexverboon / mde_cmpivot.kql
Created December 20, 2021 11:07
CM Pivot for Defender Troubleshooting
// CM Pivot for Defender Troubleshooting
// Defender Event logs
WinEvent('Microsoft-Windows-Windows Defender/Operational', 1d)
// MDE Event logs
WinEvent('Microsoft-Windows-SENSE/Operational', 1d)
// MDE Service Status
Service
| where Name == 'Sense'
@alexverboon
alexverboon / compare-log4j-core hashes
Created December 14, 2021 21:17
Code snippets How To Detect the Log4Shell Vulnerability (CVE-2021-44228) with Microsoft Endpoint Configuration Manager
$log4 = Get-log4files
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$vulnerablesums = -split $(Invoke-WebRequest https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/raw/main/sha256sums.txt -UseBasicParsing).content | ? {$_.length -eq 64}
($log4 | Select-Object).FH | Compare-Object -ReferenceObject $vulnerablesums -IncludeEqual
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$chck = ((invoke-webrequest https://gist.githubusercontent.com/spasam/7b2b2e03c6dd7bd6f1029e88c7cc82ad/raw/ed104b9bed088c04069b3139ae9adbdc9b99b2ac/log4j-core.csv -UseBasicParsing).content | ConvertFrom-Csv -Delimiter "," | Select-Object).sha256
($log4 | Select-Object).FH | Compare-Object -ReferenceObject $chck -IncludeEqual
@alexverboon
alexverboon / Get-log4files.ps1
Created December 14, 2021 21:14
PowerShell script to find log4j-core.jar files
Function Get-log4files(){
    # Only scan fixed drive letters a through e
    $Drives = Get-PSDrive | Select-Object -ExpandProperty 'Name' | Select-String -Pattern '^[a-e]$'
    $FileInfo = [System.Collections.ArrayList]::new()
    $Filetypes = @("*.jar")
    ForEach($DriveLetter in $Drives)
    {
        $Drive = "$DriveLetter" + ":\"
        $Log4Files = Get-ChildItem -Path $Drive -Filter "*log4j-core*" -Include $Filetypes -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName
        Foreach($file in $Log4Files)
        {
            # The listing is cut off here; the loop body is completed so the function runs.
            # FH holds the SHA256 hash that the hash-comparison snippet matches against the known-vulnerable sums.
            $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [void]$FileInfo.Add([PSCustomObject]@{ FullName = $file.FullName; FH = $hash })
        }
    }
    return $FileInfo
}
C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io

Feed: https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt
Columns: IP,Date of Detection,Host,Protocol,Beacon Config,Comment

Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/

// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment
@alexverboon
alexverboon / T1562.001 - Defender Exclusions modification.md
Last active August 14, 2023 07:47
T1562.001 - Defender Exclusions modification

Use the below query to detect Windows Defender exclusion changes.

Query

// T1562.001 - Impair Defenses: Disable or Modify Tools