alexverboon

# convert service types

$sku_lookup1 = @{
1 ="KernelDriver"
2 = "FileSystemDriver"
4 ="Adapter"
8 = "RecognizerDriver"
16= "Win32OwnProcess"
32 ="Win32ShareProcess"
48 = "Win32"

alexverboon

# video hub:  https://techcommunity.microsoft.com/t5/video-hub/bd-p/VideoHub
# Ignite API: - https://api.myignite.microsoft.com/api/session/all

$ALLSESSIONS = Invoke-WebRequest -Uri "https://api.myignite.microsoft.com/api/session/all"
$sessions = $ALLSESSIONS | ConvertFrom-Json;

# Solution Areas
$sessions | Select-Object -ExpandProperty SolutionArea  | Group-Object | Select-Object Name | Sort-Object -Property Name

# Search Samples

alexverboon

let ADAZUsers =  IdentityInfo 
| extend DirectoryDomain = AccountDomain 
| extend DirectoryAccount = AccountName 
| distinct DirectoryDomain , DirectoryAccount , OnPremSid , CloudSid, AccountUpn, GivenName, Surname;
 // check for any new created or modified local accounts 
let NewUsers =  DeviceEvents
| where ActionType contains "UserAccountCreated"  // or ActionType contains "UserAccountModified"
| extend lUserAdded = AccountName
| extend NewUserSID = AccountSid
| extend laccountdomain = AccountDomain

alexverboon

 // define known tasks
 let knowntasks = dynamic (["Windows Defender Cleanup",
 "Windows Defender Scheduled Scan",
 "Windows Defender Verification",
 "Windows Defender Cache Maintenance",
 @"\MicrosoftEdgeUpdateBrowserReplacementTask",
 @"\MicrosoftEdgeUpdateTaskMachineUA",
 @"\MicrosoftEdgeUpdateBrowserReplacementTask",
 @"\MicrosoftEdgeUpdateTaskMachineCore",
 @"\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults",

alexverboon

function New-KQPSModuleFunctions
{
<#
.Synopsis
   New-KQPSModulecmdlets
.DESCRIPTION
   New-KQPSModulecmdlets creates kusto query to search for PowerShell commands
   included in the specified PowerShell module name
.PARAMETER ModuleName
    The name of the PowerShell module

alexverboon

// T1089 - Disabling Security Tools
// https://attack.mitre.org/techniques/T1089/

search in (DeviceProcessEvents)
FileName == "sc.exe"
| where ProcessCommandLine has_any ("stop Wuauserv","stop WinDefend","stop wscsvc","stop mpssvc" ,"stop Sense","stop WdNisSvc","stop DiagTrack","stop gpsvc")
| extend SecurityTool = iff(ProcessCommandLine contains "stop wuauserv","Windows Update"
,iff(ProcessCommandLine contains "stop WinDefend","Windows Defender",iff(ProcessCommandLine contains "stop wscsvc", "Defender Security Center"
,iff(ProcessCommandLine contains "stop mpssvc","Defender Firewall",iff(ProcessCommandLine contains "stop WdNisSvc","Defender Antivirus Network Inspection"
,iff(ProcessCommandLine contains "stop diagtrack","Telemetry",iff(ProcessCommandLine contains "stop gpsvc","Group Policy"

alexverboon

# Check if Hawk is installed
If(!(Get-Module "Hawk"))
{
    Install-Module -Name "Hawk" -scope CurrentUser
}
Else
{
    Write-Output "Hawk Module is already installed"
}

alexverboon

Write-host "I was just downloaded"

Function RunMe{
Param(
  $Param1
)

write-host "And executed with $Param1"
pause
}

alexverboon

Write-host "I was just downloaded"

Param(
  $Param1
)

write-host "And executed with $Param1"
pause

alexverboon

Write-host "I was just downloaded"