


Alex Verboon alexverboon

View servicetypes.ps1
# convert service types
$sku_lookup1 = @{
1 ="KernelDriver"
2 = "FileSystemDriver"
4 ="Adapter"
8 = "RecognizerDriver"
16= "Win32OwnProcess"
32 ="Win32ShareProcess"
48 = "Win32"
alexverboon / ignitesessionfinder.ps1
Last active Nov 1, 2020
PowerShell session finder for Ignite and video hub
# video hub:
# Ignite API: -
# NOTE(review): the -Uri below is empty in this listing (the endpoint appears to have been
# stripped) — supply an https:// URL before running. The response body is parsed as JSON
# and trusted for the rest of the script, so do not point this at a plain-http source.
$ALLSESSIONS = Invoke-WebRequest -Uri ""
# Turn the downloaded session catalogue into PowerShell objects.
$sessions = $ALLSESSIONS | ConvertFrom-Json;
# Solution Areas
# One row per distinct SolutionArea value (Group-Object collapses duplicates), sorted by name.
$sessions | Select-Object -ExpandProperty SolutionArea | Group-Object | Select-Object Name | Sort-Object -Property Name
# Search Samples
alexverboon / localgroupmembershipchanges.kql
Created Sep 6, 2020
Hunting for local group membership changes
// Directory identities (on-prem and cloud) reduced to the identifier columns the hunt
// joins on. Renaming and then taking distinct tuples collapses any repeated account rows.
let ADAZUsers = IdentityInfo
| project-rename DirectoryDomain = AccountDomain, DirectoryAccount = AccountName
| distinct DirectoryDomain, DirectoryAccount, OnPremSid, CloudSid, AccountUpn, GivenName, Surname;
// check for any new created or modified local accounts
let NewUsers = DeviceEvents
| where ActionType contains "UserAccountCreated" // or ActionType contains "UserAccountModified"
| extend lUserAdded = AccountName
| extend NewUserSID = AccountSid
| extend laccountdomain = AccountDomain
View T1053 - Scheduled Tasks.kql
// define known tasks
let knowntasks = dynamic (["Windows Defender Cleanup",
"Windows Defender Scheduled Scan",
"Windows Defender Verification",
"Windows Defender Cache Maintenance",
alexverboon / New-KQPSModuleFunctions.ps1
Created Jul 10, 2020
Generate KQL with PowerShell
function New-KQPSModuleFunctions
New-KQPSModulecmdlets creates kusto query to search for PowerShell commands
included in the specified PowerShell module name
The name of the PowerShell module
alexverboon / T1089 - Disabling Security Tools - sc.kql
Created May 31, 2020
T1089 (deprecated in ATT&CK; now T1562.001 Impair Defenses: Disable or Modify Tools) - Disabling Security Tools - using sc
// T1089 - Disabling Security Tools
search in (DeviceProcessEvents)
FileName == "sc.exe"
| where ProcessCommandLine has_any ("stop Wuauserv","stop WinDefend","stop wscsvc","stop mpssvc" ,"stop Sense","stop WdNisSvc","stop DiagTrack","stop gpsvc")
| extend SecurityTool = iff(ProcessCommandLine contains "stop wuauserv","Windows Update"
,iff(ProcessCommandLine contains "stop WinDefend","Windows Defender",iff(ProcessCommandLine contains "stop wscsvc", "Defender Security Center"
,iff(ProcessCommandLine contains "stop mpssvc","Defender Firewall",iff(ProcessCommandLine contains "stop WdNisSvc","Defender Antivirus Network Inspection"
,iff(ProcessCommandLine contains "stop diagtrack","Telemetry",iff(ProcessCommandLine contains "stop gpsvc","Group Policy"
View Hawk.ps1
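# Check if Hawk is installed.
# Get-Module without -ListAvailable only reports modules already imported into the
# current session, so the original test would trigger a re-install in every fresh
# session even when Hawk is present on disk; -ListAvailable checks the module path.
If (!(Get-Module -ListAvailable -Name "Hawk")) {
    # Supply-chain note: this pulls Hawk from the default repository (normally PSGallery).
    # For anything beyond an ad-hoc investigation host, pin -RequiredVersion and
    # -Repository and verify the module's publisher/signature before trusting it.
    Install-Module -Name "Hawk" -Scope CurrentUser
}
else {
    Write-Output "Hawk Module is already installed"
}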
View TestDL.ps1
Write-host "I was just downloaded"
Function RunMe{
write-host "And executed with $Param1"
View TestDL.ps1
Write-host "I was just downloaded"
write-host "And executed with $Param1"
View TestDL.ps1
Write-host "I was just downloaded"