# convert service types
$sku_lookup1 = @{
1 ="KernelDriver"
2 = "FileSystemDriver"
4 ="Adapter"
8 = "RecognizerDriver"
16= "Win32OwnProcess"
32 ="Win32ShareProcess"
48 = "Win32"
alexverboon / ignitesessionfinder.ps1
Last active Nov 1, 2020
PowerShell session finder for Ignite and video hub
# video hub: https://techcommunity.microsoft.com/t5/video-hub/bd-p/VideoHub
# Ignite API: - https://api.myignite.microsoft.com/api/session/all
# Fetch the complete Ignite session catalogue and parse the JSON response body.
$ALLSESSIONS = Invoke-WebRequest -Uri "https://api.myignite.microsoft.com/api/session/all"
$sessions = ConvertFrom-Json -InputObject $ALLSESSIONS.Content;
# Solution Areas: one row per distinct SolutionArea value, sorted alphabetically.
$sessions |
    Select-Object -ExpandProperty SolutionArea |
    Group-Object |
    Select-Object -Property Name |
    Sort-Object -Property Name
# Search Samples
alexverboon / localgroupmembershipchanges.kql
Created Sep 6, 2020
Hunting for local group membership changes
// Directory identities with friendly column names (domain/account plus both the
// on-prem and cloud SIDs); presumably joined later against DeviceEvents to
// enrich local-group changes — the rest of the query is outside this preview.
let ADAZUsers = IdentityInfo
| extend DirectoryDomain = AccountDomain, DirectoryAccount = AccountName
| distinct DirectoryDomain, DirectoryAccount, OnPremSid, CloudSid, AccountUpn, GivenName, Surname;
// check for any newly created or modified local accounts
let NewUsers = DeviceEvents
| where ActionType contains "UserAccountCreated" // or ActionType contains "UserAccountModified"
| extend lUserAdded = AccountName
| extend NewUserSID = AccountSid
| extend laccountdomain = AccountDomain
// define known tasks
let knowntasks = dynamic (["Windows Defender Cleanup",
"Windows Defender Scheduled Scan",
"Windows Defender Verification",
"Windows Defender Cache Maintenance",
@"\MicrosoftEdgeUpdateBrowserReplacementTask",
@"\MicrosoftEdgeUpdateTaskMachineUA",
@"\MicrosoftEdgeUpdateBrowserReplacementTask",
@"\MicrosoftEdgeUpdateTaskMachineCore",
@"\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults",
alexverboon / New-KQPSModuleFunctions.ps1
Created Jul 10, 2020
Generate KQL with PowerShell
function New-KQPSModuleFunctions
{
<#
.Synopsis
New-KQPSModulecmdlets
.DESCRIPTION
New-KQPSModulecmdlets creates kusto query to search for PowerShell commands
included in the specified PowerShell module name
.PARAMETER ModuleName
The name of the PowerShell module
alexverboon / T1089 - Disabling Security Tools - sc.kql
Created May 31, 2020
T1089 - Disabling Security Tools - using sc
// T1089 - Disabling Security Tools
// https://attack.mitre.org/techniques/T1089/
search in (DeviceProcessEvents)
FileName == "sc.exe"
| where ProcessCommandLine has_any ("stop Wuauserv","stop WinDefend","stop wscsvc","stop mpssvc" ,"stop Sense","stop WdNisSvc","stop DiagTrack","stop gpsvc")
| extend SecurityTool = iff(ProcessCommandLine contains "stop wuauserv","Windows Update"
,iff(ProcessCommandLine contains "stop WinDefend","Windows Defender",iff(ProcessCommandLine contains "stop wscsvc", "Defender Security Center"
,iff(ProcessCommandLine contains "stop mpssvc","Defender Firewall",iff(ProcessCommandLine contains "stop WdNisSvc","Defender Antivirus Network Inspection"
,iff(ProcessCommandLine contains "stop diagtrack","Telemetry",iff(ProcessCommandLine contains "stop gpsvc","Group Policy"
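# Ensure the Hawk module is installed for the current user.
# Get-Module without -ListAvailable only reports modules already imported into
# the running session, so an installed-but-not-yet-imported Hawk would be
# re-installed on every run; -ListAvailable checks what is present on disk.
If (-not (Get-Module -ListAvailable -Name "Hawk"))
{
    # Installs from the registered PowerShell repositories (PSGallery by default),
    # scoped to the current user so no elevation is required.
    Install-Module -Name "Hawk" -Scope CurrentUser
}
Else
{
    Write-Output "Hawk Module is already installed"
}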
# Marker script: announces that it was loaded, then RunMe reports the argument
# it was invoked with and waits for a keypress.
Write-Host "I was just downloaded"

Function RunMe ($Param1)
{
    Write-Host "And executed with $Param1"
    Pause
}
# Marker script: prints on load, then echoes the argument it was given.
Write-host "I was just downloaded"
# NOTE(review): a Param() block after a statement is not valid at script scope —
# presumably the enclosing function header was lost in this preview; confirm
# against the full gist revision.
Param(
$Param1
)
write-host "And executed with $Param1"
pause
# Marker line printed when the script is loaded.
Write-Host -Object "I was just downloaded"