Bill Wilder codingoutloud

## az-sub-list.sh
#!/bin/bash
# Bill Wilder, 13-June-2024
# Consider applying "chmod u+x az-sub-list.sh" or similar to a local copy of this file as you see fit.
# If not being invoked from Azure Shell you need to ensure you have authenticated via "az login" before running.

az account list --query '[].{Name:name, ID:id}' --output tsv | awk -F'\t' '{print "Azure Subscription ID \"" $2 "\" is for Subscription named \"" $1 "\""}'

USERNAME=$(az account show --query '{Name:user.name}' --output tsv)
DEFSUB=$(az account list --query '[?isDefault].{Name:name}' --output tsv)

## foo.json
{
   "days": 42
}

## mimikatz-lab-helpers.txt
# For educational purposes only

## STEP 0 - Create a Windows VM in the cloud, such as a Windows 2016 Server in Azure, with RDP enabled

Log in via RDP

Open PowerShell as Administrator

if you want to download local PowerShell help to poke around:
Get-Help curl

## who-vm.sh
#!/bin/bash

rgName=qu-rg

# comment out setting of the VM name to instead use the resource group (more results may be returned)
# you can also change the VM name here to focus on a different VM
###vmName=qu-sam-vm

if [ -z "${vmName}" ]; then
   # if vmName is not set, use the resource group

## puml.sh
#!/bin/bash
# Mostly this script exists to simply make it possible/simple to do "puml.sh foo.puml" to create "foo.png" from command line.
#
# If you want it even simpler - "puml foo.puml" (no ".sh" extension) consider using an alias.
# Here is example for .bash_profile:
#    alias puml=~/bin/puml.sh

for ARG in "$@"
do
   if [ "$ARG" = "v" ]; then

## azipcheck.sh
#!/bin/bash

if [ $# -eq 1 ]; then
   IP="$1"

   ## NEED AN AZURE MAP API KEY
   ## Create an Azure Map account in the Azure portal to get a new APIKEY.
   AZUREMAP_APIKEY='...'

   ## Azure Map API to look up the COUNTRY (two-char ISO) of the IP

## azure-activity-log-security.json
<!--
Actual activity-log entry, redacted (...) and anonymized.
category = "Security"
level = "Informational"

The threatName and threatID values under properties match this:
     https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FConteban.A!ml&threatid=2147735508
-->

{

## getRandomInt.js
// Return a random integer in [0..max] (inclusive, so 0 and max are valid values).
// Assumes (but does not validate) that max is a non-negative integer less than Number.MAX_SAFE_INTEGER.
// Does not use a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).
function getRandomInt(max) {
  return Math.floor(Math.random() * (max + 1));

  // How it works:
  //       Math.random()            → returns a floating point number at least zero but less than one: [0..1)
  //       Math.random() * (max+1)  → returns a floating point number at least 0 but less than (max+1): [0..max+1)
  // floor(Math.random() * (max+1)) → returns an integer at least 0 but could be as high as max: [0..max]

## myip.py
# OpenDNS resolves "myip.opendns.com" to the caller's publicly-facing IP.
# To use this feature, resolve that DNS name against an OpenDNS name server.

# https://github.com/rthalley/dnspython
# pip install dnspython

import dns.resolver

resolver = dns.resolver.Resolver()

## check-azure-sql-db-logins.sql
-- Turn on Audit Logging to Blob for your Azure SQL Database. Then you can query who has logged in.
-- The example below assumes DB Server-level audit logging. Details will vary slightly for Database-level audit logging.
-- The example below shows who logged in so far today.
-- Change "-0" to "-1" to look at yesterday (from a UTC perspective, not your local timezone).
-- Change "-0" to "-100" to look at 100 days ago.
SELECT FORMATMESSAGE('%s (%s)', CAST(DATEADD(day, -0, CONVERT(date, SYSUTCDATETIME())) as varchar),
                      DATENAME(WEEKDAY, DATEADD(day, -0, SYSUTCDATETIME()))),
       server_principal_name,
       COUNT(server_principal_name) as 'Logins'
FROM sys.fn_get_audit_file(FORMATMESSAGE('https://<MYBLOB>.blob.core.windows.net/sqldbauditlogs/<MYDBSERVER>/<MYDB>/SqlDbAuditing_ServerAudit/%s/',
	#!/bin/bash
	# Bill Wilder, 13-June-2024
	# Consider applying "chmod u+x az-sub-list.sh" or similar to a local copy of this file as you see fit.
	# If not being invoked from Azure Shell you need to ensure you have authenticated via "az login" before running.

	az account list --query '[].{Name:name, ID:id}' --output tsv \| awk -F'\t' '{print "Azure Subscription ID \"" $2 "\" is for Subscription named \"" $1 "\""}'

	USERNAME=$(az account show --query '{Name:user.name}' --output tsv)
	DEFSUB=$(az account list --query '[?isDefault].{Name:name}' --output tsv)
	# For educational purposes only

	## STEP 0 - Create a Windows VM in the cloud, such as a Windows 2016 Server in Azure, with RDP enabled

	Log in via RDP

	Open PowerShell as Administrator

	if you want to download local PowerShell help to poke around:
	Get-Help curl
	#!/bin/bash

	rgName=qu-rg

	# comment out setting of the VM name to instead use the resource group (more results may be returned)
	# you can also change the VM name here to focus on a different VM
	###vmName=qu-sam-vm

	if [ -z "${vmName}" ]; then
	# if vmName is not set, use the resource group
	#!/bin/bash
	# Mostly this script exists to simply make it possible/simple to do "puml.sh foo.puml" to create "foo.png" from command line.
	#
	# If you want it even simpler - "puml foo.puml" (no ".sh" extension) consider using an alias.
	# Here is example for .bash_profile:
	# alias puml=~/bin/puml.sh

	for ARG in "$@"
	do
	if [ "$ARG" = "v" ]; then
	#!/bin/bash

	if [ $# -eq 1 ]; then
	IP="$1"

	## NEED AN AZURE MAP API KEY
	## Create an Azure Map account in the Azure portal to get a new APIKEY.
	AZUREMAP_APIKEY='...'

	## Azure Map API to look up the COUNTRY (two-char ISO) of the IP
	<!--
	Actual activity-log entry, redacted (...) and anonymized.
	category = "Security"
	level = "Informational"

	The threatName and threatID values under properties match this:
	https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FConteban.A!ml&threatid=2147735508
	-->

	{
	// Return a random integer in [0..max] (inclusive, so 0 and max are valid values).
	// Assumes (but does not validate) that max is a non-negative integer less than Number.MAX_SAFE_INTEGER.
	// Does not use a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).
	function getRandomInt(max) {
	return Math.floor(Math.random() * (max + 1));

	// How it works:
	// Math.random() → returns a floating point number at least zero but less than one: [0..1)
	// Math.random() * (max+1) → returns a floating point number at least 0 but less than (max+1): [0..max+1)
	// floor(Math.random() * (max+1)) → returns an integer at least 0 but could be as high as max: [0..max]
	# OpenDNS resolves "myip.opendns.com" to the caller's publicly-facing IP.
	# To use this feature, resolve that DNS name against an OpenDNS name server.

	# https://github.com/rthalley/dnspython
	# pip install dnspython

	import dns.resolver

	resolver = dns.resolver.Resolver()
	-- Turn on Audit Logging to Blob for your Azure SQL Database. Then you can query who has logged in.
	-- The example below assumes DB Server-level audit logging. Details will vary slightly for Database-level audit logging.
	-- The example below shows who logged in so far today.
	-- Change "-0" to "-1" to look at yesterday (from a UTC perspective, not your local timezone).
	-- Change "-0" to "-100" to look at 100 days ago.
	SELECT FORMATMESSAGE('%s (%s)', CAST(DATEADD(day, -0, CONVERT(date, SYSUTCDATETIME())) as varchar),
	DATENAME(WEEKDAY, DATEADD(day, -0, SYSUTCDATETIME()))),
	server_principal_name,
	COUNT(server_principal_name) as 'Logins'
	FROM sys.fn_get_audit_file(FORMATMESSAGE('https://<MYBLOB>.blob.core.windows.net/sqldbauditlogs/<MYDBSERVER>/<MYDB>/SqlDbAuditing_ServerAudit/%s/',