Daniel Streefkerk dstreefkerk

@dstreefkerk
dstreefkerk / ConditionalAccess-SignIns-ReportOnly.txt
Last active Apr 30, 2020
KQL Query to retrieve all Azure AD sign-ins that failed a Conditional Access policy in Report-Only mode
View ConditionalAccess-SignIns-ReportOnly.txt
// Get sign-in logs for any Report-Only Conditional Access policies where the result = reportOnlyFailure
SigninLogs
| mv-expand ConditionalAccessPolicies
| where ConditionalAccessPolicies["result"] == "reportOnlyFailure"
| project TimeGenerated, Identity, UserPrincipalName,
    AzureADApplication = AppDisplayName,
    ClientApplication = ClientAppUsed,
    ClientBrowser = DeviceDetail.browser,
    ClientOperatingSystem = DeviceDetail.operatingSystem,
    ClientIPAddress = IPAddress,
    ClientUserAgent = UserAgent,
    ConditionalAccessPolicyName = ConditionalAccessPolicies["displayName"],
    ConditionalAccessPolicyID = ConditionalAccessPolicies["id"]
@dstreefkerk
dstreefkerk / Copy-Shrug.ps1
Created Feb 14, 2020
Put this into your PowerShell profile file for an offline version of www.copyshrug.com.
View Copy-Shrug.ps1
function Copy-Shrug {
    "¯\_(ツ)_/¯" | Set-Clipboard
    Write-Output "Shrug copied to clipboard"
}
New-Alias -name 'cps' -Value Copy-Shrug
@dstreefkerk
dstreefkerk / Get-MachineAccountQuotaUsers.ps1
Created Jan 29, 2020
Gets a list of AD computers that were created by regular users exercising their default right to create up to 10 computer accounts in an AD domain
View Get-MachineAccountQuotaUsers.ps1
$machineAccountQuotaComputers = Get-ADComputer -filter {ms-DS-CreatorSID -ne "$null"} -Properties ms-DS-CreatorSID,Created
foreach ($machine in $machineAccountQuotaComputers) {
    $creator = $null
    try {
        $creator = [System.Security.Principal.SecurityIdentifier]::new($machine.'ms-DS-CreatorSID').Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        $creator = $machine.'ms-DS-CreatorSID'
    }
@dstreefkerk
dstreefkerk / CSVGridView.bat
Created Nov 8, 2019
Batch file that enables a CSV to be dragged/dropped and then opened in a PowerShell GridView. Requires the PowerShell ISE to be installed.
View CSVGridView.bat
@echo off
IF "%~1"=="" GOTO NOFILE
set CSVPATH=%~1
ECHO Loading CSV %CSVPATH%
powershell.exe -NoProfile -NoExit -NoLogo -Command "if ((Test-Path $env:CSVPATH -PathType Leaf) -and ($env:CSVPATH -like '*.csv')) {Import-Csv -Path $env:CSVPATH | Out-GridView -Wait -Title $env:CSVPATH};exit"
GOTO END
:NOFILE
@dstreefkerk
dstreefkerk / dfstargets.ps1
Last active Nov 7, 2019
Get a list of active DFS folder targets under a specific DFS root
View dfstargets.ps1
Get-DfsnFolder -Path \\internal.contoso.com\dfsroot\* | Get-DfsnFolderTarget | ? {$_.State -eq "Online"} | Group-Object -Property Path | ForEach-Object {$_.group[0]}
@dstreefkerk
dstreefkerk / Get-AussieGovDomains.ps1
Created Jul 9, 2019
Retrieve a list of Australian government (.gov.au) domains from the CKAN Data API at https://data.gov.au/
View Get-AussieGovDomains.ps1
<#
.DESCRIPTION
Retrieve a list of Australian government (.gov.au) domains from the CKAN Data API at https://data.gov.au/
#>
# https://data.gov.au/dataset/ds-dga-4d5301b2-bc64-4774-b437-56a408836e57/details
$dataUri = 'https://data.gov.au/data/api/3/action/datastore_search?resource_id=507f8129-b84c-4215-ae7d-5aca364e4a0e&limit=2000'
# Basic function to strip the URL down to the bare FQDN
View Invoke-QuerySpfViaCloudflareDoh.ps1
# Retrieve SPF records for a domain via Cloudflare DoH
$domain = 'example.com'
$result = Invoke-RestMethod -Uri "https://cloudflare-dns.com/dns-query?name=$domain&type=TXT" -Headers @{'accept'='application/dns-json'}
# Put $null on the left so the comparison is a scalar null test even when the value is an array
if ($null -ne $result) {
    if ($null -ne $result.answer) {
        $result.answer | Select-Object -ExpandProperty data | Where-Object {$_ -like '*v=spf1*'}
    }
}
@dstreefkerk
dstreefkerk / Invoke-SpeechPrank.ps1
Last active May 15, 2019
Some PowerShell pranking fun. Combine with PSRemoting to confuse your co-workers. I've not used this since 2014, so I don't know if it still works.
View Invoke-SpeechPrank.ps1
Add-Type -TypeDefinition @'
using System.Runtime.InteropServices;
[Guid("5CDF2C82-841E-4546-9722-0CF74078229A"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
interface IAudioEndpointVolume {
    // f(), g(), ... are unused COM method slots. Define these if you care
    int f(); int g(); int h(); int i();
    int SetMasterVolumeLevelScalar(float fLevel, System.Guid pguidEventContext);
    int j();
    int GetMasterVolumeLevelScalar(out float pfLevel);
@dstreefkerk
dstreefkerk / Invoke-RegexReplaceTest.ps1
Created Apr 27, 2019
Some simple character replacement via Regex in PowerShell
View Invoke-RegexReplaceTest.ps1
# Regex Examples with -Replace
$testString = "ABCabc 123456_!#$%"
Write-Host "Remove all numbers in a string" -ForegroundColor Yellow
"Before: $testString"
"After: $($testString -replace '\d')"
""
Write-Host "Remove everything but numbers from a string" -ForegroundColor Yellow
"Before: $testString"
@dstreefkerk
dstreefkerk / New-ContosoUser.ps1
Created Apr 27, 2019
Generate a new AD User based upon a few specific requirements
View New-ContosoUser.ps1
# Requirements
#
# 1. Inputs - First Name, Last Name
#
# 2. SamAccountName and CN must be in firstname.lastname format
# 3. UPN must be in firstname.lastname@contoso.com format
# 4. If a user already exists with the same UPN or SamAccountName, add a number to the end or increment the existing number
function New-ContosoUser ([string]$FirstName,[string]$LastName) {
    $maxUsersPerName = 100