Daniel Streefkerk dstreefkerk

@dstreefkerk
dstreefkerk / dns_client_log.ps1
Created Mar 21, 2019 — forked from randomvariable/dns_client_log.ps1
DNS Client Logging on Windows
function Start-DNSClientLog {
    $DnsOpLog = Get-WinEvent -ListLog Microsoft-Windows-DNS-Client/Operational
    $DnsOpLog.IsEnabled = $true
    $DnsOpLog.SaveChanges()
}
function Get-DNSClientQueries {
    foreach($event in (get-winevent Microsoft-Windows-DNS-Client/Operational | % { [xml]$_.ToXml() })) {
        $Query = ($event.Event.EventData.Data | Where-Object { $_.Name -eq "QueryName" }).'#text'
@dstreefkerk
dstreefkerk / Invoke-Focus.ps1
Created Mar 20, 2019
Quick little script that's kinda like a browser's "Close other tabs" function, but for Windows apps
# Quick little script that's kinda like a browser's "Close other tabs" function, but for Windows apps
# Drop a reference to this script into your PowerShell profile as follows:
# New-Alias -Name IFM -Value "C:\Scripts\Invoke-Focus.ps1" -Force
#
# USE AT YOUR OWN RISK
#
# Daniel Streefkerk, 2019
#
# If you want it to terminate apps without cleanly closing them, uncomment the last line
@dstreefkerk
dstreefkerk / spiceworks.txt
Created Feb 1, 2019
Some SQLite queries to pull data out of a Spiceworks DB for migration to Freshservice
Not sure if these are still valid, wrote them back in 2015. Might come in handy for somebody.
-------------------------------------------------------------------------------------------------------------
- All comments for a specific ticket
select u.email as created_by, c.body,c.is_public,c.comment_type,c.attachment_location,c.attachment_content_type,c.attachment_name from comments as c
inner join users as u on c.created_by = u.id
where ticket_id = 5500
order by c.created_at
-------------------------------------------------------------------------------------------------------------
@dstreefkerk
dstreefkerk / Get-MsolUserWithSmsOrPhoneMfa.ps1
Created Jan 9, 2019
List all users that have SMS or Phone call as their default MFA method.
Connect-MsolService
$allUsers = Get-MsolUser -MaxResults 100000
$usersWithSmsOrPhoneMfa = @()
foreach ($user in $allUsers) {
    foreach ($method in $user.StrongAuthenticationMethods) {
        # 'OneWaySMS' is SMS and 'TwoWayVoiceMobile' is a phone call ('PhoneAppNotification' is the authenticator app push, not a call)
        if (($method.MethodType -eq 'OneWaySMS') -or ($method.MethodType -eq 'TwoWayVoiceMobile')) {
            if ($method.IsDefault) { $usersWithSmsOrPhoneMfa += $user }
        }
    }
@dstreefkerk
dstreefkerk / Get-LenovoBiosSetting.ps1
Last active May 23, 2018
Retrieves all current BIOS settings, and lists possible values for each setting
$currentSettings = Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi -Filter 'CurrentSetting != ""' | Select-Object -ExpandProperty CurrentSetting | Sort-Object
$allSettings = @()
foreach ($setting in $currentSettings) {
    # Check if Lenovo_GetBiosSelections exists. If not, we're running on a newer system that returns the possible values
    # as part of the current setting value
    $legacyMethodExists = Get-CimClass Lenovo_GetBiosSelections -Namespace root\wmi -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    if ($legacyMethodExists) {
@dstreefkerk
dstreefkerk / Create-X500ProxyAddressFromLegacyExchangeDN.ps1
Created Apr 17, 2018
PowerShell function to create an X500 proxy address from an IMCEAEX NDR
Function Create-X500ProxyAddressFromLegacyExchangeDN($Address) {
    # As per https://support.microsoft.com/en-au/help/2807779/imceaex-non-delivery-report-when-you-send-email-messages-to-an-interna
    $Address = $Address.Replace('_','/')        # Replace any underscore character (_) with a slash character (/)
    $Address = $Address.Replace('+20',' ')      # Replace "+20" with a blank space
    $Address = $Address.Replace('+28','(')      # Replace "+28" with an opening parenthesis character
    $Address = $Address.Replace('+29',')')      # Replace "+29" with a closing parenthesis character.
    $Address = $Address.Replace('IMCEAEX-','')  # Delete the "IMCEAEX-" string
    $Address = $Address.Split('@')[0]           # Delete the "@mgd.domain.com" string
    $Address = "X500:$Address"                  # Add "X500:" at the beginning
    $Address
@dstreefkerk
dstreefkerk / IniFiles-Computer.xml
Created Nov 23, 2017
Group Policy Preferences - INI File Export - To write all GPP Variable names and their values to INI files in %temp%
<?xml version="1.0" encoding="utf-8"?>
<IniFiles clsid="{694C651A-08F2-47fa-A427-34C4F62BA207}"><Ini clsid="{EEFACE84-D3D8-4680-8D4B-BF103E759448}" name="AppDataDir" status="AppDataDir" image="2" bypassErrors="1" changed="2017-11-23 00:56:06" uid="{95D41DAD-AA68-4FD5-83EE-F99F154CF748}"><Properties path="%TempDir%\gpp-variables.ini" section="GPPVariables-Computer" value="%AppDataDir%" property="AppDataDir" action="U"/><Filters></Filters></Ini>
<Ini clsid="{EEFACE84-D3D8-4680-8D4B-BF103E759448}" name="BinaryComputerSid" status="BinaryComputerSid" image="2" bypassErrors="1" changed="2017-11-23 00:56:10" uid="{609ED203-3CBF-4556-8028-F134B1EEF95D}"><Properties path="%TempDir%\gpp-variables.ini" section="GPPVariables-Computer" value="%BinaryComputerSid%" property="BinaryComputerSid" action="U"/><Filters></Filters></Ini>
<Ini clsid="{EEFACE84-D3D8-4680-8D4B-BF103E759448}" name="BinaryUserSid" status="BinaryUserSid" image="2" bypassErrors="1" changed="2017-11-23 00:56:15" uid="{A822EFE8-33E6-4E66-8D13-F194EE50E5A
@dstreefkerk
dstreefkerk / Create-MitigationFirewallRules.ps1
Last active Jun 13, 2018
A script to automatically generate Windows Firewall with Advanced Security outbound rules to prevent malware from being able to dial home.
#Requires -Version 5 -Module NetSecurity -RunAsAdministrator
<#
.SYNOPSIS
Create-MitigationFirewallRules - Creates Windows Firewall rules to mitigate certain app whitelisting bypasses and to prevent command interpreters from accessing the Internet
.DESCRIPTION
A script to automatically generate Windows Firewall with Advanced Security outbound rules
to prevent malware from being able to dial home.
These programs will only be allowed to communicate to IP addresses within the private IPv4 RFC1918 ranges:
@dstreefkerk
dstreefkerk / Enable NIC(s) upon Workstation Unlock.xml
Last active Oct 20, 2017
Scheduled Task export that enables all NICs when the workstation unlock event is registered
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2017-10-20T11:25:53.3600985</Date>
<Author>danielstreefkerk</Author>
<Description>This event enables all NICs when the workstation unlock event (4801) is detected in the security log.
It won't work without Success auditing of Other Logon/Logoff events being enabled.</Description>
<URI>\Enable NIC(s) upon Workstation Unlock</URI>
</RegistrationInfo>
@dstreefkerk
dstreefkerk / Disable NIC(s) upon Workstation Lock.xml
Created Oct 20, 2017
Scheduled Task export that disables all NICs when the workstation lock event is registered
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2017-10-20T11:25:53.3600985</Date>
<Author>danielstreefkerk</Author>
<Description>This event disables all NICs when the workstation lock event (4800) is detected in the security log.
It won't work without Success auditing of Other Logon/Logoff events being enabled.</Description>
<URI>\Disable NIC(s) upon Workstation Lock</URI>
</RegistrationInfo>