View IniFiles-Computer.xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Group Policy Preferences "Ini Files" collection; each <Ini> item writes one GPP variable into an INI file.
     Item AppDataDir: action="U" (Update) sets property AppDataDir in section GPPVariables-Computer of
     %TempDir%\gpp-variables.ini to the expanded value of %AppDataDir%. <Filters> is empty, so no item-level
     targeting narrows where this item applies.
     NOTE(review): bypassErrors="1" presumably lets processing continue when this item fails; confirm.
     NOTE(review): the output file sits under a temp directory; check who can read or replace it before any
     other tooling trusts its contents. -->
<IniFiles clsid="{694C651A-08F2-47fa-A427-34C4F62BA207}"><Ini clsid="{EEFACE84-D3D8-4680-8D4B-BF103E759448}" name="AppDataDir" status="AppDataDir" image="2" bypassErrors="1" changed="2017-11-23 00:56:06" uid="{95D41DAD-AA68-4FD5-83EE-F99F154CF748}"><Properties path="%TempDir%\gpp-variables.ini" section="GPPVariables-Computer" value="%AppDataDir%" property="AppDataDir" action="U"/><Filters></Filters></Ini>
<!-- Item BinaryComputerSid: action="U" (Update) sets property BinaryComputerSid in section GPPVariables-Computer
     of %TempDir%\gpp-variables.ini to the expanded value of the %BinaryComputerSid% variable. <Filters> is empty,
     so no item-level targeting is applied.
     NOTE(review): presumably the computer SID in its binary (hex) form; confirm against the GPP variable
     reference. bypassErrors="1" presumably lets processing continue when this item fails; confirm. -->
<Ini clsid="{EEFACE84-D3D8-4680-8D4B-BF103E759448}" name="BinaryComputerSid" status="BinaryComputerSid" image="2" bypassErrors="1" changed="2017-11-23 00:56:10" uid="{609ED203-3CBF-4556-8028-F134B1EEF95D}"><Properties path="%TempDir%\gpp-variables.ini" section="GPPVariables-Computer" value="%BinaryComputerSid%" property="BinaryComputerSid" action="U"/><Filters></Filters></Ini>
<Ini clsid="{EEFACE84-D3D8-4680-8D4B-BF103E759448}" name="BinaryUserSid" status="BinaryUserSid" image="2" bypassErrors="1" changed="2017-11-23 00:56:15" uid="{A822EFE8-33E6-4E66-8D13-F194EE50E5A
View Create-MitigationFirewallRules.ps1
#Requires -Version 5 -Module NetSecurity -RunAsAdministrator
<#
.SYNOPSIS
Create-MitigationFirewallRules - Creates Windows Firewall rules to mitigate certain app whitelisting bypasses and to prevent command interpreters from accessing the Internet
.DESCRIPTION
A script to automatically generate Windows Firewall with Advanced Security outbound rules
to prevent malware from being able to dial home.
These programs will only be allowed to communicate with IP addresses within the private IPv4 RFC 1918 ranges:
View Enable NIC(s) upon Workstation Unlock.xml
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<!-- Registration metadata only: creation date, author, description, and the task path (root of the Task
     Scheduler library). The trigger and action are outside this excerpt.
     Per the description, the task relies on workstation unlock event 4801 appearing in the Security log,
     which requires Success auditing of "Other Logon/Logoff Events".
     NOTE(review): if the companion disable-on-lock task runs but this one never fires, the NICs would
     presumably stay disabled after unlock; verify the audit policy wherever both tasks are deployed. -->
<RegistrationInfo>
<Date>2017-10-20T11:25:53.3600985</Date>
<Author>danielstreefkerk</Author>
<Description>This event enables all NICs when the workstation unlock event (4801) is detected in the security log.
It won't work without Success auditing of Other Logon/Logoff events being enabled.</Description>
<URI>\Enable NIC(s) upon Workstation Unlock</URI>
</RegistrationInfo>
View Disable NIC(s) upon Workstation Lock.xml
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<!-- Registration metadata only: creation date, author, description, and the task path (root of the Task
     Scheduler library). The trigger and action are outside this excerpt.
     Per the description, the task relies on workstation lock event 4800 appearing in the Security log,
     which requires Success auditing of "Other Logon/Logoff Events".
     NOTE(review): with all NICs disabled, a locked workstation presumably also loses remote management
     and event forwarding until it is unlocked; confirm that trade-off is acceptable. -->
<RegistrationInfo>
<Date>2017-10-20T11:25:53.3600985</Date>
<Author>danielstreefkerk</Author>
<Description>This event disables all NICs when the workstation lock event (4800) is detected in the security log.
It won't work without Success auditing of Other Logon/Logoff events being enabled.</Description>
<URI>\Disable NIC(s) upon Workstation Lock</URI>
</RegistrationInfo>
View ADScript.asp
<!--#include file="Constants.asp"-->
<%
' VERSION 1.0.0
' Simple SSO based on Classic ASP hosted on IIS.
'----------------------------------------------------------------
' VERSION 1.0.1
' Debugging information added.
'----------------------------------------------------------------
' VERSION 1.0.2
' Pass through functionality added.
View Get-ForwardedAppLockerLogs.ps1
Function Get-AppLockerLogs {
$filter = '
<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*[System[Provider[@Name="Microsoft-Windows-AppLocker"] and (Level=2 or Level=3)]]</Select>
</Query>
</QueryList>
'
$data = Get-WinEvent -FilterXml $filter -Oldest
View Remove-OldPrintJobs.ps1
# Jobs older than the below time will be deleted
$thresholdTime = (Get-Date).AddDays(-1)
# Get all current print jobs
$printJobs = Get-WmiObject Win32_PrintJob
ForEach ($printJob in $printJobs) {
# Convert the weird WMI time to a proper .NET DateTime object
$jobTime = [System.Management.ManagementDateTimeConverter]::ToDateTime($printJob.TimeSubmitted)
View unattend.xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="windowsPE">
<component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- windowsPE-pass language settings: the Setup UI language, user locale and system locale are all en-AU.
     InputLocale 0c09:00000409 pairs the en-AU input language (0c09) with keyboard layout 00000409 (US).
     NOTE(review): no credentials appear in this excerpt; the remaining passes of the answer file are not
     visible here and should be checked for stored passwords before the file is shared. -->
<SetupUILanguage>
<UILanguage>en-AU</UILanguage>
</SetupUILanguage>
<InputLocale>0c09:00000409</InputLocale>
<UserLocale>en-AU</UserLocale>
<SystemLocale>en-AU</SystemLocale>
View Parse-HibpJson.ps1
#requires -version 3
<#
.SYNOPSIS
Parse-HibpJson - Checks Active Directory for matching users, outputs info as objects
.DESCRIPTION
Cross-checks Active Directory for matching aliases from a HIBP breach JSON file, and then
lists the matching users and which breaches they were involved in.
Designed to be output to CSV for easy consumption in Excel with one breach per column
View Get-RandomPassword.ps1
function Get-RandomPassword {
[OutputType([string])]
Param
(
[int]
$Count = 1,
[string]
$Separator = '-'