dstreefkerk

function Start-DNSClientLog {
    $DnsOpLog = Get-WinEvent -ListLog Microsoft-Windows-DNS-Client/Operational
    $DnsOpLog.IsEnabled = $true
    $DnsOpLog.SaveChanges()
}


function Get-DNSClientQueries {
    foreach($event in (get-winevent Microsoft-Windows-DNS-Client/Operational | % { [xml]$_.ToXml() })) {
        $Query = ($event.Event.EventData.Data | Where-Object { $_.Name -eq "QueryName" }).'#text'

dstreefkerk

# Quick little script that's kinda like a browser's "Close other tabs" function, but for Windows apps
# Drop a reference to this script into your PowerShell profile as follows:
#   New-Alias -Name IFM -Value "C:\Scripts\Invoke-Focus.ps1" -Force
#
# USE AT YOUR OWN RISK
#
# Daniel Streefkerk, 2019
#
# If you want it to terminate apps without cleanly closing them, uncomment the last line

dstreefkerk

Not sure if these are still valid, wrote them back in 2015. Might come in handy for somebody.

-------------------------------------------------------------------------------------------------------------
- All comments for a specific ticket

select u.email as created_by, c.body,c.is_public,c.comment_type,c.attachment_location,c.attachment_content_type,c.attachment_name from comments as c
inner join users as u on c.created_by = u.id
where ticket_id = 5500
order by c.created_at
-------------------------------------------------------------------------------------------------------------

dstreefkerk

Connect-MsolService

$allUsers = Get-MsolUser -MaxResults 100000
$usersWithSmsOrPhoneMfa = @()
foreach ($user in $allUsers) {
	foreach ($method in $user.StrongAuthenticationMethods) {
		if (($method.MethodType -eq 'OneWaySMS') -or ($method.MethodType -eq 'PhoneAppNotification')) {
			if ($method.IsDefault) { $usersWithSmsOrPhoneMfa += $user }
		}
	}

dstreefkerk

$currentSettings = Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi -Filter 'CurrentSetting != ""' | Select-Object -ExpandProperty CurrentSetting | Sort-Object

$allSettings = @()

foreach ($setting in $currentSettings) {   
    # Check if Lenovo_GetBiosSelections exists. If not, we're running on a newer system that includes returns the possible values
    # as part of the current setting value
    $legacyMethodExists = Get-CimClass Lenovo_GetBiosSelections -Namespace root\wmi -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    
    if ($legacyMethodExists) {

dstreefkerk

Function Create-X500ProxyAddressFromLegacyExchangeDN($Address) {
  # As per https://support.microsoft.com/en-au/help/2807779/imceaex-non-delivery-report-when-you-send-email-messages-to-an-interna
  $Address = $Address.Replace('_','/')        # Replace any underscore character (_) with a slash character (/)
  $Address = $Address.Replace('+20',' ')      # Replace "+20" with a blank space
  $Address = $Address.Replace('+28','(')      # Replace "+28" with an opening parenthesis character
  $Address = $Address.Replace('+29',')')      # Replace "+29" with a closing parenthesis character.
  $Address = $Address.Replace('IMCEAEX-','')  # Delete the "IMCEAEX-" string
  $Address = $Address.Split('@')[0]           # Delete the "@mgd.domain.com" string
  $Address = "X500:$Address"                  # Add "X500:" at the beginning
  $Address

dstreefkerk

<?xml version="1.0" encoding="utf-8"?>
<IniFiles clsid="{694C651A-08F2-47fa-A427-34C4F62BA207}"><Ini clsid="{EEFACE84-D3D8-4680-8D4B-BF103E759448}" name="AppDataDir" status="AppDataDir" image="2" bypassErrors="1" changed="2017-11-23 00:56:06" uid="{95D41DAD-AA68-4FD5-83EE-F99F154CF748}"><Properties path="%TempDir%\gpp-variables.ini" section="GPPVariables-Computer" value="%AppDataDir%" property="AppDataDir" action="U"/><Filters></Filters></Ini>
	<Ini clsid="{EEFACE84-D3D8-4680-8D4B-BF103E759448}" name="BinaryComputerSid" status="BinaryComputerSid" image="2" bypassErrors="1" changed="2017-11-23 00:56:10" uid="{609ED203-3CBF-4556-8028-F134B1EEF95D}"><Properties path="%TempDir%\gpp-variables.ini" section="GPPVariables-Computer" value="%BinaryComputerSid%" property="BinaryComputerSid" action="U"/><Filters></Filters></Ini>
	<Ini clsid="{EEFACE84-D3D8-4680-8D4B-BF103E759448}" name="BinaryUserSid" status="BinaryUserSid" image="2" bypassErrors="1" changed="2017-11-23 00:56:15" uid="{A822EFE8-33E6-4E66-8D13-F194EE50E5A

dstreefkerk

#Requires -Version 5 -Module NetSecurity -RunAsAdministrator
<#
.SYNOPSIS
Create-MitigationFirewallRules - Creates Windows Firewall rules to mitigate certain app whitelisting bypasses and to prevent command interpreters from accessing the Internet

.DESCRIPTION 
A script to automatically generate Windows Firewall with Advanced Security outbound rules
to prevent malware from being able to dial home.

These programs will only be allowed to communicate to IP addresses within the private IPv4 RFC1918 ranges:

dstreefkerk

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2017-10-20T11:25:53.3600985</Date>
    <Author>danielstreefkerk</Author>
    <Description>This event enables all NICs when the workstation unlock event (4801) is detected in the security log.

It won't work without Success auditing of Other Logon/Logoff events being enabled.</Description>
    <URI>\Enable NIC(s) upon Workstation Unlock</URI>
  </RegistrationInfo>

dstreefkerk

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2017-10-20T11:25:53.3600985</Date>
    <Author>danielstreefkerk</Author>
    <Description>This event disables all NICs when the workstation lock event (4800) is detected in the security log.

It won't work without Success auditing of Other Logon/Logoff events being enabled.</Description>
    <URI>\Disable NIC(s) upon Workstation Lock</URI>
  </RegistrationInfo>