@nicolonsky
nicolonsky / Detect-M365AppUpdate.ps1
Last active January 30, 2024 12:39
Intune / Configuration Manager Proactive Remediation to trigger the Office Click-to-Run updater (intended to run for the logged-on user to show the built-in update pop-up)
# See Microsoft 365 Apps Version history https://learn.microsoft.com/en-us/officeupdates/update-history-microsoft365-apps-by-date#version-history
$targetVersions = @{
'CurrentChannel' = [System.Version]::Parse('16.0.16130.20306')
'MonthlyEnterpriseChannel1' = [System.Version]::Parse('16.0.16026.20238')
'MonthlyEnterpriseChannel2' = [System.Version]::Parse('16.0.15928.20298')
'Semi-AnnualEnterpriseChannel(Preview)' = [System.Version]::Parse('16.0.16130.20306')
'Semi-AnnualEnterpriseChannel1' = [System.Version]::Parse('16.0.15601.20578')
'Semi-AnnualEnterpriseChannel2' = [System.Version]::Parse('16.0.14931.20944')
'CurrentChannel(Preview)' = [System.Version]::Parse('16.0.16227.20094')
@sassdawe
sassdawe / Get-LatestLTS.ps1
Created February 12, 2022 22:32
Get the latest LTS version of PowerShell
<#
.Synopsis
Get-LatestLTS
.DESCRIPTION
Long description
.EXAMPLE
Example of how to use this cmdlet
.EXAMPLE
Another example of how to use this cmdlet
@PierBover
PierBover / create-dev-certs.sh
Created January 27, 2022 17:57
Create certs for HTTP in localhost
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -keyout localhost-key.pem -out localhost-cert.pem
mkcert -install
mkcert -key-file localhost-key.pem -cert-file localhost-cert.pem localhost 127.0.0.1
@kilasuit
kilasuit / WebsiteAccess.ps1
Last active February 2, 2022 23:52
functions for enabling/disabling Website access via hosts file.
#Requires -RunAsAdministrator
#Requires -Module @{ ModuleName = 'PSHosts';
RequiredVersion = '1.2.2' }
Function New-WebSiteHostEntry {
[CmdletBinding()]
[Alias('NWA')]
param (
# Parameter help description
[Parameter()]
@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active October 14, 2025 08:35
BlueTeam CheatSheet *Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@wdormann
wdormann / noappinstaller.reg
Last active December 14, 2021 00:30
Prevent the ability to click on a ms-appinstaller: URI for the current user
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\ms-appinstaller]
"URL Protocol"=-
@technion
technion / CVE-2021-40444Mit.ps1
Last active September 12, 2021 08:43
CVE-2021-40444 Mitigation Script
Set-Strictmode -Version 2
# Applies reg keys from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
# Although the above document is still "Revision 1.0", Microsoft has removed the WOW6432 section
for($i = 0; $i -le 3; $i++) {
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$i"
if (-not (Test-Path $RegPath)) {
New-Item $RegPath -Force
}
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@tijme
tijme / Get-AllADGroupUsersRecursively.ps1
Last active February 20, 2023 11:52
This function will return all domain users in the specified group, including recursive memberships. This also includes users in special groups such as the "Domain Users" group. Users are part of special groups via the SID instead of the members attribute. Therefore `Get-ADGroupMembers -Recursive` doesn't return users in these special groups.
Function Get-AllADGroupUsersRecursively {
<#
.SYNOPSIS
This script will identify all AD users in a specific group recursively (including special groups such as "Domain Users").
.DESCRIPTION
This script will identify all AD users in a specific group recursively (including special groups such as "Domain Users").
.NOTES
Name: Get-AllADGroupUsersRecursively
@jdhitsolutions
jdhitsolutions / Get-Restart.ps1
Created May 7, 2021 18:54
A PowerShell function and format file to query the event log using Get-WinEvent for restart related events.
Function Get-Restart {
[cmdletbinding()]
[outputtype("RestartEvent")]
Param(
[Parameter(Position = 0, ValueFromPipeline)]
[ValidateNotNullOrEmpty()]
[Alias("CN")]
[string]$Computername = $env:COMPUTERNAME,
[Parameter(HelpMessage = "Find restart events since this date and time.")]
[ValidateNotNullOrEmpty()]