Fabian Bader f-bader
f-bader
/ 2022 Top Routinely Exploited Vulnerabilities.csv
Created
August 21, 2023 20:34
2022 Top Routinely Exploited Vulnerabilities - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
View 2022 Top Routinely Exploited Vulnerabilities.csv
We can make this file beautiful and searchable if this error is corrected: No commas found in this CSV file in line 0.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CveId | |
| CVE-2018-13379 | |
| CVE-2021-34473 | |
| CVE-2021-31207 | |
| CVE-2021-34523 | |
| CVE-2021-40539 | |
| CVE-2021-26084 | |
| CVE-2021-44228 | |
| CVE-2022-22954 | |
| CVE-2022-22960 |
f-bader
/ OneLiner.ps1
Created
August 17, 2023 06:33
Delete all branches excpect main using Powershell
View OneLiner.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| git branch | Select-String -NotMatch -Pattern "main" | % {$branch = $_ -replace '\s'; git branch -D $branch } |
f-bader
/ HuntForMidnightBlizzard.kql
Last active
August 7, 2023 13:58
Hunting query for Midnight Blizzard based on the IoCs from https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
View HuntForMidnightBlizzard.kql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| OfficeActivity | |
| | where TimeGenerated > ago(90d) | |
| | where UserId has_any ("msftprotection","identityVerification","accountsVerification","azuresecuritycenter","teamsprotection") and UserId has "onmicrosoft" | |
| | summarize by UserId |
f-bader
/ gist:d7e2371d5d5760b427697b7464e72cb1
Created
December 12, 2021 12:39
Detection for exploitation and old TGT usage
View gist:d7e2371d5d5760b427697b7464e72cb1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| CVE-2021-42287 - Authentication updates | |
| CVE-2021-42278 - Active Directory Security Accounts Manager hardening changes | |
| This updates introduced additional Event Ids to monitor. | |
| Use this script to check every domain controller for those eventIds | |
| #> | |
| $EventIds = @{ | |
| 35 = "PAC without attributes" | |
| 36 = "Ticket without a PAC" | |
| 37 = "Ticket without Requestor" |
f-bader
/ AuditAppRoles.ps1
Last active
June 30, 2022 07:28
— forked from andyrobbins/AuditAppRoles.ps1
Audit app roles
View AuditAppRoles.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Find dangerous API permissions as a user | |
| $AzureTenantID = '<Your tenant ID>' | |
| $AccountName = '<Username>@<Domain.com>' | |
| $Password = ConvertTo-SecureString '<Your password>' -AsPlainText -Force | |
| $Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password) | |
| Connect-AzAccount -Credential $Credential -TenantID $AzureTenantID | |
| function Get-AzureGraphToken | |
| { |
f-bader
/ CheckDefenderAVHealthState.kusto
Created
November 25, 2021 13:05
Advanced hunting query to check on a few vital Defender AV health settings
View CheckDefenderAVHealthState.kusto
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Check Defender AV related health issues | |
| // Microsoft Defender Antivirus is disabled - scid-2010 | |
| // Microsoft Defender Antivirus definitions are outdated - scid-2011 | |
| // Microsoft Defender Antivirus real-time behavior monitoring is disabled - scid-91 | |
| // Microsoft Defender Antivirus real-time protection is disabled - scid-2012 | |
| // Microsoft Defender Antivirus cloud service connectivity is impaired - scid-2014 | |
| DeviceTvmSecureConfigurationAssessmentKB | |
| | where ConfigurationName contains "Defender" | |
| | join kind=innerunique DeviceTvmSecureConfigurationAssessment on ConfigurationId | |
| | where ConfigurationId in ("scid-2010","scid-2011","scid-2012","scid-91","scid-2014") |
f-bader
/ Audit-KB5008380-EventIds.ps1
Created
November 10, 2021 10:56
KB5008380 - Authentication updates (CVE-2021-42287)
View Audit-KB5008380-EventIds.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| KB5008380 - Authentication updates (CVE-2021-42287) | |
| This update introduces additional Event Ids to monitor. | |
| Use this script to check every domain controller for those eventIds | |
| #> | |
| $EventIds = @{ | |
| # https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041 | |
| 35 = "PAC without attributes" | |
| 36 = "Ticket without a PAC" | |
| 37 = "Ticket without Requestor" |
f-bader
/ Audit-KB5008383-EventIds.ps1
Created
November 10, 2021 10:37
KB5008383 introduces additional Event Ids to monitor. This script helps in doing so in all Domain Controllers in your environment
View Audit-KB5008383-EventIds.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| KB5008383 - Active Directory permissions updates (CVE-2021-42291) | |
| This update introduces additional Event Ids to monitor. This script helps in doing so in all Domain Controllers in your environment | |
| The use of PowerShell Remoting makes it faster and better suiteable for restricted firewall setups | |
| #> | |
| $EventIds = @{ | |
| # https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1 | |
| # Events that occur when an LDAP Add operation is denied. | |
| 3044 = "Enforcement Mode - LDAP Add failures" | |
| 3045 = "Enforcement Mode - LDAP Add failures" |
f-bader
/ NsoCheck.kusto
Last active
July 19, 2021 10:39
Check for client connections to well known NSO domains as published by @AmnestyTech
View NsoCheck.kusto
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let NsoDomains = externaldata(RemoteUrl:string) | |
| [ | |
| h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/domains.txt", | |
| h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v2_domains.txt", | |
| h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v3_domains.txt", | |
| h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v4_domains.txt" | |
| ] | |
| with(format="csv"); | |
| DeviceNetworkEvents | |
| | join kind = inner ( NsoDomains | distinct RemoteUrl) on RemoteUrl |
f-bader
/ disablethings.bat
Created
March 3, 2021 12:46
— forked from MHaggis/disablethings.bat
View disablethings.bat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Related to MalwareBytes LazyScripter https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat | |
| reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtime |
NewerOlder