Skip to content

Instantly share code, notes, and snippets.

Avatar

Fabian Bader f-bader

View GitHub Profile
@f-bader
f-bader / gist:d7e2371d5d5760b427697b7464e72cb1
Created Dec 12, 2021
Detection for exploitation and old TGT usage
View gist:d7e2371d5d5760b427697b7464e72cb1
<#
CVE-2021-42287 - Authentication updates
CVE-2021-42278 - Active Directory Security Accounts Manager hardening changes
This updates introduced additional Event Ids to monitor.
Use this script to check every domain controller for those eventIds
#>
$EventIds = @{
35 = "PAC without attributes"
36 = "Ticket without a PAC"
37 = "Ticket without Requestor"
View AuditAppRoles.ps1
## Find dangerous API permissions as a user
$AzureTenantID = '<Your tenant ID>'
$AccountName = '<Username>@<Domain.com>'
$Password = ConvertTo-SecureString '<Your password>' -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password)
Connect-AzAccount -Credential $Credential -TenantID $AzureTenantID
function Get-AzureGraphToken
{
@f-bader
f-bader / CheckDefenderAVHealthState.kusto
Created Nov 25, 2021
Advanced hunting query to check on a few vital Defender AV health settings
View CheckDefenderAVHealthState.kusto
// Check Defender AV related health issues
// Microsoft Defender Antivirus is disabled - scid-2010
// Microsoft Defender Antivirus definitions are outdated - scid-2011
// Microsoft Defender Antivirus real-time behavior monitoring is disabled - scid-91
// Microsoft Defender Antivirus real-time protection is disabled - scid-2012
// Microsoft Defender Antivirus cloud service connectivity is impaired - scid-2014
DeviceTvmSecureConfigurationAssessmentKB
| where ConfigurationName contains "Defender"
| join kind=innerunique DeviceTvmSecureConfigurationAssessment on ConfigurationId
| where ConfigurationId in ("scid-2010","scid-2011","scid-2012","scid-91","scid-2014")
@f-bader
f-bader / Audit-KB5008380-EventIds.ps1
Created Nov 10, 2021
KB5008380 - Authentication updates (CVE-2021-42287)
View Audit-KB5008380-EventIds.ps1
<#
KB5008380 - Authentication updates (CVE-2021-42287)
This update introduces additional Event Ids to monitor.
Use this script to check every domain controller for those eventIds
#>
$EventIds = @{
# https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
35 = "PAC without attributes"
36 = "Ticket without a PAC"
37 = "Ticket without Requestor"
@f-bader
f-bader / Audit-KB5008383-EventIds.ps1
Created Nov 10, 2021
KB5008383 introduces additional Event Ids to monitor. This script helps in doing so in all Domain Controllers in your environment
View Audit-KB5008383-EventIds.ps1
<#
KB5008383 - Active Directory permissions updates (CVE-2021-42291)
This update introduces additional Event Ids to monitor. This script helps in doing so in all Domain Controllers in your environment
The use of PowerShell Remoting makes it faster and better suiteable for restricted firewall setups
#>
$EventIds = @{
# https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
# Events that occur when an LDAP Add operation is denied.
3044 = "Enforcement Mode - LDAP Add failures"
3045 = "Enforcement Mode - LDAP Add failures"
@f-bader
f-bader / NsoCheck.kusto
Last active Jul 19, 2021
Check for client connections to well known NSO domains as published by @AmnestyTech
View NsoCheck.kusto
let NsoDomains = externaldata(RemoteUrl:string)
[
h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/domains.txt",
h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v2_domains.txt",
h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v3_domains.txt",
h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v4_domains.txt"
]
with(format="csv");
DeviceNetworkEvents
| join kind = inner ( NsoDomains | distinct RemoteUrl) on RemoteUrl
View disablethings.bat
### Related to MalwareBytes LazyScripter https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtime
View SyncExchangeOnPremSendAsPermissions.ps1
<#
This script syncs SendAs permissions from Exchange on-Prem to Exchange Online to avoid a misconfigured hybrid environment
Uses Azure Automation for scheduling and safely storing the on-Prem credentials as well as the authentication certificate for Exchange Online
Prerequisites
* Azure Automation Account
* Hybrid Worker
* Setup App-only authentication (https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2)
* Install private certificate as exportable to Azure Automation Account as 'Exchange Hybrid Automation'
* Store OnPrem Exchange credentials in Azure Automation Account as 'Exchange onPrem'
@f-bader
f-bader / Test-IsO365IpAddress.ps1
Created Aug 23, 2019
Test if a IP address is part of the Office 365 endpoints
View Test-IsO365IpAddress.ps1
[CmdletBinding()]
param (
# IP Address to check against Office 365 Range
[Parameter(Mandatory = $true,
ValueFromPipeline = $true,
Position = 0)]
$IPAddress,
# Port to check
[Parameter(Mandatory = $false,
@f-bader
f-bader / ARMClient.exe.config
Last active Jul 30, 2018
Proxy, proxy on the wall
View ARMClient.exe.config
<configuration>
<system.net>
<defaultProxy>
<proxy usesystemdefault="false" autoDetect="false" proxyaddress="http://myproxy.local.bader.cloud:3128" bypassonlocal="true"/>
<bypasslist>
<add address="[a-z]+\.local\.bader\.cloud$" />
</bypasslist>
</defaultProxy>
</system.net>
</configuration>