Fabian Bader f-bader

## Disconnect-RemoteSessions.ps1
<#
.Synopsis
    Disconnects your user from remote computers

.DESCRIPTION
    This scripts uses the quser to scan for session on a remote computer and then rwinsta to disconnect it

.NOTES

.LINK

## 2021-1675-spooler-imageloads.kql
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers

## PowerShell Script Block Merge in Kusto
Event
| where EventID == "4104"
| extend ParsedEvent = parse_xml(strcat("<root>", ParameterXml, "</root>"))
| extend MessageNumber = tolong(ParsedEvent.root.Param[0])
| extend MessageTotal = tolong(ParsedEvent.root.Param[1])
| extend ScriptBlockElement = iff(
    strlen(tostring(ParsedEvent.root.Param[2]["#text"])) > 0,
        ParsedEvent.root.Param[2]["#text"],
        ParsedEvent.root.Param[2])
| extend ScriptBlockId = tostring(ParsedEvent.root.Param[3])

## hugo.yml
name: github pages

on:
  push:
    branches:
      - blog # Set a branch to deploy
  pull_request:

jobs:
  deploy:

## DeviceNetworkEvents_Iana.kql
// Enrich DeviceNetworkEvents with the port number Servicename information
let iana_port_assignments = (externaldata(entry: string ) [@"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv"]
with (format="txt",ignoreFirstRecord=true))
//iana_port_assignments
// Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
| extend data = parse_csv(entry)
| extend ServiceName = tostring(data[0])
| extend PortNumber = toint(data[1])
| project ServiceName, PortNumber
| summarize any(ServiceName) by PortNumber

## KDCProxy.ps1
# Copyright: (c) 2022, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)

Function Install-KDCProxyServer {
    <#
    .SYNOPSIS
    Set up a KDC Proxy server.

    .DESCRIPTION
    Sets up the KDC proxy server on the current host.

## check_hashes.py
#!/usr/bin/env python3

#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py <hash_dump>

import argparse
import re

parser = argparse.ArgumentParser(description="Check user hashes against each other to find users that share passwords")

## c2threadview_io_kql.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              4 stars
            
          
                alexverboon
                / c2threadview_io_kql.md
            
            
              Last active
              June 30, 2023 15:54
            
          
    C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io

https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt
IP,Date of Detection,Host,Protocol,Beacon Config,Comment
Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/
// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment

  
## Create-ClientsWithNoAssociatedSiteReport.ps1
#Get Domain Controllers for current domain
$DCs = Get-ADGroupMember "Domain Controllers"
#Initiate the clients array
$Clients = @()
Foreach ($DC in $DCs) {
    #Define the netlogon.log path
    $NetLogonFilePath = "\\" + $DC.Name + "\C$\Windows\debug\netlogon.log"
    #Reading the content of the netlogon.log file
    try {$NetLogonFile = Get-Content -Path $NetLogonFilePath -ErrorAction Stop}
    catch {"Error reading $NetLogonFilePath"}

## ATPSiPolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>
    <Rule>
	<#
	.Synopsis
	Disconnects your user from remote computers

	.DESCRIPTION
	This scripts uses the quser to scan for session on a remote computer and then rwinsta to disconnect it

	.NOTES

	.LINK
	let serverlist=DeviceInfo
	\| where DeviceType != "Workstation"
	\| distinct DeviceId;
	let suspiciousdrivers=DeviceImageLoadEvents
	\| where DeviceId in (serverlist)
	\| where FolderPath startswith @"c:\windows\system32\spool\drivers"
	\| distinct SHA1
	\| invoke FileProfile(SHA1, 1000)
	\| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
	suspiciousdrivers
	Event
	\| where EventID == "4104"
	\| extend ParsedEvent = parse_xml(strcat("<root>", ParameterXml, "</root>"))
	\| extend MessageNumber = tolong(ParsedEvent.root.Param[0])
	\| extend MessageTotal = tolong(ParsedEvent.root.Param[1])
	\| extend ScriptBlockElement = iff(
	strlen(tostring(ParsedEvent.root.Param[2]["#text"])) > 0,
	ParsedEvent.root.Param[2]["#text"],
	ParsedEvent.root.Param[2])
	\| extend ScriptBlockId = tostring(ParsedEvent.root.Param[3])
	name: github pages

	on:
	push:
	branches:
	- blog # Set a branch to deploy
	pull_request:

	jobs:
	deploy:
	// Enrich DeviceNetworkEvents with the port number Servicename information
	let iana_port_assignments = (externaldata(entry: string ) [@"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv"]
	with (format="txt",ignoreFirstRecord=true))
	//iana_port_assignments
	// Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
	\| extend data = parse_csv(entry)
	\| extend ServiceName = tostring(data[0])
	\| extend PortNumber = toint(data[1])
	\| project ServiceName, PortNumber
	\| summarize any(ServiceName) by PortNumber
	# Copyright: (c) 2022, Jordan Borean (@jborean93) <jborean93@gmail.com>
	# MIT License (see LICENSE or https://opensource.org/licenses/MIT)

	Function Install-KDCProxyServer {
	<#
	.SYNOPSIS
	Set up a KDC Proxy server.

	.DESCRIPTION
	Sets up the KDC proxy server on the current host.
	#!/usr/bin/env python3

	#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
	#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
	# ./check_hashes.py <hash_dump>

	import argparse
	import re

	parser = argparse.ArgumentParser(description="Check user hashes against each other to find users that share passwords")
	#Get Domain Controllers for current domain
	$DCs = Get-ADGroupMember "Domain Controllers"
	#Initiate the clients array
	$Clients = @()
	Foreach ($DC in $DCs) {
	#Define the netlogon.log path
	$NetLogonFilePath = "\\" + $DC.Name + "\C$\Windows\debug\netlogon.log"
	#Reading the content of the netlogon.log file
	try {$NetLogonFile = Get-Content -Path $NetLogonFilePath -ErrorAction Stop}
	catch {"Error reading $NetLogonFilePath"}
	<?xml version="1.0"?>
	<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.0.0</VersionEx>
	<PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:UMCI</Option>
	</Rule>
	<Rule>