Fabian Bader f-bader
f-bader
/ gist:d7e2371d5d5760b427697b7464e72cb1
Created
December 12, 2021 12:39
Detection for exploitation and old TGT usage
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| CVE-2021-42287 - Authentication updates | |
| CVE-2021-42278 - Active Directory Security Accounts Manager hardening changes | |
| This updates introduced additional Event Ids to monitor. | |
| Use this script to check every domain controller for those eventIds | |
| #> | |
| $EventIds = @{ | |
| 35 = "PAC without attributes" | |
| 36 = "Ticket without a PAC" | |
| 37 = "Ticket without Requestor" |
f-bader
/ NsoCheck.kusto
Last active
July 19, 2021 10:39
Check for client connections to well known NSO domains as published by @AmnestyTech
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let NsoDomains = externaldata(RemoteUrl:string) | |
| [ | |
| h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/domains.txt", | |
| h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v2_domains.txt", | |
| h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v3_domains.txt", | |
| h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v4_domains.txt" | |
| ] | |
| with(format="csv"); | |
| DeviceNetworkEvents | |
| | join kind = inner ( NsoDomains | distinct RemoteUrl) on RemoteUrl |
f-bader
/ Sync-TfsIdentity.ps1
Last active
March 17, 2021 14:55
— forked from jstangroome/Sync-TfsIdentity.ps1
Force TFS 2018 to synchronize Active Directory group memberships
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [CmdletBinding()] | |
| param ( | |
| [Parameter(Mandatory=$true, Position=0)] | |
| [uri] | |
| $ServerUri | |
| ) | |
| $ErrorActionPreference = 'Stop' | |
| Set-StrictMode -Version Latest |
f-bader
/ disablethings.bat
Created
March 3, 2021 12:46
— forked from MHaggis/disablethings.bat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Related to MalwareBytes LazyScripter https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat | |
| reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtime |
f-bader
/ SyncExchangeOnPremSendAsPermissions.ps1
Created
August 10, 2020 19:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| This script syncs SendAs permissions from Exchange on-Prem to Exchange Online to avoid a misconfigured hybrid environment | |
| Uses Azure Automation for scheduling and safely storing the on-Prem credentials as well as the authentication certificate for Exchange Online | |
| Prerequisites | |
| * Azure Automation Account | |
| * Hybrid Worker | |
| * Setup App-only authentication (https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2) | |
| * Install private certificate as exportable to Azure Automation Account as 'Exchange Hybrid Automation' | |
| * Store OnPrem Exchange credentials in Azure Automation Account as 'Exchange onPrem' |
f-bader
/ Test-IsO365IpAddress.ps1
Created
August 23, 2019 18:55
Test if a IP address is part of the Office 365 endpoints
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [CmdletBinding()] | |
| param ( | |
| # IP Address to check against Office 365 Range | |
| [Parameter(Mandatory = $true, | |
| ValueFromPipeline = $true, | |
| Position = 0)] | |
| $IPAddress, | |
| # Port to check | |
| [Parameter(Mandatory = $false, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <configuration> | |
| <system.net> | |
| <defaultProxy> | |
| <proxy usesystemdefault="false" autoDetect="false" proxyaddress="http://myproxy.local.bader.cloud:3128" bypassonlocal="true"/> | |
| <bypasslist> | |
| <add address="[a-z]+\.local\.bader\.cloud$" /> | |
| </bypasslist> | |
| </defaultProxy> | |
| </system.net> | |
| </configuration> |
f-bader
/ Enable-OpenSSHServer.ps1
Created
May 3, 2018 17:49
OpenSSH Server auf Windows 1709+ aktivieren
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # OpenSSH Server installieren | |
| Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 | |
| # Dienst starten | |
| Start-Service sshd | |
| # Starttyp auf "Automatisch" stellen | |
| Set-Service sshd -StartupType Automatic | |
| Set-Service ssh-agent -StartupType Automatic |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| USE [DATENBANK] | |
| SELECT | |
| [UserName] = CASE princ.[type] | |
| WHEN 'S' THEN princ.[name] | |
| WHEN 'U' THEN ulogin.[name] COLLATE Latin1_General_CI_AI | |
| END, | |
| [UserType] = CASE princ.[type] | |
| WHEN 'S' THEN 'SQL User' | |
| WHEN 'U' THEN 'Windows User' | |
| END, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Use Azure AD Username | |
| $User = "AzureUsername" | |
| $TargetTenant = "TargetTenant" | |
| # Login | |
| $Cred = Get-Credential | |
| Connect-AzureAD -Credential $cred | |
| # Generate Invitation, but do not send | |
| $Invitation = New-AzureADMSInvitation -InvitedUserEmailAddress $User -InvitedUserDisplayName $User -InviteRedirectUrl "https://portal.azure.com/$($TargetTenant)" -SendInvitationMessage $false | |
| # Copy redeem URL to clipboard | |
| $Invitation | Select-Object –ExpandProperty InviteRedeemUrl | clip |