Fabian Bader f-bader

View GitHub Profile
@f-bader
f-bader / GetAllRegisterdaaGuids.ps1
Last active April 14, 2024 19:46
List all AAGUIDs in an Entra ID / Azure AD tenant
# Looking for an all-in-one solution?
# https://github.com/f-bader/EntraIDPasskeyHelper
Connect-MgGraph -UseDeviceAuthentication -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"
# Only users that have a device-bound passkey registered
$NextUri = "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$filter=methodsRegistered/any(x:x eq 'passKeyDeviceBound')"
$ReturnValue = @()
# Follow @odata.nextLink until the report is fully paged through
do {
    $Result = Invoke-MgGraphRequest -Uri $NextUri
    $NextUri = $Result['@odata.nextLink']
    $ReturnValue += $Result['value']
} while ($NextUri)
@f-bader
f-bader / Get-Guid.ps1
Created October 12, 2023 17:25 — forked from azurekid/Get-Guid.ps1
PowerShell function to create a GUID from a string value
<#
.SYNOPSIS
Generates a GUID from a given string value using MD5 hashing.
.PARAMETER Value
The string value to generate a GUID from.
.EXAMPLE
Get-Guid -Value "example string"
Returns a GUID generated from the string "example string".
@f-bader
f-bader / HuntForCVE-2023-38545.kql
Last active October 12, 2023 09:09
CVE-2023-38545 detection based on usage of curl process and TVM data in MDE
// List all devices that have curl installed or use curl.
let ProcessBasedDevices = DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has "curl" and FileName != "SenseNdr.exe"
| extend Method = "Process"
| summarize by DeviceId, DeviceName, Method;
let TVMBasedDevices = DeviceTvmSoftwareInventory
| where SoftwareName has "curl"
| extend Method = "Software Inventory"
| project DeviceId, DeviceName, Method, SoftwareName, SoftwareVersion, SoftwareVendor;
CveId
CVE-2018-13379
CVE-2021-34473
CVE-2021-31207
CVE-2021-34523
CVE-2021-40539
CVE-2021-26084
CVE-2021-44228
CVE-2022-22954
CVE-2022-22960
@f-bader
f-bader / OneLiner.ps1
Created August 17, 2023 06:33
Delete all branches except main using PowerShell
git branch | Select-String -NotMatch -Pattern "main" | % {$branch = $_ -replace '\s'; git branch -D $branch }
OfficeActivity
| where TimeGenerated > ago(90d)
| where UserId has_any ("msftprotection","identityVerification","accountsVerification","azuresecuritycenter","teamsprotection") and UserId has "onmicrosoft"
| summarize by UserId
@f-bader
f-bader / Audit-KB5008383-EventIds.ps1
Created November 10, 2021 10:37
KB5008383 introduces additional Event IDs to monitor. This script helps in doing so on all Domain Controllers in your environment
<#
KB5008383 - Active Directory permissions updates (CVE-2021-42291)
This update introduces additional Event IDs to monitor. This script helps in doing so on all Domain Controllers in your environment
The use of PowerShell Remoting makes it faster and better suited for restricted firewall setups
#>
$EventIds = @{
# https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
# Events that occur when an LDAP Add operation is denied.
3044 = "Enforcement Mode - LDAP Add failures"
3045 = "Enforcement Mode - LDAP Add failures"
@f-bader
f-bader / AuditAppRoles.ps1
Last active June 30, 2022 07:28 — forked from andyrobbins/AuditAppRoles.ps1
Audit app roles
## Find dangerous API permissions as a user
$AzureTenantID = '<Your tenant ID>'
$AccountName = '<Username>@<Domain.com>'
$Password = ConvertTo-SecureString '<Your password>' -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password)
Connect-AzAccount -Credential $Credential -TenantID $AzureTenantID
function Get-AzureGraphToken
{
@f-bader
f-bader / Audit-KB5008380-EventIds.ps1
Created November 10, 2021 10:56
KB5008380 - Authentication updates (CVE-2021-42287)
<#
KB5008380 - Authentication updates (CVE-2021-42287)
This update introduces additional Event IDs to monitor.
Use this script to check every domain controller for those Event IDs
#>
$EventIds = @{
# https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
35 = "PAC without attributes"
36 = "Ticket without a PAC"
37 = "Ticket without Requestor"
@f-bader
f-bader / CheckDefenderAVHealthState.kusto
Created November 25, 2021 13:05
Advanced hunting query to check on a few vital Defender AV health settings
// Check Defender AV related health issues
// Microsoft Defender Antivirus is disabled - scid-2010
// Microsoft Defender Antivirus definitions are outdated - scid-2011
// Microsoft Defender Antivirus real-time behavior monitoring is disabled - scid-91
// Microsoft Defender Antivirus real-time protection is disabled - scid-2012
// Microsoft Defender Antivirus cloud service connectivity is impaired - scid-2014
DeviceTvmSecureConfigurationAssessmentKB
| where ConfigurationName contains "Defender"
| join kind=innerunique DeviceTvmSecureConfigurationAssessment on ConfigurationId
| where ConfigurationId in ("scid-2010","scid-2011","scid-2012","scid-91","scid-2014")