<#
KB5008383 - Active Directory permissions updates (CVE-2021-42291)
This update introduces additional Event IDs to monitor. This script helps in doing so on all Domain Controllers in your environment.
The use of PowerShell Remoting makes it faster and better suitable for restricted firewall setups.
#>
$EventIds = @{
    # https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
    # Events that occur when an LDAP Add operation is denied.
    3044 = "Enforcement Mode - LDAP Add failures"
    3045 = "Enforcement Mode - LDAP Add failures"
let NsoDomains = externaldata(RemoteUrl:string)
[
    h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/domains.txt",
    h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v2_domains.txt",
    h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v3_domains.txt",
    h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v4_domains.txt"
]
with(format="csv");
DeviceNetworkEvents
| join kind = inner ( NsoDomains | distinct RemoteUrl) on RemoteUrl
### Related to MalwareBytes LazyScripter https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtime
<#
This script syncs SendAs permissions from Exchange on-Prem to Exchange Online to avoid a misconfigured hybrid environment.
Uses Azure Automation for scheduling and safely storing the on-Prem credentials as well as the authentication certificate for Exchange Online.
Prerequisites
* Azure Automation Account
* Hybrid Worker
* Set up App-only authentication (https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2)
* Install private certificate as exportable to Azure Automation Account as 'Exchange Hybrid Automation'
* Store OnPrem Exchange credentials in Azure Automation Account as 'Exchange onPrem'
[CmdletBinding()]
param (
    # IP Address to check against Office 365 Range
    [Parameter(Mandatory = $true,
        ValueFromPipeline = $true,
        Position = 0)]
    $IPAddress,
    # Port to check
    [Parameter(Mandatory = $false,
<configuration>
  <system.net>
    <defaultProxy>
      <proxy usesystemdefault="false" autoDetect="false" proxyaddress="http://myproxy.local.bader.cloud:3128" bypassonlocal="true"/>
      <bypasslist>
        <add address="[a-z]+\.local\.bader\.cloud$" />
      </bypasslist>
    </defaultProxy>
  </system.net>
</configuration>
# Install OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Start the service
Start-Service sshd
# Set startup type to "Automatic"
Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic
USE [DATENBANK]
SELECT
    [UserName] = CASE princ.[type]
        WHEN 'S' THEN princ.[name]
        WHEN 'U' THEN ulogin.[name] COLLATE Latin1_General_CI_AI
    END,
    [UserType] = CASE princ.[type]
        WHEN 'S' THEN 'SQL User'
        WHEN 'U' THEN 'Windows User'
    END,
# Use Azure AD Username
$User = "AzureUsername"
$TargetTenant = "TargetTenant"
# Login
$Cred = Get-Credential
Connect-AzureAD -Credential $Cred
# Generate Invitation, but do not send
$Invitation = New-AzureADMSInvitation -InvitedUserEmailAddress $User -InvitedUserDisplayName $User -InviteRedirectUrl "https://portal.azure.com/$($TargetTenant)" -SendInvitationMessage $false
# Copy redeem URL to clipboard
$Invitation | Select-Object -ExpandProperty InviteRedeemUrl | clip
$ComputerSystem = (Get-CimInstance Win32_ComputerSystem)
$FqDn = "$($ComputerSystem.Name).$($ComputerSystem.Domain)"
$HybridWorkerGroup = Get-AzureRmAutomationAccount | Get-AzureRMAutomationHybridWorkerGroup | Where-Object { $FqDn -in $_.RunbookWorker.Name }
$HybridWorkerGroup.RunbookWorker.Name