Fabian Bader f-bader

View GitHub Profile
@f-bader
f-bader / Audit-KB5008383-EventIds.ps1
Created November 10, 2021 10:37
KB5008383 introduces additional Event Ids to monitor. This script helps in doing so in all Domain Controllers in your environment
<#
KB5008383 - Active Directory permissions updates (CVE-2021-42291)
This update introduces additional Event Ids to monitor. This script helps in doing so in all Domain Controllers in your environment
The use of PowerShell Remoting makes it faster and better suited to restricted firewall setups
#>
$EventIds = @{
# https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
# Events that occur when an LDAP Add operation is denied.
3044 = "Enforcement Mode - LDAP Add failures"
3045 = "Enforcement Mode - LDAP Add failures"
@f-bader
f-bader / NsoCheck.kusto
Last active July 19, 2021 10:39
Check for client connections to well known NSO domains as published by @AmnestyTech
let NsoDomains = externaldata(RemoteUrl:string)
[
h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/domains.txt",
h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v2_domains.txt",
h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v3_domains.txt",
h@"https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/v4_domains.txt"
]
with(format="csv");
DeviceNetworkEvents
| join kind = inner ( NsoDomains | distinct RemoteUrl) on RemoteUrl
### Related to MalwareBytes LazyScripter https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtime
<#
This script syncs SendAs permissions from Exchange on-Prem to Exchange Online to avoid a misconfigured hybrid environment
Uses Azure Automation for scheduling and safely storing the on-Prem credentials as well as the authentication certificate for Exchange Online
Prerequisites
* Azure Automation Account
* Hybrid Worker
* Setup App-only authentication (https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2)
* Install private certificate as exportable to Azure Automation Account as 'Exchange Hybrid Automation'
* Store OnPrem Exchange credentials in Azure Automation Account as 'Exchange onPrem'
@f-bader
f-bader / Test-IsO365IpAddress.ps1
Created August 23, 2019 18:55
Test if an IP address is part of the Office 365 endpoints
[CmdletBinding()]
param (
# IP Address to check against Office 365 Range
[Parameter(Mandatory = $true,
ValueFromPipeline = $true,
Position = 0)]
$IPAddress,
# Port to check
[Parameter(Mandatory = $false,
@f-bader
f-bader / ARMClient.exe.config
Last active July 30, 2018 11:32
Proxy, proxy on the wall
<configuration>
<system.net>
<defaultProxy>
<proxy usesystemdefault="false" autoDetect="false" proxyaddress="http://myproxy.local.bader.cloud:3128" bypassonlocal="true"/>
<bypasslist>
<add address="[a-z]+\.local\.bader\.cloud$" />
</bypasslist>
</defaultProxy>
</system.net>
</configuration>
@f-bader
f-bader / Enable-OpenSSHServer.ps1
Created May 3, 2018 17:49
Enable OpenSSH Server on Windows 1709+
# Install the OpenSSH Server capability
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Start the service
Start-Service sshd
# Set the startup type to "Automatic"
Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic
USE [DATENBANK]
SELECT
[UserName] = CASE princ.[type]
WHEN 'S' THEN princ.[name]
WHEN 'U' THEN ulogin.[name] COLLATE Latin1_General_CI_AI
END,
[UserType] = CASE princ.[type]
WHEN 'S' THEN 'SQL User'
WHEN 'U' THEN 'Windows User'
END,
@f-bader
f-bader / InviteAzureUser.ps1
Created January 29, 2018 15:10
Create invite URL for Azure B2B
# Use Azure AD Username
$User = "AzureUsername"
$TargetTenant = "TargetTenant"
# Login
$Cred = Get-Credential
Connect-AzureAD -Credential $cred
# Generate Invitation, but do not send
$Invitation = New-AzureADMSInvitation -InvitedUserEmailAddress $User -InvitedUserDisplayName $User -InviteRedirectUrl "https://portal.azure.com/$($TargetTenant)" -SendInvitationMessage $false
# Copy redeem URL to clipboard
$Invitation | Select-Object -ExpandProperty InviteRedeemUrl | clip
@f-bader
f-bader / Get-MyAzureRmAutomationHybridWorkerGroup.ps1
Created January 29, 2018 08:45
Select all Hybrid Workers within the same Hybrid Worker Group as the current computer
$ComputerSystem = (Get-CimInstance Win32_ComputerSystem)
$FqDn = "$($ComputerSystem.Name).$($ComputerSystem.Domain)"
$HybridWorkerGroup = Get-AzureRmAutomationAccount | Get-AzureRMAutomationHybridWorkerGroup | Where-Object { $FqDn -in $_.RunbookWorker.Name }
$HybridWorkerGroup.RunbookWorker.Name