Learn Windows PowerShell in a Month of Lunches - Don Jones
Best Practices for Script Design - Don Jones
PowerShell Toolmaking (1 of 3) - Don Jones
# Map HKEY_USERS as a drive so every loaded user hive can be walked; errors (e.g. drive already exists) are discarded
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue 2>&1>$null
# One UserChoice key per loaded user hive; the SID is the second path segment (after "HKU:")
Resolve-Path -Path HKU:\*\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice | ForEach-Object {
    $TheComputerName = $env:COMPUTERNAME
    $TheUserSID = $_.Path.Split('\')[1]
    $TheUserDefaultBrowser = $_ | Get-ItemPropertyValue -Name ProgId
    [pscustomobject][ordered]@{
        ComputerName   = $TheComputerName
        UserSID        = $TheUserSID
        DefaultBrowser = $TheUserDefaultBrowser
    }
}
These examples assume you're using my Get-TenablePluginOutput PowerShell function. You can load it from the web here:
$Content = Invoke-WebRequest -Uri https://gist.githubusercontent.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
. ([scriptblock]::Create($Content))
Also assumes you've already set your working directory to one with some .nessus files in it. ;-)
RecommendationNumber | CISv7SubControl
---|---
18.9.102.1.2 | 2.4
18.9.16.4 | 2.6
18.9.102.1.1 | 2.6
18.8.22.1.2 | 2.7
18.9.45.14 | 2.7
18.8.4.1 | 3.4
18.9.17.1 | 3.4
18.9.102.2 | 3.4
18.9.102.3 | 3.4
# Force TLS 1.2 for the download; older .NET defaults may negotiate SSL3/TLS1.0 and fail against modern hosts
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$wc = New-Object System.Net.WebClient
if (!(Test-Path "C:\Tools")) {
    New-Item -Path "C:\" -Name "Tools" -ItemType "directory"
}
# SYSMON
# Download Sysmon
$SysmonDirectory = "C:\Tools\Sysmon\"
Get-TenablePluginOutput -PluginID $PluginID | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    # Plugin output is a series of blank-line-separated blocks; keep only the blocks matching the regex
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -cmatch '<Block matching regex>' } | ForEach-Object {
        $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
        $EachOne = @{}
        # Each line in a block is "Key : Value"; split on the " : " separator
        $Lines | ForEach-Object {
            $Key = ($_ -split '\s:\s')[0].Trim()
            $Value = ($_ -split '\s:\s')[-1].Trim()
            $EachOne.Add($Key,$Value)
        }
        # Emit one object per block, tagged with the host it came from
        $EachOne.Add('IpAddress',$IpAddress)
        $EachOne.Add('NetBiosName',$NetBiosName)
        [pscustomobject]$EachOne
    }
}
$ApiId = '<API ID>'
$Secret = '<API SECRET>'
# HTTP Basic auth header: base64("<API ID>:<API SECRET>")
$AsciiBytes = [System.Text.Encoding]::ASCII.GetBytes("$ApiId`:$Secret")
$Base64String = [convert]::ToBase64String($AsciiBytes)
$Authorization = "Basic $Base64String"
$Header = @{Authorization = $Authorization}
$Query = 'autonomous_system.asn: 1798 OR 443.https.tls.certificate.parsed.names: (oregon.gov OR state.or.us)'
$Body = @"
{
    "query":"$Query",
whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1 |