
lansalot / Get-ActiveWindowProcessID.ps1
Created January 24, 2019 23:26
Find the active window process owner
Add-Type @"
using System;
using System.Runtime.InteropServices;
public static class Win32Api
{
[System.Runtime.InteropServices.DllImportAttribute( "User32.dll", EntryPoint = "GetWindowThreadProcessId" )]
public static extern int GetWindowThreadProcessId ( [System.Runtime.InteropServices.InAttribute()] System.IntPtr hWnd, out int lpdwProcessId );
[System.Runtime.InteropServices.DllImportAttribute( "User32.dll", EntryPoint = "GetForegroundWindow" )]
public static extern IntPtr GetForegroundWindow();
}
lansalot / Get-GPOWithoutUnauthenticatedUsers.ps1
Created January 16, 2020 09:38
Find all group policies without Authenticated Users permissions
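# List every GPO that has no permission entry at all for Authenticated Users
# (well-known SID S-1-5-11).
#
# What is actually tested: whether S-1-5-11 appears among the trustees returned
# by Get-GPPermission -All. This is a presence check, not a check for Read
# specifically - a GPO where Authenticated Users is listed with any permission
# level passes, and a GPO whose read access was deliberately moved to Domain
# Computers (the alternative commonly used after MS16-072) is still reported.
# Review the output with that in mind rather than treating every hit as broken.
Get-GPO -All | ForEach-Object {
    if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
        $_
    }
} | Select-Object -Property DisplayName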
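# Create a self-signed code-signing certificate in the current user's personal store.
#
# Intended for test/dev signing only: the import into Cert:\CurrentUser\Root below
# makes this certificate a trusted root for the current user profile, so anything
# signed with its private key (which stays in Cert:\CurrentUser\My) is trusted by
# that user. Keep the key on the test machine and remove both store entries when done.
$cert = New-SelfSignedCertificate -DnsName contoso.com -Type CodeSigning -CertStoreLocation Cert:\CurrentUser\My

# Signing with it straight away fails with UnknownError because the certificate
# does not chain to anything in the trusted Root store. Export the public part
# (Export-Certificate writes the certificate only, no private key) and import it
# into CurrentUser\Root. The export goes to a per-certificate temp file instead of
# exported_cert.cer in the working directory, and is removed afterwards.
$certFile = Join-Path $env:TEMP "selfsigned_$($cert.Thumbprint).cer"
try {
    Export-Certificate -FilePath $certFile -Cert $cert
    Import-Certificate -FilePath $certFile -CertStoreLocation Cert:\CurrentUser\Root
} finally {
    # Best-effort cleanup: the file may not exist if Export-Certificate failed.
    Remove-Item -LiteralPath $certFile -ErrorAction SilentlyContinue
}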
[OutputType("PSAzureOperationResponse")]
$LogAnalyticsWorkspaceId = "<as it sounds>"
$LogAnalyticsPrimaryKey = "<primary key>"
$HostPool = "<name of host pool>"
$RGName = "<resource group host pool is in>"
$connection = Get-AutomationConnection -Name AzureRunAsConnection
[void](Connect-AzAccount `
-ServicePrincipal `
lansalot / Convert String to ASCII array
Created October 1, 2020 14:51
Find a filename with a bad character in it
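# Dump the raw UTF-8 bytes of a file's name so non-printable characters show up
# as numbers (here the culprit was 127). Get-ChildItem -LiteralPath is used
# instead of the 'dir' alias so that characters like '[' or '*' in a bad name
# are not treated as wildcards.
[System.Text.Encoding]::UTF8.GetBytes( ((Get-ChildItem -LiteralPath badfilename.txt).Name) )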
That showed me the bad filenames had char(127) in them
So dir c:\pathwithbadfiles -recurse -ea silentlycontinue | Where-Object { $_.Name.ToCharArray() -eq 127}
function Get-TSSessions {
$qwinsta = (query user) -replace "IDLE TIME","IDLETIME" -replace "LOGON TIME","LOGONTIME"
$csv = $qwinsta | ForEach-Object {
$_.Trim() -replace "\s+",","
} | ConvertFrom-Csv
ForEach ($obj in $csv) {
If ($obj.id -eq 'Disc') {
$obj.logonTime = $obj.IdleTime
$obj.IdleTime = $obj.State
$obj.State = $obj.id
# https://www.theregister.com/2020/12/07/microsoft_teams_rce_flaw/
# https://github.com/oskarsve/ms-teams-rce
# The vulnerable version number is taken from the repo above; I'm assuming that is the latest version on which this flaw exists
# Output format is for limitations in our MSP software
# username:version (shows what version user is running, for every user running Teams at time of scan)
# RunMin = Lowest version found running
# RunMax = Highest version found running
# InstalledVersions = What versions are registered in add/remove programs
# and if the installed version is vulnerable but the versions users are actually running have been updated, report that the situation is OK
# updated to version 30290 instead of 21759, as the author found that some of the vulnerabilities had apparently been addressed in late October
lansalot / Reinstall-WVDClient.ps1
Created January 7, 2021 15:32
Automate the uninstall of WVD client as SYSTEM, and re-install as USER. Use with your MSP tool of choice
# First, go grab some pre-requisites
# https://github.com/KelvinTegelaar/RunAsUser
# https://github.com/Windos/BurntToast
# Unzip them and re-zip without the folder name at the top. While RunAsUser is fine, BurntToast carries extra weight we can do without
# For BurntToast, you only need the actual BurntToast folder itself (no need for Examples, AzurePipelines etc)
# In my case, I stashed them on a company server so I could guarantee the location would be available and at the code revision I expected
#region RunAsSystemBeforeUser
# Stuff to run as SYSTEM before the user stuff kicks in goes here:
# Snapshot of every service on this host. Presumably consumed by the service
# checks further down (their code is outside this view) - confirm before changing
# the object type, e.g. by switching to Get-CimInstance.
$Services = Get-WMIObject -Class Win32_Service
# Findings accumulated at script scope so that helper functions (such as
# Check-ACL below) can add to it rather than returning values - assumed, verify.
$Script:Out = @()
# Script-scoped flag; looks like it is set when an ACL grants Full/Write/Modify
# to a broad group (see the checks in Check-ACL) - confirm where it is reset.
$Script:isWriteable = $False
Function Check-ACL ($Service, $ACLs, $Type, $Label) {
ForEach ($ACL in $ACLs.Access) {
# if (('NT AUTHORITY\SYSTEM','NT AUTHORITY\IUSR','BUILTIN\Administrators','NT SERVICE\TrustedInstaller','CREATOR OWNER','NT AUTHORITY\LOCAL SERVICE','NT AUTHORITY\NETWORK SERVICE') -notcontains $ACL.IdentityReference) {
if (('BUILTIN\Users','Everyone','DOMAIN\Domain Users') -contains $ACL.IdentityReference) {
# Not the usual suspects.. does anyone have full, write or modify access?
if ($ACL.FileSystemRights -match [System.Security.AccessControl.FileSystemRights]::FullControl -or `
$ACL.FileSystemRights -match [System.Security.AccessControl.FileSystemRights]::Write -or `
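# Remediation helper for unquoted service binary paths.
#
# For each server/service pair in the CSV, read the current BINARY_PATH_NAME via
# 'sc qc' and print the 'sc config' command that would wrap the executable in
# quotes. Nothing is changed here: the printed commands are meant to be reviewed
# and run separately.
#
# Input:  .\unquotedservers.txt, '!'-delimited, columns Server and ServiceName.
# Output: per service, the matched BINARY_PATH_NAME line, the proposed command,
#         and a blank line. Services that cannot be queried, are already quoted,
#         or have no .exe in the path are reported with Write-Warning and skipped.
$servers = Import-Csv -Path .\unquotedservers.txt -Delimiter "!"
ForEach ($server in $servers) {
    Write-Progress "Checking $($server.Server) and `"$($server.ServiceName)`""
    $st = sc.exe \\$($server.Server) qc "$($server.ServiceName)" | Select-String BINARY_PATH
    # sc.exe reports failures (RPC unavailable, access denied, unknown service)
    # as an error message rather than a config dump, so there is no match here.
    # Skip instead of letting .Line on $null abort the whole run.
    if (-not $st) {
        Write-Warning "No BINARY_PATH_NAME returned for $($server.Server)\$($server.ServiceName); skipping"
        continue
    }
    $line = @($st)[0].Line
    # The path starts two characters after the first ':' ("BINARY_PATH_NAME   : C:\...").
    $path = $line.Substring($line.IndexOf(":") + 2).TrimEnd()
    # A path that already starts with a quote is not vulnerable, and re-quoting it
    # would produce a broken binpath.
    if ($path.StartsWith('"')) {
        Write-Warning "$($server.Server)\$($server.ServiceName) is already quoted; skipping"
        continue
    }
    # Case-insensitive search: a path registered as .EXE would otherwise give a
    # negative substring length and throw.
    $exeEnd = $path.IndexOf(".exe", [System.StringComparison]::OrdinalIgnoreCase)
    if ($exeEnd -lt 0) {
        Write-Warning "No .exe found in '$path' for $($server.Server)\$($server.ServiceName); skipping"
        continue
    }
    $exeEnd += 4
    $exe = $path.Substring(0, $exeEnd)
    # Keep anything after the executable (service arguments). Dropping it would
    # leave the service unable to start once the new binpath is applied.
    $svcArgs = $path.Substring($exeEnd)
    $st
    # Backslash-escaped quotes so that sc.exe stores the quotes as part of the path.
    $fixed = "`"`\`"$exe\`"$svcArgs`""
    "sc.exe \\$($server.Server) config `"$($server.ServiceName)`" binpath= $fixed"
    ""
}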