@lansalot
lansalot / Scan-Events.ps1
Created August 25, 2021 12:15
Scan all DCs looking for a logon/logoff/lockout event
<#
.SYNOPSIS
Scan-Lockouts
Go round the DCs looking for account activity
.PARAMETER Minutes
How many minutes to look back over (default 15)
.PARAMETER AccountName
Account to search for
.PARAMETER Event
One of either Logon, LogOff, or Lockout
If ((gwmi win32_operatingsystem).producttype -gt 1) {
Write-Host "Workstations only. No deal" -Foreground red
exit
}
Set-Location $PSScriptRoot
If (-Not (Test-Path c:\de)) {
mkdir c:\de -force
}
Clear-Host
Start-Transcript c:\de\autohash.log
$servers = import-csv .\unquotedservers.txt -Delimiter "!" # what was I doing here? meh...
ForEach ($Server in $Servers) {
Write-Progress "Checking $($Server.Server) and `"$($server.servicename)`""
$st = sc.exe \\$($server.Server) qc "$($server.servicename)" | select-string BINARY_PATH
$exe = $st.line.substring($st.line.indexof(":") + 2 ,$st.line.indexof(".exe") - $st.line.indexof(":") + 2)
$st
$fixed = "`"`\`"$exe\`"`""
"sc.exe \\$($server.server) config `"$($server.servicename)`" binpath= $fixed"
""
}
$Services = Get-WMIObject -Class Win32_Service
$Script:Out = @()
$Script:isWriteable = $False
Function Check-ACL ($Service, $ACLs, $Type, $Label) {
ForEach ($ACL in $ACLs.Access) {
# if (('NT AUTHORITY\SYSTEM','NT AUTHORITY\IUSR','BUILTIN\Administrators','NT SERVICE\TrustedInstaller','CREATOR OWNER','NT AUTHORITY\LOCAL SERVICE','NT AUTHORITY\NETWORK SERVICE') -notcontains $ACL.IdentityReference) {
if (('BUILTIN\Users','Everyone','DOMAIN\Domain Users') -contains $ACL.IdentityReference) {
# Not the usual suspects.. does anyone have full, write or modify access?
if ($ACL.FileSystemRights -match [System.Security.AccessControl.FileSystemRights]::FullControl -or `
$ACL.FileSystemRights -match [System.Security.AccessControl.FileSystemRights]::Write -or `
lansalot / Reinstall-WVDClient.ps1
Created January 7, 2021 15:32
Automate the uninstall of WVD client as SYSTEM, and re-install as USER. Use with your MSP tool of choice
# First, go grab some pre-requisites
# https://github.com/KelvinTegelaar/RunAsUser
# https://github.com/Windos/BurntToast
# Unzip them and re-zip without the folder name at the top. While RunAsUser is fine, BurntToast carries extra weight we can do without
# For BurntToast, you only need the actual BurntToast folder itself (no need for Examples, AzurePipelines etc)
# In my case, I stashed them on a company server so I could guarantee the location would be available and at the code revision I expected
#region RunAsSystemBeforeUser
# Stuff to run as SYSTEM before the user stuff kicks in goes here:
# https://www.theregister.com/2020/12/07/microsoft_teams_rce_flaw/
# https://github.com/oskarsve/ms-teams-rce
# Taking the vulnerable version from the above repo. I'm hoping that's the latest version this flaw exists on
# Output format is for limitations in our MSP software
# username:version (shows what version user is running, for every user running Teams at time of scan)
# RunMin = Lowest version found running
# RunMax = Highest version found running
# InstalledVersions = What versions are registered in add/remove programs
# and if the installed version is vulnerable, but user versions have updated, let us know situation is actually OK
# updated to version 30290 instead of 21759 as author found that some of the vulns had been updated late October apparently
function Get-TSSessions {
$qwinsta = (query user) -replace "IDLE TIME","IDLETIME" -replace "LOGON TIME","LOGONTIME"
$csv = $qwinsta | ForEach-Object {
$_.Trim() -replace "\s+",","
} | ConvertFrom-Csv
ForEach ($obj in $csv) {
If ($obj.id -eq 'Disc') {
$obj.logonTime = $obj.IdleTime
$obj.IdleTime = $obj.State
$obj.State = $obj.id
lansalot / Convert String to ASCII array
Created October 1, 2020 14:51
Find a filename with a bad character in it
[System.Text.Encoding]::UTF8.GetBytes( ((dir badfilename.txt).Name))
That showed me the bad filenames had char(127) in them
So dir c:\pathwithbadfiles -recurse -ea silentlycontinue | Where-Object { $_.Name.ToCharArray() -eq 127}
[OutputType("PSAzureOperationResponse")]
$LogAnalyticsWorkspaceId = "<as it sounds>"
$LogAnalyticsPrimaryKey = "<primary key>"
$HostPool = "<name of host pool>"
$RGName = "<resource group host pool is in>"
$connection = Get-AutomationConnection -Name AzureRunAsConnection
[void](Connect-AzAccount `
-ServicePrincipal `
$cert = New-SelfSignedCertificate -DnsName contoso.com -Type CodeSigning -CertStoreLocation Cert:\CurrentUser\My
# But if you try to sign, you'll get UnknownError because it's not in the trusted Root store. So do this to get it there
Export-Certificate -FilePath exported_cert.cer -Cert $cert
Import-Certificate -FilePath exported_cert.cer -CertStoreLocation Cert:\CurrentUser\Root