```powershell
<#
.SYNOPSIS
Scan-Lockouts
Go round the DCs looking for account activity
.PARAMETER Minutes
How many minutes to look back over (default 15)
.PARAMETER AccountName
Account to search for
.PARAMETER Event
One of either Logon, LogOff, or Lockout
#>
```
```powershell
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
If ((gwmi win32_operatingsystem).producttype -gt 1) {
    Write-Host "Workstations only. No deal" -ForegroundColor red
    exit
}
Set-Location $PSScriptRoot
# Working folder for the transcript (pair Start-Transcript with Stop-Transcript when the script finishes)
If (-Not (Test-Path c:\de)) {
    mkdir c:\de -force
}
Clear-Host
Start-Transcript c:\de\autohash.log
```
```powershell
# Input file is "!"-delimited, one row per service; the column names Server and ServiceName are inferred from the fields used below
$servers = import-csv .\unquotedservers.txt -Delimiter "!" # what was I doing here? meh...
ForEach ($Server in $Servers) {
    Write-Progress "Checking $($Server.Server) and `"$($server.servicename)`""
    # Pull the BINARY_PATH_NAME line from the remote service's configuration
    $st = sc.exe \\$($server.Server) qc "$($server.servicename)" | select-string BINARY_PATH
    # Everything after "BINARY_PATH_NAME   : " up to and including ".exe"; any arguments following the .exe are dropped
    $exe = $st.line.substring($st.line.indexof(":") + 2 ,$st.line.indexof(".exe") - $st.line.indexof(":") + 2)
    $st
    # Wrap the path in escaped quotes so sc.exe stores it quoted: "\"C:\path\svc.exe\""
    $fixed = "`"`\`"$exe\`"`""
    # Emits the fix command for review rather than running it
    "sc.exe \\$($server.server) config `"$($server.servicename)`" binpath= $fixed"
    ""
}
```
```powershell
$Services = Get-WMIObject -Class Win32_Service
$Script:Out = @()
$Script:isWriteable = $False
# Flags ACEs that give low-privilege principals write access to a service binary or its folder. 'DOMAIN\Domain Users' is a placeholder for the real domain NetBIOS name.
Function Check-ACL ($Service, $ACLs, $Type, $Label) {
    ForEach ($ACL in $ACLs.Access) {
        # if (('NT AUTHORITY\SYSTEM','NT AUTHORITY\IUSR','BUILTIN\Administrators','NT SERVICE\TrustedInstaller','CREATOR OWNER','NT AUTHORITY\LOCAL SERVICE','NT AUTHORITY\NETWORK SERVICE') -notcontains $ACL.IdentityReference) {
        # Only Allow ACEs count; a Deny ACE carrying write bits is not a finding
        if (('BUILTIN\Users','Everyone','DOMAIN\Domain Users') -contains $ACL.IdentityReference -and $ACL.AccessControlType -eq 'Allow') {
            # Not the usual suspects.. does anyone have full, write or modify access?
            # -band tests the flag bits (the original -match on the enum's string form also hit WriteAttributes etc.); Write's bits are a subset of Modify and of FullControl, so this one test covers all three
            $Write = [System.Security.AccessControl.FileSystemRights]::Write
            if (($ACL.FileSystemRights -band $Write) -eq $Write) {
                # Body reconstructed; the gist preview ends at the condition above
                $Script:isWriteable = $True
                $Script:Out += [PSCustomObject]@{ Service = $Service.Name; Type = $Type; Label = $Label; Identity = $ACL.IdentityReference; Rights = $ACL.FileSystemRights }
            }
        }
    }
}
```
```powershell
# First, go grab some prerequisites
# https://github.com/KelvinTegelaar/RunAsUser
# https://github.com/Windos/BurntToast
# Unzip them and re-zip without the folder name at the top. While RunAsUser is fine, BurntToast carries extra weight we can do without
# For BurntToast, you only need the actual BurntToast folder itself (no need for Examples, AzurePipelines etc)
# In my case, I stashed them on a company server so I could guarantee the location would be available and at the code revision I expected
#region RunAsSystemBeforeUser
# Stuff to run as SYSTEM before the user stuff kicks in goes here:
```
```powershell
# https://www.theregister.com/2020/12/07/microsoft_teams_rce_flaw/
# https://github.com/oskarsve/ms-teams-rce
# Taking the vulnerable version from the above repo. I'm hoping that's the latest version this flaw exists on
# Output format is for limitations in our MSP software
# username:version (shows what version the user is running, for every user running Teams at time of scan)
# RunMin = Lowest version found running
# RunMax = Highest version found running
# InstalledVersions = What versions are registered in Add/Remove Programs
# If the installed version is vulnerable but the users' running versions have updated, report that the situation is actually OK
# Updated to version 30290 instead of 21759, as the author found that some of the vulns had been updated in late October, apparently
```
```powershell
function Get-TSSessions {
    # query user prints a fixed-width table; join the two-word headers so a whitespace split keeps one field per column
    $qwinsta = (query user) -replace "IDLE TIME","IDLETIME" -replace "LOGON TIME","LOGONTIME"
    $csv = $qwinsta | ForEach-Object {
        $_.Trim() -replace "\s+",","
    } | ConvertFrom-Csv
    # Caveats: the logon time contains spaces, so only its date part lands in LOGONTIME, and the current session's USERNAME keeps its leading ">"
    ForEach ($obj in $csv) {
        # Disconnected sessions have no SESSIONNAME, so every field after USERNAME lands one column to the left; shift them back
        If ($obj.id -eq 'Disc') {
            $obj.logonTime = $obj.IdleTime
            $obj.IdleTime = $obj.State
            $obj.State = $obj.id
            $obj.Id = $obj.SessionName   # this and the next line are reconstructed; the gist preview ends above
            $obj.SessionName = ''
        }
    }
    $csv
}
```
```powershell
# Dump the raw bytes of a suspect filename to see what the odd character is
[System.Text.Encoding]::UTF8.GetBytes( ((dir badfilename.txt).Name))
```

That showed me the bad filenames had char(127) in them

So:

```powershell
# Find every file under the path whose name contains char 127 (DEL);
# -eq against a char array filters to the matching chars, so a non-empty result is truthy
dir c:\pathwithbadfiles -recurse -ea silentlycontinue | Where-Object { $_.Name.ToCharArray() -eq 127 }
```
```powershell
[OutputType("PSAzureOperationResponse")]
param()   # an attribute at script scope must be followed by param(), otherwise the script fails to parse
$LogAnalyticsWorkspaceId = "<as it sounds>"
$LogAnalyticsPrimaryKey = "<primary key>"   # better held as an encrypted Automation variable and read with Get-AutomationVariable than hard-coded here
$HostPool = "<name of host pool>"
$RGName = "<resource group host pool is in>"
# Sign in with the Automation account's Run As service principal (certificate-based)
$connection = Get-AutomationConnection -Name AzureRunAsConnection
[void](Connect-AzAccount `
    -ServicePrincipal `
    -Tenant $connection.TenantId `
    -ApplicationId $connection.ApplicationId `
    -CertificateThumbprint $connection.CertificateThumbprint)   # last three parameters reconstructed from the standard Run As connection fields; the gist preview ends after -ServicePrincipal
```
```powershell
# Self-signed code-signing cert in the current user's personal store; the -DnsName value just becomes the subject
$cert = New-SelfSignedCertificate -DnsName contoso.com -Type CodeSigning -CertStoreLocation Cert:\CurrentUser\My
# But if you try to sign, you'll get UnknownError because it's not in the trusted Root store. So do this to get it there
Export-Certificate -FilePath exported_cert.cer -Cert $cert
# Importing into CurrentUser\Root makes this cert, and anything it signs, trusted for this user only; Windows prompts before installing a new root
Import-Certificate -FilePath exported_cert.cer -CertStoreLocation Cert:\CurrentUser\Root
```