Trevor Bryant trevorbryant

## Windows Event Collection - Service Control: Start
<form>
  <label>Windows Event Collection - Service Control: Start</label>
  <description>Filtered search to discover started services</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="computername" searchWhenChanged="true">
      <label>Computer Name (FQDN)</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="servicename" searchWhenChanged="true">

## Windows Event Collection - Service Control
<form>
  <label>Windows Event Collection - Service Control Installed</label>
  <description>Filtered search to discover installed services</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="computername" searchWhenChanged="true">
      <label>Computer Name (FQDN)</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="servicename" searchWhenChanged="true">

## Windows Event Collection - Sensitive Local Groups
<form>
  <label>Windows Event Collection - Sensitive Local Groups</label>
  <description>Filtered search for modification of sensitive local groups.</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>

## Windows Event Collection - Process Creation
<form>
  <label>Windows Event Collection - Process Creation</label>
  <description>Filtered search to discover new processes</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="computername" searchWhenChanged="true">
      <label>Computer Name (FQDN)</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="processname" searchWhenChanged="true">

## Windows Event Collection - Primary User Logons
<form>
  <label>Windows Event Collection - Primary User Logons</label>
  <description>Filtered search for identifying non-administrative log on to servers.</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="computername" searchWhenChanged="true">
      <label>Computer Name (FQDN)</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="workstationname" searchWhenChanged="true">

## Windows Event Collection - Pass The Hash
<form>
  <label>Windows Event Collection - Pass The Hash</label>
  <description>Filtered search for Pass The hash</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="computername" searchWhenChanged="true">
      <label>Computer Name (FQDN)</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="workstationname" searchWhenChanged="true">

## Windows Event Collection - Offensive PowerShell
<form>
  <label>Windows Event Collection - Offensive PowerShell</label>
  <description>Detect Offensive PowerShell Attacks. Not every result is offensive; requires verification</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>

## Windows Event Collection - Logon Activities
<form>
  <label>Windows Event Collection - Logon Activities</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="username" searchWhenChanged="true">
      <label>Username</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="sid" searchWhenChanged="true">
      <label>Security ID</label>

## Get-StaleADUserAccounts.ps1
# Super duper dumb PS script to query ActiveDirectory for misconfigured User accounts.
# Created by Trevor Bryant (@apporima)
# Get-StaleADUserAccounts.ps1 version 1.0.0

# Set variables
$timestamp = (Get-Date -f HHmmss_MMddyyyy)
$ADDomainInfo = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$ADDomainInfoMode = $ADDomainInfo.DomainMode
$ADDomainInfoName = $ADDomainInfo.Name
$Export = "C:\temp\AD_Audit\Stale_AD_User_Account_Audit_$ADDomainInfoName`_$timestamp.csv"

## Get-ADGroupEnum.ps1
$Users = @()
$Export = @()
$RecursiveUsers = @()

$AdminGroups = $args
ForEach ($Group in $args) {

    Get-ADGroupMember "$Group" -ErrorAction SilentlyContinue | ForEach-Object {

    $Export = New-Object -TypeName PSObject
	<form>
	<label>Windows Event Collection - Service Control: Start</label>
	<description>Filtered search to discover started services</description>
	<fieldset submitButton="false" autoRun="true">
	<input type="text" token="computername" searchWhenChanged="true">
	<label>Computer Name (FQDN)</label>
	<default>*</default>
	<initialValue>*</initialValue>
	</input>
	<input type="text" token="servicename" searchWhenChanged="true">
	<form>
	<label>Windows Event Collection - Sensitive Local Groups</label>
	<description>Filtered search for modification of sensitive local groups.</description>
	<fieldset submitButton="false" autoRun="true">
	<input type="time" token="time" searchWhenChanged="true">
	<label>Time Range</label>
	<default>
	<earliest>-24h@h</earliest>
	<latest>now</latest>
	</default>
	<form>
	<label>Windows Event Collection - Process Creation</label>
	<description>Filtered search to discover new processes</description>
	<fieldset submitButton="false" autoRun="true">
	<input type="text" token="computername" searchWhenChanged="true">
	<label>Computer Name (FQDN)</label>
	<default>*</default>
	<initialValue>*</initialValue>
	</input>
	<input type="text" token="processname" searchWhenChanged="true">
	<form>
	<label>Windows Event Collection - Primary User Logons</label>
	<description>Filtered search for identifying non-administrative log on to servers.</description>
	<fieldset submitButton="false" autoRun="true">
	<input type="text" token="computername" searchWhenChanged="true">
	<label>Computer Name (FQDN)</label>
	<default>*</default>
	<initialValue>*</initialValue>
	</input>
	<input type="text" token="workstationname" searchWhenChanged="true">
	<form>
	<label>Windows Event Collection - Pass The Hash</label>
	<description>Filtered search for Pass The hash</description>
	<fieldset submitButton="false" autoRun="true">
	<input type="text" token="computername" searchWhenChanged="true">
	<label>Computer Name (FQDN)</label>
	<default>*</default>
	<initialValue>*</initialValue>
	</input>
	<input type="text" token="workstationname" searchWhenChanged="true">
	<form>
	<label>Windows Event Collection - Offensive PowerShell</label>
	<description>Detect Offensive PowerShell Attacks. Not every result is offensive; requires verification</description>
	<fieldset submitButton="false" autoRun="true">
	<input type="time" token="time" searchWhenChanged="true">
	<label>Time Range</label>
	<default>
	<earliest>-24h@h</earliest>
	<latest>now</latest>
	</default>
	<form>
	<label>Windows Event Collection - Logon Activities</label>
	<fieldset submitButton="false" autoRun="true">
	<input type="text" token="username" searchWhenChanged="true">
	<label>Username</label>
	<default>*</default>
	<initialValue>*</initialValue>
	</input>
	<input type="text" token="sid" searchWhenChanged="true">
	<label>Security ID</label>
	# Super duper dumb PS script to query ActiveDirectory for misconfigured User accounts.
	# Created by Trevor Bryant (@apporima)
	# Get-StaleADUserAccounts.ps1 version 1.0.0

	# Set variables
	$timestamp = (Get-Date -f HHmmss_MMddyyyy)
	$ADDomainInfo = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
	$ADDomainInfoMode = $ADDomainInfo.DomainMode
	$ADDomainInfoName = $ADDomainInfo.Name
	$Export = "C:\temp\AD_Audit\Stale_AD_User_Account_Audit_$ADDomainInfoName`_$timestamp.csv"
	$Users = @()
	$Export = @()
	$RecursiveUsers = @()

	$AdminGroups = $args
	ForEach ($Group in $args) {

	Get-ADGroupMember "$Group" -ErrorAction SilentlyContinue \| ForEach-Object {

	$Export = New-Object -TypeName PSObject