Trevor Bryant trevorbryant

🤘
View GitHub Profile
### Keybase proof
I hereby claim:
* I am trevorbryant on github.
* I am trevorbryant (https://keybase.io/trevorbryant) on keybase.
* I have a public key ASBLUMBhLtBsA6Rl62X09nNiSTRjMkCTWympa7fjxUXXqgo
To claim this, I am signing this object:
@trevorbryant
trevorbryant / Discover-LocalAdmins.ps1
Created November 7, 2018 17:46
This script uses an ADSI query against Active Directory to discover users nested under your Local Administrators group
# Run on local Microsoft Windows endpoint and find all objects with Local Administrator rights
$ErrorActionPreference="SilentlyContinue"
#Credit to Sean Metcalf for this bit
$ADForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ADForestInfoRootDomain = $ADForestInfo.RootDomain
$ADForestInfoRootDomainDN = "DC=" + $ADForestInfoRootDomain -Replace("\.",',DC=')
$ADDomainLDAPDN = 'GC://' + $ADForestInfoRootDomainDN
$root = [ADSI]$ADDomainLDAPDN
trevorbryant / Get-LocalGroupMembers.ps1
Created November 7, 2018 17:50
Query local group objects to find member objects
# Get-LocalGroupMembers.ps1
# Set variables
$Results = @()
$ComputerName = [ADSI]("WinNT://$env:COMPUTERNAME,computer")
# Select only the local objects whose schema class is "group"
$LocalGroups = $ComputerName.psbase.Children | Where-Object {
    $_.psbase.schemaclassname -Eq "group"
}
trevorbryant / Find-NetShares.ps1
Created November 7, 2018 18:22
Quick and ghetto way to enumerate open shares on a target Windows host
param(
    [array] $Target
)
# Iterate over every target host and list its shares with net view
foreach ($TargetShares in $Target) {
    (net view \\$TargetShares) | ForEach-Object {
trevorbryant / Get-ADGroupEnum.ps1
Created November 7, 2018 19:04
Enumerate member objects of target Active Directory group
$Users = @()
$Export = @()
$RecursiveUsers = @()
$AdminGroups = $args
# Each group name passed on the command line is enumerated in turn
ForEach ($Group in $args) {
    Get-ADGroupMember "$Group" -ErrorAction SilentlyContinue | ForEach-Object {
        $Export = New-Object -TypeName PSObject
trevorbryant / Get-StaleADUserAccounts.ps1
Created November 14, 2018 15:15
Dirty PowerShell audit script to query for account-management non-compliance with FISMA (loosely)
# Super duper dumb PS script to query ActiveDirectory for misconfigured User accounts.
# Created by Trevor Bryant (@apporima)
# Get-StaleADUserAccounts.ps1 version 1.0.0
# Set variables
$timestamp = (Get-Date -f HHmmss_MMddyyyy)
$ADDomainInfo = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$ADDomainInfoMode = $ADDomainInfo.DomainMode
$ADDomainInfoName = $ADDomainInfo.Name
$Export = "C:\temp\AD_Audit\Stale_AD_User_Account_Audit_$ADDomainInfoName`_$timestamp.csv"
trevorbryant / Windows Event Collection - Logon Activities
Created November 14, 2018 15:41
Splunk dashboard for Windows Event Collection - Logon Activities
<form>
  <label>Windows Event Collection - Logon Activities</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="username" searchWhenChanged="true">
      <label>Username</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="sid" searchWhenChanged="true">
      <label>Security ID</label>
trevorbryant / Windows Event Collection - Offensive PowerShell
Created November 14, 2018 15:46
Splunk dashboard for Windows Event Collection - Offensive PowerShell
<form>
  <label>Windows Event Collection - Offensive PowerShell</label>
  <description>Detect Offensive PowerShell Attacks. Not every result is offensive; requires verification</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
trevorbryant / Windows Event Collection - Pass The Hash
Created November 14, 2018 15:48
Splunk dashboard for Windows Event Collection - Pass The Hash
<form>
  <label>Windows Event Collection - Pass The Hash</label>
  <description>Filtered search for Pass The Hash</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="computername" searchWhenChanged="true">
      <label>Computer Name (FQDN)</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="workstationname" searchWhenChanged="true">