After I started to use Wazuh, around June 2022, I came across many pain points. Here, I recorded and grouped some of them together. There is no specific order, neither alphabetical nor by importance.
zbalkan
/ New-SysmonArchiveQuota.ps1
Last active
January 22, 2024 10:59
If you use Sysmon and enabled FileDelete events started with Sysmon 11, you probably came up with the issue of instantly growing hidden archive. For those who have not solved the problem yet, I came up with a PowerShell cmdlet (run as SYSTEM) based on the article https://blog.nviso.eu/2022/06/30/enforcing-a-sysmon-archive-quota/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -RunAsAdministrator | |
| <# | |
| .Synopsis | |
| Generates Sysmon Archive file quota for `File Delete` events to help managing the size. | |
| .DESCRIPTION | |
| Based on: https://blog.nviso.eu/2022/06/30/enforcing-a-sysmon-archive-quota/ | |
| .INPUTS | |
| None. Cmdlet does not accept pipe values. | |
| .OUTPUTS |
zbalkan
/ Uninstall OneNote Printer Driver.ps1
Last active
June 5, 2023 09:45
Source: https://superuser.com/a/1734476/1337449
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $officeFolder = Get-ChildItem -Path 'C:\Program Files\Microsoft Office\' -Filter Office* | Select-Object -ExpandProperty Name | |
| $currentPath = 'C:\Program Files\Microsoft Office\'+$officeFolder+'\OneNote' | |
| $newPath = 'C:\Program Files\Microsoft Office\'+$officeFolder+'\OneNoteOLD' | |
| Rename-Item $currentPath $newPath | |
| $drivers = pnputil /enum-drivers | |
| $drivers -split '\r?\n' | select-string -Pattern "prnms006.inf" -Context 1,0 | % { | |
| $pubName = $_.Context.PreContext[0] | |
| } |
zbalkan
/ Wazuh pain points.md
Last active
February 27, 2024 12:18
After I started to use Wazuh, around June 2022, I came across many pain points. Here, I recorded and grouped some of them together. There is no specific order, neither alphabetical nor by importance.
zbalkan
/ pysigma-wazuh-backend
Created
October 15, 2022 13:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| test |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Personal .nanorc config | |
| # Based on https://bash-prompt.net/guides/nanorc-settings/ | |
| # Non-default settings | |
| set atblanks # wrap line at blanks. | |
| set cutfromcursor # CTRL+K cuts from cursor position to end of line. | |
| #set nohelp # Disable the help information (CTRL+G to view the help screen). | |
| set softwrap # Enable softwrap of lines. | |
| set suspend # Enables CTRL+Z to suspend nano. | |
| #set tabsize 4 # Sets tab-to-spaces size to 4. |
zbalkan
/ Install-WmiFilters.ps1
Last active
July 18, 2023 11:17
Updated version of https://github.com/darkoperator/powershell_scripts/blob/master/install-wmifilters.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Script for creating WMI Filters for use with Group Policy Manager. | |
| .DESCRIPTION | |
| The Script will create several WMI Filters for filtering based on: | |
| - Processor Architecture. | |
| - If the Hosts is a Virtual Machine | |
| - Operating System Version. | |
| - Type of Operating System. | |
| - If Java is installed |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Time-based One-Time Password Algorithm (RFC 6238) | |
| .DESCRIPTION | |
| Based on the script of Jon Friesen - https://gist.github.com/jonfriesen/234c7471c3e3199f97d5 | |
| .EXAMPLE | |
| Get-OTP -Secret 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567' # Default OTP length is 6 digits and period is 30 seconds | |
| .EXAMPLE | |
| totp -Secret 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567' # you can use totp or otp alias | |
| .EXAMPLE |
zbalkan
/ keybase.md
Created
January 15, 2022 14:11
I hereby claim:
- I am zbalkan on github.
- I am zbalkan (https://keybase.io/zbalkan) on keybase.
- I have a public key ASBBqweJA8AtahYGZFH_5frCdso79FPav7P4qXIcoLlVMAo
To claim this, I am signing this object:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Shows Windows native credential dialog on PowerShell 7.x and VS Code. | |
| .DESCRIPTION | |
| The cmdlet utilizes Windows native code based on P/Invoke calls. The parameters and output are the same as Get-Credential cmdlet. Based on the example: https://www.developerfusion.com/code/4693/using-the-credential-management-api/ | |
| .SYNTAX | |
| Get-WinCredential [[-UserName] <string>] -Message <string> [<CommonParameters>] | |
| .EXAMPLE | |
| Get-WinCredential | |
| .EXAMPLE |
zbalkan
/ Set Windows Photo Viewer as default.ps1
Created
October 31, 2021 19:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Reg2CI (c) 2021 by Roger Zander | |
| if((Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\Applications\photoviewer.dll") -ne $true) { New-Item "HKLM:\SOFTWARE\Classes\Applications\photoviewer.dll" -Force -ErrorAction SilentlyContinue }; | |
| if((Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\Applications\photoviewer.dll\shell") -ne $true) { New-Item "HKLM:\SOFTWARE\Classes\Applications\photoviewer.dll\shell" -Force -ErrorAction SilentlyContinue }; | |
| if((Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open") -ne $true) { New-Item "HKLM:\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open" -Force -ErrorAction SilentlyContinue }; | |
| if((Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open\command") -ne $true) { New-Item "HKLM:\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open\command" -Force -ErrorAction SilentlyContinue }; | |
| if((Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open\DropTarget") -ne $true) { New- |
NewerOlder