├── powershell.jpg ├── DNS ├── Get-DNSLogSearch.ps1 ├── Get-DNS_Data_SVR08.ps1 ├── Get-DNSOutsideQuery.ps1 ├── Get-DNS_Data_SVR2012.ps1 └── Invoke-DNSLogParser.ps1 ├── McAfee ├── ESM_Import_Script.ps1 └── Get-MalwareDomains.ps1 ├── System_Information ├── Get-WhoIs.ps1 ├── Get-SurveyHost.ps1 ├── Get-Computer_Info.ps1 ├── Get-LoggedOnUser.ps1 ├── Set-LocalPassword.ps1 ├── Invoke-SysMon │ ├── Sysmon.exe │ ├── Sysmon64.exe │ └── Invoke-SysMon.ps1 ├── Get-Autoruns │ ├── autorunsc.exe │ ├── autorunsc64.exe │ └── Get-Autoruns.ps1 ├── Get-FolderPermissions.ps1 ├── Get-SigCheck │ ├── sigcheck.exe │ ├── sigcheck64.exe │ └── Get-SigCheck.ps1 ├── Get-LastActivity │ ├── LastActivityView.exe │ └── Get-LastActivity.ps1 ├── Get-OpenShares.ps1 ├── Get-SelfSignedCerts.ps1 ├── Get-Sid2UserAll.ps1 ├── Get-SymLinks.ps1 ├── Set-ProgramUninstall.ps1 ├── Get-DirListing2.ps1 ├── Get-IPDomainCPU.ps1 ├── Get-InstalledFeatures.ps1 ├── Get-OSArchitecture.ps1 ├── Get-EnvPaths.ps1 ├── Get-HashBaseline.ps1 ├── Get-LocalUser2Sid.ps1 ├── Get-FileSignatureData.ps1 ├── Get-File_Hash.ps1 ├── Get-SoftwareInstall.ps1 ├── Get-Hostname2IP.ps1 ├── Set-WMI_Logging.ps1 ├── Get-TotalLinkProcessCount.ps1 ├── Get-DirListing.ps1 ├── Get-OS.ps1 ├── Get-IP2Hostname.ps1 ├── Get-SchedTasks.ps1 ├── Get-HashDiff.ps1 ├── Get-HashBaseline_v2.ps1 ├── Get-CreatedFilesLast24.ps1 ├── Get-TextPasswords.ps1 ├── Get-FileMonitor.ps1 ├── Get-HashDiffExplanations.ps1 ├── Get-LocalAccounts.ps1 ├── Get-SchedTasks2.ps1 └── Get-SoftwareInstallData.ps1 ├── Disk ├── Invoke-MemCapture │ ├── WinPmem.exe │ └── Invoke-MemCapture.ps1 ├── Invoke-$MFT │ ├── README.txt │ └── Invoke-$MFT.ps1 └── Invoke-USNJRNL │ ├── README.txt │ └── Invoke-USNJRNL.ps1 ├── Active_Directory ├── Get-ADAssetReport.ps1 ├── Get-ADGroupMembers.ps1 ├── Get-ADUserAllUsers.ps1 ├── Get-OU_Permissions.ps1 ├── Get-ADGroupFromSID.ps1 ├── Get-ADUserNon-ExpiringAccounts.ps1 ├── Get-ADUserSearch.ps1 ├── Get-ADGroupSID2Group.ps1 ├── Get-ADUserLastLoginDate.ps1 ├── 
Get-ADUserPasswordChangeDate2.ps1 ├── Get-ADUserPasswordChangeDate.ps1 ├── Get-ADUser2Sid.ps1 ├── Get-ADGroup2SID.ps1 ├── Get-ADUserSID2User.ps1 ├── Get-DomainTrusts.ps1 ├── Get-ADUserRecentlyCreated.ps1 ├── Set-PasswordByGroup.ps1 ├── Set-PasswordByOU.ps1 ├── Get-BaselineUsers.ps1 ├── Get-ADUserInactivity.ps1 ├── Get-ADComputerSid.ps1 ├── Get-BaselineAdmins.ps1 ├── Test-ADCredential.ps1 ├── Get-DomainChanges.ps1 ├── Get-UserLastLogonTime.ps1 ├── Get-BaselineUsersCompare.ps1 ├── Get-BaselineAdminCompare.ps1 ├── Get-ADComputersList.ps1 └── Set-PasswordChangeRandom.ps1 ├── Group_Policy ├── Get-GPOLink_Metadata.ps1 ├── Get-GPOReport.ps1 └── Invoke-GPOHunter.ps1 ├── Registry ├── Get-ShellBags │ ├── ShellBagsView.exe │ └── Get-ShellBags.ps1 ├── Get-UserAssist │ ├── UserAssistView.exe │ └── Get-UserAssist.ps1 ├── Invoke-MUICache │ ├── MUICacheView.exe │ └── Invoke-MUICacheView.ps1 ├── Set-RegKey.ps1 ├── Get-RegKeyValueRecurse.ps1 ├── Get-RegKeyExport.ps1 ├── Get-RegKeyValueData.ps1 ├── Get-RemoteRegHive.ps1 └── Get-NTUSER │ └── Get-NTUSER.ps1 ├── README.md ├── Linux ├── Invoke-ProcessSuspend.ps1 ├── Get-BootServices ├── Get-InstalledPackages.ps1 ├── Invoke-ScriptBlockParser.ps1 ├── Invoke-SecureLogParse.ps1 ├── nix_simpleHTTP.psl ├── Get-CronJobs.ps1 ├── Get-CronLogs.ps1 ├── Get-Service.ps1 └── nix_webshell.ps1 ├── Processes and Services ├── Get-PIDs_PPIDs.ps1 ├── Get-ProcessesDLL.ps1 ├── Get-PPID.ps1 ├── Get-ProcessHash.ps1 ├── Get-AutoNotStartedServices.ps1 ├── Get-ProcessCompare.ps1 ├── Invoke-TerminateProcess.ps1 ├── Get-TotalLinkProcessCount.ps1 ├── Get-MassServiceStatus.ps1 ├── Invoke-RestartServices.ps1 ├── Restart-MassServices.ps1 └── Start-MassServices.ps1 ├── Web ├── Invoke-IISLogParser ├── Get-MalwareDomains.ps1 ├── Get-Webserver.ps1 └── Get-WebserverDataOnly.ps1 ├── GRR ├── Remove-GRR_Agent.ps1 └── Invoke-GRR_Agent.ps1 ├── _Misc ├── Convert-Base64ToText.ps1 ├── Convert-TextToBase64.ps1 ├── Convert-BinaryToBase64.ps1 ├── Convert-ImageToBase64.ps1 ├── 
Convert-Base64ToFile.ps1 ├── Set-ServerPrefetch.ps1 ├── Disable-Cortana.ps1 ├── Convert-Base64ToImage.ps1 ├── Convert-Rot13.ps1 ├── Get-TranscriptStatus.ps1 ├── Get-PortScan.ps1 └── Invoke-IPScanner.ps1 ├── Eventlogs ├── Service_Creation_Eventlog_Parse.ps1 └── Event_Queries.ps1 ├── Splunk ├── Get-SplunkStatus.ps1 ├── Restart-SplunkFwd.ps1 ├── Invoke-SplunkFwdRemover2.ps1 ├── Splunk-StartFowarder.ps1 ├── Invoke-SplunkFwd.ps1 └── Invoke-SplunkFwdRemover.ps1 ├── Exchange ├── Find and delete.txt └── Search Exchange Mailbox.txt ├── MIR └── Invoke-MIR_Agent.ps1 ├── WMI_Process_Call ├── WMI_Process_Call.ps1 └── WMI_Process_Call (Bypass Exe Policy).ps1 └── Endgame └── Deploy-Endgame_Sensor.ps1 /powershell.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/powershell.jpg -------------------------------------------------------------------------------- /DNS/Get-DNSLogSearch.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/DNS/Get-DNSLogSearch.ps1 -------------------------------------------------------------------------------- /DNS/Get-DNS_Data_SVR08.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/DNS/Get-DNS_Data_SVR08.ps1 -------------------------------------------------------------------------------- /McAfee/ESM_Import_Script.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/McAfee/ESM_Import_Script.ps1 -------------------------------------------------------------------------------- /System_Information/Get-WhoIs.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Get-WhoIs.ps1 
-------------------------------------------------------------------------------- /Disk/Invoke-MemCapture/WinPmem.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/Disk/Invoke-MemCapture/WinPmem.exe -------------------------------------------------------------------------------- /Active_Directory/Get-ADAssetReport.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/Active_Directory/Get-ADAssetReport.ps1 -------------------------------------------------------------------------------- /Group_Policy/Get-GPOLink_Metadata.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/Group_Policy/Get-GPOLink_Metadata.ps1 -------------------------------------------------------------------------------- /System_Information/Get-SurveyHost.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Get-SurveyHost.ps1 -------------------------------------------------------------------------------- /Active_Directory/Get-ADGroupMembers.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/Active_Directory/Get-ADGroupMembers.ps1 -------------------------------------------------------------------------------- /Active_Directory/Get-ADUserAllUsers.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/Active_Directory/Get-ADUserAllUsers.ps1 -------------------------------------------------------------------------------- /Active_Directory/Get-OU_Permissions.ps1: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/Active_Directory/Get-OU_Permissions.ps1 -------------------------------------------------------------------------------- /Registry/Get-ShellBags/ShellBagsView.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/Registry/Get-ShellBags/ShellBagsView.exe -------------------------------------------------------------------------------- /System_Information/Get-Computer_Info.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Get-Computer_Info.ps1 -------------------------------------------------------------------------------- /System_Information/Get-LoggedOnUser.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Get-LoggedOnUser.ps1 -------------------------------------------------------------------------------- /System_Information/Set-LocalPassword.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Set-LocalPassword.ps1 -------------------------------------------------------------------------------- /Registry/Get-UserAssist/UserAssistView.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/Registry/Get-UserAssist/UserAssistView.exe -------------------------------------------------------------------------------- /Registry/Invoke-MUICache/MUICacheView.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/Registry/Invoke-MUICache/MUICacheView.exe -------------------------------------------------------------------------------- /System_Information/Invoke-SysMon/Sysmon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Invoke-SysMon/Sysmon.exe -------------------------------------------------------------------------------- /System_Information/Get-Autoruns/autorunsc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Get-Autoruns/autorunsc.exe -------------------------------------------------------------------------------- /System_Information/Get-FolderPermissions.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Get-FolderPermissions.ps1 -------------------------------------------------------------------------------- /System_Information/Get-SigCheck/sigcheck.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Get-SigCheck/sigcheck.exe -------------------------------------------------------------------------------- /System_Information/Invoke-SysMon/Sysmon64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Invoke-SysMon/Sysmon64.exe -------------------------------------------------------------------------------- /System_Information/Get-Autoruns/autorunsc64.exe: -------------------------------------------------------------------------------- 
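https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Get-Autoruns/autorunsc64.exe
--------------------------------------------------------------------------------
/System_Information/Get-SigCheck/sigcheck64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Get-SigCheck/sigcheck64.exe
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# PowerShell
A series of scripts

![Alt text](https://github.com/WiredPulse/PowerShell/blob/master/powershell.jpg?raw=true "Optional Title")

--------------------------------------------------------------------------------
/System_Information/Get-LastActivity/LastActivityView.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/PowerShell/HEAD/System_Information/Get-LastActivity/LastActivityView.exe
--------------------------------------------------------------------------------
/Linux/Invoke-ProcessSuspend.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Pauses (SIGSTOP) and resumes (SIGCONT) a Linux process by PID, e.g. to freeze a
suspicious process for memory capture without terminating it.

.NOTES
Relies on the native kill(1) binary: per the Stop-Process documentation the 'kill'
alias is Windows-only, so on Linux '-STOP' / '-CONT' reach the external command.
Verify with 'Get-Alias kill' if in doubt; if the alias exists, call '& /bin/kill'.
#>

function Invoke-ProcessSuspend ([int]$id){
    # [int] guarantees only a numeric PID is placed on the command line.
    kill -STOP $id
}

function Invoke-ResumeProcess ([int]$id){
    kill -CONT $id
}

--------------------------------------------------------------------------------
/System_Information/Get-OpenShares.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Lists SMB shares on the local or a remote system via WMI (Win32_Share).

.PARAMETER ComputerName
Host to query. Defaults to 127.0.0.1 (the local machine), the original hard-coded target.

.NOTES
Win32_Share also returns administrative/hidden shares (names ending in '$'), which is
normally what an open-share survey wants to see.
#>

param(
    [string]$ComputerName = '127.0.0.1'
)

Get-WmiObject Win32_Share -ComputerName $ComputerName
--------------------------------------------------------------------------------
/System_Information/Get-SelfSignedCerts.ps1:
--------------------------------------------------------------------------------
Get-ChildItem `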
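Cert: -Recurse |
    Where-Object { $_.Subject -ne $null -and $_.Subject -eq $_.Issuer } |
    Select-Object NotBefore, NotAfter, Subject, Issuer |
    Out-GridView
# Self-signed means Subject equals Issuer; certificates with no Subject are dropped
# first so the comparison is meaningful. NotAfter and Subject are separate
# properties - the original 'notaftersubject' was a typo that produced an empty column.

--------------------------------------------------------------------------------
/System_Information/Get-Sid2UserAll.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Lists every user profile SID on the system with its profile path (Win32_UserProfile).

.NOTES
Handy for spotting profiles left behind by accounts that no longer exist.
#>

Get-WmiObject -Class Win32_UserProfile -Namespace "root\cimv2" |
    Select-Object SID, LocalPath
--------------------------------------------------------------------------------
/System_Information/Get-SymLinks.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Searches a directory tree for reparse points (symbolic links, junctions, mount points).

.PARAMETER Path
Root of the search. Defaults to C:\Users\blue\Desktop, the original hard-coded path.

.NOTES
'ReparsePoint' in Attributes covers symlinks, junctions and mount points. Target is a
PowerShell-added property and may be empty on older hosts - verify on the target OS.
#>

param(
    [string]$Path = 'C:\Users\blue\Desktop'
)

Get-ChildItem $Path -Recurse |
    Where-Object { $_.Attributes -match 'ReparsePoint' } |
    Select-Object Name, CreationTime, LastWriteTime, Target
--------------------------------------------------------------------------------
/Active_Directory/Get-ADGroupFromSID.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Returns the AD group object (including its name) for the specified SID.

.PARAMETER sid
SID to resolve. Defaults to S-1-5-32-544 (BUILTIN\Administrators), the original
hard-coded value, so existing invocations behave as before.

.EXAMPLE
PS C:\> .\Get-ADGroupFromSID.ps1 -sid S-1-5-32-544
#>

param(
    [string]$sid = 'S-1-5-32-544'
)

Import-Module ActiveDirectory
Get-ADGroup -Identity $sid

--------------------------------------------------------------------------------
/System_Information/Set-ProgramUninstall.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Uses WMI to uninstall a program. It can be slow but does support the -computername switch.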
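#>

param(
    # Product name matched against Win32_Product.Name with WQL LIKE; the default keeps
    # the original hard-coded target. With no wildcard the match is exact.
    [string]$Name = 'UniversalForwarder'
)

# NOTE: querying Win32_Product makes Windows Installer run a consistency check (and
# possible repair) of every installed MSI package, which is why this is slow and
# noisy in the Application event log. A Name containing a single quote would break
# the WQL string; this tool assumes a trusted, administrator-supplied name.
wmic product where "name like '$Name'" call uninstall /nointeractive
--------------------------------------------------------------------------------
/Active_Directory/Get-ADUserNon-ExpiringAccounts.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Lists every user account with its PasswordNeverExpires flag so non-expiring accounts stand out.

.NOTES
The whole user set is pulled (-Filter *) and the flag is displayed rather than filtered,
matching the original output. On large domains a server-side filter
(-Filter 'PasswordNeverExpires -eq $true') is far cheaper.
#>

Import-Module ActiveDirectory

Get-ADUser -Filter * -Properties PasswordNeverExpires |
    Sort-Object Name |
    Format-Table Name, PasswordNeverExpires, ObjectClass -AutoSize
--------------------------------------------------------------------------------
/Group_Policy/Get-GPOReport.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Retrieves all GPOs in the domain and their settings and saves the report to
GPOReport.html in the current directory.

.NOTES
The report contains every setting of every GPO and may include sensitive
configuration; treat the output file accordingly.
#>

Import-Module GroupPolicy
Get-GPOReport -All -ReportType HTML | Out-File .\GPOReport.html

--------------------------------------------------------------------------------
/System_Information/Get-DirListing2.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Gets a file listing with metadata for a directory and writes it to dir_list.csv.

.PARAMETER Path
Directory to list. Defaults to C:\, the original hard-coded target.

.PARAMETER Recurse
Walk subdirectories. Off by default, which matches the original command (despite its
synopsis, the original did not recurse).
#>

param(
    [string]$Path = 'C:\',
    [switch]$Recurse
)

# -Force includes hidden and system entries.
Get-ChildItem $Path -Force -Recurse:$Recurse |
    Select-Object Name, FullName, Extension, Mode, Length, CreationTime, LastAccessTime, LastWriteTime, Attributes, IsReadOnly |
    Export-Csv dir_list.csv
--------------------------------------------------------------------------------
/System_Information/Get-IPDomainCPU.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Returns name, IPv4 address and operating system (with service pack) of every computer in the domain.

.NOTES
Select-Object replaces Format-Table in front of Out-GridView: Format-Table emits
formatting objects rather than data, so the grid showed format records instead of
one row per computer.
#>

Get-ADComputer -Filter * -Properties IPv4Address, OperatingSystem, OperatingSystemServicePack |
    Select-Object Name, IPv4Address, OperatingSystem, OperatingSystemServicePack |
    Out-GridView
--------------------------------------------------------------------------------
/Processes and Services/Get-PIDs_PPIDs.ps1: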
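--------------------------------------------------------------------------------
<#
.SYNOPSIS
Retrieves all processes with their PIDs and PPIDs (plus handle counts, image path and start time).

.NOTES
Reviewing ParentProcessId against ExecutablePath is a quick way to spot unusual
parent/child pairs. CreationDate is a WMI DMTF datetime string; convert it with
[Management.ManagementDateTimeConverter]::ToDateTime when a [datetime] is needed.
#>

Get-WmiObject Win32_Process -ComputerName localhost |
    Select-Object Name, ProcessId, ParentProcessId, Handle, HandleCount, ExecutablePath, CreationDate |
    Format-Table -AutoSize
--------------------------------------------------------------------------------
/Disk/Invoke-$MFT/README.txt:
--------------------------------------------------------------------------------
1) Double-click 'Mft2Csv.exe'

2) Click the 'Choose $MFT' button

3) Navigate to the $MFT file

4) Click OK to accept the default 1024

5) Click the 'Set Output Path' button and select a directory

6) Click 'Start Processing'
--------------------------------------------------------------------------------
/Registry/Set-RegKey.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Sets a registry value; as written it re-enables NTFS last-access timestamp updates
(NtfsDisableLastAccessUpdate = 0) so LastAccessTime stays usable for forensics.

.NOTES
Requires an elevated session. The value is written explicitly as a DWORD so the
setting cannot end up stored as a string type that the system would not interpret
as the intended number.
#>

$regupdate = "HKLM:\System\CurrentControlSet\Control\FileSystem"
$key = "NtfsDisableLastAccessUpdate"
$val = 0
Set-ItemProperty $regupdate -Name $key -Value $val -Type DWord
--------------------------------------------------------------------------------
/Linux/Get-BootServices:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Lists the systemd unit files enabled to start at boot, one object per unit, on a Linux host.

.NOTES
The file has no .ps1 extension in the repository; run it with 'pwsh -File' or dot-source it.
The original iterated $systemctl[1..$systemctl.length[-1]], which skipped the first unit
(--no-legend already removes the header) and indexed one past the end of the array.
#>

$systemctl = systemctl list-unit-files --state=enabled --no-legend
$obj = foreach ($sys in $systemctl) {
    # Blank lines would otherwise produce an object with an empty Name.
    if ([string]::IsNullOrWhiteSpace($sys)) { continue }
    $fields = $sys -split '\s+'
    [PSCustomObject]@{
        Name = $fields[0]
    }
}

$obj

--------------------------------------------------------------------------------
/Active_Directory/Get-ADUserSearch.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Searches Active Directory for user accounts that end in ".admin"
#>

Import-Module ActiveDirectory
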
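# The LDAP filter matches the suffix server-side, so only accounts following the
# privileged naming convention come back.
Get-ADUser -LDAPFilter '(SamAccountName=*.admin)' |
    Select-Object -Property Name, SamAccountName |
    Sort-Object SamAccountName
--------------------------------------------------------------------------------
/Active_Directory/Get-ADGroupSID2Group.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
This script will return the AD group object (including its SID) for a specified group.

.PARAMETER Group
Group to look up; any Get-ADGroup identity (name, SAM account name, DN, GUID or SID) works.

.EXAMPLE
PS C:\> .\Get-ADGroupSID2Group.ps1 -Group 'Domain Admins'
#>

param(
    [Parameter(Mandatory=$true)][string]$Group
)

Import-Module ActiveDirectory
Get-ADGroup -Identity $Group

--------------------------------------------------------------------------------
/Active_Directory/Get-ADUserLastLoginDate.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Gets a list of all users who have logged on since the date specified.

.PARAMETER Since
Cut-off date. Defaults to 7/18/2015, the original hard-coded value. Taking a [datetime]
avoids culture-dependent parsing of a date literal inside the AD filter.

.NOTES
LastLogonDate is derived from lastLogonTimestamp, which replicates only roughly every
14 days by default, so very recent logons may be under-reported.
#>

param(
    [datetime]$Since = '7/18/2015'
)

Import-Module ActiveDirectory

Get-ADUser -Filter { LastLogonDate -gt $Since } -Properties LastLogonDate |
    Select-Object Name, LastLogonDate |
    Sort-Object Name
--------------------------------------------------------------------------------
/System_Information/Get-InstalledFeatures.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Retrieves installed features from a server OS. This script will only work on a server OS.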
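#>

Import-Module ServerManager
# Installed is a boolean; compare it directly rather than regex-matching its string form.
Get-WindowsFeature | Where-Object { $_.Installed -eq $true } | Select-Object -ExpandProperty Name

--------------------------------------------------------------------------------
/Processes and Services/Get-ProcessesDLL.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Displays all running processes and the modules (DLLs) loaded in each.

.NOTES
Module enumeration fails for protected or higher-integrity processes (access denied);
those report an error and the loop continues. The original's typographic quotes and
en-dash are replaced with ASCII equivalents so the script survives copy/paste.
#>

foreach ($item in Get-Process) {
    Write-Host "PID:" $item.Id "Name:" $item.Name
    # Modules is already on the object; re-querying Get-Process -Id was redundant.
    $item.Modules | Format-Table -AutoSize
}

--------------------------------------------------------------------------------
/Linux/Get-InstalledPackages.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Lists installed RPM packages with install date and time, newest first (rpm -qa --last).

.NOTES
With the default locale each line is '<package> <Day> <DD> <Mon> <YYYY> <HH:MM:SS> <AM|PM> <TZ>';
whitespace-splitting gives the package at [0], the date at [2..4] and the time at [5..7].
Other locales may shift these fields - confirm on the target host.
#>

$packages = rpm -qa --last
$obj = foreach ($line in $packages) {
    $fields = $line -split '\s+'
    [PSCustomObject]@{
        Date    = $fields[2..4] -join ' '
        Time    = $fields[5..7] -join ' '
        Package = $fields[0]
    }
}

$obj

--------------------------------------------------------------------------------
/Web/Invoke-IISLogParser:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Parses W3C-format IIS logs under C:\inetpub\logs\LogFiles into objects and shows each file in Out-GridView.

.NOTES
Get-ChildItem on the LogFiles root returns the per-site folders (W3SVC*), not the log
files, so the search now recurses for *.log. Column names come from the '#Fields:'
directive; '#'-prefixed directive lines are dropped before parsing so they do not appear
as data rows. Files are addressed by FullName because on Windows PowerShell a FileInfo
can convert to its bare name, which Get-Content then resolves against the current directory.
#>

$logs = Get-ChildItem C:\inetpub\logs\LogFiles -Recurse -File -Filter *.log

foreach ($log in $logs) {
    # '#Fields:' is normally the 4th line, but locate it by prefix rather than position
    # so a missing '#Software'/'#Version' header does not break parsing.
    $fieldsLine = Get-Content -Path $log.FullName -TotalCount 10 |
        Where-Object { $_ -like '#Fields:*' } |
        Select-Object -First 1
    if (-not $fieldsLine) { continue }
    # Skip the 9-character '#Fields: ' prefix, as the original's [9..] slice did.
    $objectHead = $fieldsLine.Substring(9) -split ' '
    Get-Content -Path $log.FullName |
        Where-Object { $_ -notlike '#*' } |
        ConvertFrom-Csv -Delimiter ' ' -Header $objectHead |
        Out-GridView
}

--------------------------------------------------------------------------------
/Active_Directory/Get-ADUserPasswordChangeDate2.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Lists all Domain Admins and displays the date the password was last changed.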
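#>

Import-Module ActiveDirectory

# Direct members only, as in the original; nested groups in the membership would
# produce Get-ADUser lookup errors rather than rows. Add -Recursive to expand them.
Get-ADGroupMember -Identity "Domain Admins" |
    Get-ADUser -Properties PasswordLastSet |
    Select-Object -Property Name, PasswordLastSet |
    Sort-Object PasswordLastSet
--------------------------------------------------------------------------------
/Linux/Invoke-ScriptBlockParser.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Extracts PowerShell script-block logging entries from /var/log/messages on a Linux host.

.PARAMETER HostName
Syslog host name that terminates the timestamp field. Defaults to 'CentOS', the value the
original split on; pass the real host name when parsing logs from another machine.

.NOTES
rsyslog writes embedded newlines as '#012', so the text after the first '#012' is the
logged command. Lines without that marker still yield an object with an empty Command.
#>

param(
    [string]$HostName = 'CentOS'
)

$logs = Get-Content "/var/log/messages"
$obj = foreach ($log in $logs) {
    $logSplit = $log -split '#012'
    # -split takes a regex, so the host name is escaped before use.
    $time = ($logSplit[0] -split (' ' + [regex]::Escape($HostName)))[0]

    [PSCustomObject]@{
        Time    = $time
        Command = $logSplit[1]
    }
}

$obj

--------------------------------------------------------------------------------
/Processes and Services/Get-PPID.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Returns the process name, PPID and handle information for a given PID.

.NOTES
Fixes two errors in the original: Read-Host was given its prompt as three bare words,
and '-Filter -computername' handed Get-WmiObject a parameter name where the filter text
belonged. The PID is cast to [int] so only a number can reach the WQL filter string.
#>

[int]$some_pid = Read-Host -Prompt 'Input the PID'
Get-WmiObject Win32_Process -ComputerName localhost -Filter "ProcessId = $some_pid" |
    Select-Object Name, ProcessId, ParentProcessId, Handle, HandleCount, CreationDate, ExecutablePath |
    Format-Table -AutoSize
--------------------------------------------------------------------------------
/System_Information/Get-OSArchitecture.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Retrieves the OS architecture of the supplied systems.
#>

Write-Host 'Input the path to the list of systems to retrieve the OS architecture for.' `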
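-ForegroundColor Cyan
$listPath = Read-Host " "
# The prompt asks for the path to a list of systems; the original passed that path
# string itself to -ComputerName, so the file was never read.
$list = Get-Content $listPath

Get-WmiObject Win32_OperatingSystem -ComputerName $list | Select-Object PSComputerName, OSArchitecture
--------------------------------------------------------------------------------
/Active_Directory/Get-ADUserPasswordChangeDate.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Finds accounts whose name starts with a given prefix (service accounts by default)
and shows when each password was last set.

.PARAMETER Prefix
Name prefix to match. Defaults to 'svc', the original hard-coded pattern.
#>

param(
    [string]$Prefix = 'svc'
)

Import-Module ActiveDirectory

# PasswordLastSet is requested in the one query; the original piped Get-ADUser into a
# second Get-ADUser call, doubling the directory round-trips.
Get-ADUser -Filter "Name -like '$Prefix*'" -Properties PasswordLastSet |
    Select-Object -Property Name, PasswordLastSet |
    Sort-Object PasswordLastSet
--------------------------------------------------------------------------------
/System_Information/Get-EnvPaths.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Gets the system PATH environment variable from a group of systems and shows it in a grid.

.PARAMETER ComputerListPath
Text file with one host name per line. Defaults to C:\users\blue\Desktop\computers.txt,
the original hard-coded path.

.NOTES
A writable directory in PATH is a classic local privilege-escalation weakness, which is
why PATH is worth collecting fleet-wide. The original synopsis mentioned csv output but the
command ended in Out-GridView; the grid view is kept.
#>

param(
    [string]$ComputerListPath = 'C:\users\blue\Desktop\computers.txt'
)

$computers = Get-Content $ComputerListPath
Get-WmiObject -Class Win32_Environment -Namespace root\cimv2 -Filter "Name = 'Path'" -ComputerName $computers |
    Select-Object PSComputerName, VariableValue |
    Out-GridView
--------------------------------------------------------------------------------
/System_Information/Get-HashBaseline.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Gets hashes used for baselines.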
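#>

# Directories are excluded up front (Get-FileHash cannot hash them) and unreadable
# files are skipped rather than aborting the baseline. MD5 and SHA-1 are adequate for
# change detection but are not collision resistant; add a SHA256 pass if the baseline
# must serve as integrity evidence.
Get-ChildItem C:\windows\system32 -Recurse -File -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm MD5 -ErrorAction SilentlyContinue |
    Export-Csv .\baseline_MD5_$env:COMPUTERNAME.csv -NoTypeInformation
Get-ChildItem C:\windows\system32 -Recurse -File -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA1 -ErrorAction SilentlyContinue |
    Export-Csv .\baseline_SHA1_$env:COMPUTERNAME.csv -NoTypeInformation
--------------------------------------------------------------------------------
/Linux/Invoke-SecureLogParse.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Parses /var/log/secure (authentication log) on a Linux host into Time/Process/ID/Message objects.

.NOTES
Expects the classic syslog shape 'Mon DD HH:MM:SS host process[pid]: message'.
Lines lacking the ']: ' marker still produce an object, with Message left empty.
#>

$logs = Get-Content "/var/log/secure"
$obj = foreach ($log in $logs) {
    $parts = $log -split "]: "
    # Splitting the prefix on '[' and then on whitespace yields
    # [0..2] timestamp, [3] host, [4] process name, [-1] pid.
    $data = ($parts[0] -split "\[") -split '\s+'
    [PSCustomObject]@{
        Time    = ($data[0..2]) -join ' '
        Process = $data[4]
        ID      = $data[-1]
        Message = $parts[1]
    }
}

$obj

--------------------------------------------------------------------------------
/Disk/Invoke-USNJRNL/README.txt:
--------------------------------------------------------------------------------
1) Ensure you have the USNJRNL
2) In the directory where the USNJRNL file is, create a new directory and move the file into it
3) Open UsnJrnl2Csv.exe
4) Select the 'Browse $USNJRNL' button and navigate to the USNJRNL file
5) Click the 'Start Parsing' button
6) Once complete, open the .csv produced in Excel. Be sure to set the time column to "text". The times in the file are in UTC.
--------------------------------------------------------------------------------
/Processes and Services/Get-ProcessHash.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Hashes (SHA1) the image file of every running process; names of processes that could
not be hashed are appended to c:\proc_hash_error.log.
#>

foreach ($proc in Get-Process)
{
    try
    {
        # -ErrorAction Stop turns a missing or unreadable path into a catchable exception.
        Get-FileHash $proc.Path -Algorithm SHA1 -ErrorAction Stop
    }
    catch
    {
        #error handling...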
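# log contains names of processes where there was no path listed or we lack the rights
        # Writing to the root of C:\ needs an elevated session; only the process name is
        # logged, which is enough to know which images still need hashing.
        $proc.Name | Out-File c:\proc_hash_error.log -Append
    }
}
--------------------------------------------------------------------------------
/System_Information/Get-LocalUser2Sid.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
This script will return the SID for the specified local user account.

.PARAMETER user
Local account name to translate.

.EXAMPLE
PS C:\> .\Get-LocalUser2Sid.ps1 -user joe

.NOTES
An unknown name makes Translate() throw IdentityNotMappedException rather than return $null.
#>

Param(
    [Parameter(Mandatory=$true)][string]$user
)

$objUser = New-Object System.Security.Principal.NTAccount("$user")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
--------------------------------------------------------------------------------
/Active_Directory/Get-ADUser2Sid.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
This script will return the SID for the specified Domain user account.

.PARAMETER domain
Domain (NetBIOS name) the account belongs to.

.PARAMETER user
Account name to translate.

.EXAMPLE
PS C:\> .\Get-ADUser2Sid.ps1 -domain contoso -user joe

.NOTES
An unknown account makes Translate() throw IdentityNotMappedException rather than return $null.
#>

Param(
    [string]$domain,
    [Parameter(Mandatory=$true)][string]$user
)

$objUser = New-Object System.Security.Principal.NTAccount("$domain", "$user")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
--------------------------------------------------------------------------------
/GRR/Remove-GRR_Agent.ps1:
--------------------------------------------------------------------------------
<#

.SYNOPSIS
Deletes the GRR Agent on a system.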
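
.NOTES
Requires an elevated session. The service is stopped and deleted through WMI, then the
registry key and on-disk files are removed. The original redirected errors with '2>1',
which writes stderr to a file literally named '1' in the current directory; '2>&1' is
the intended merge.
#>

$svc = Get-WmiObject Win32_Service -Filter "name='GRR Monitor'"
if ($svc) {
    # StopService()/Delete() report ReturnValue 0 on success; warn on anything else
    # instead of silently deleting files under a still-running agent.
    $stop = $svc.StopService()
    if ($stop.ReturnValue -ne 0) { Write-Warning "StopService returned $($stop.ReturnValue)" }
    $del = $svc.Delete()
    if ($del.ReturnValue -ne 0) { Write-Warning "Delete returned $($del.ReturnValue)" }
} else {
    Write-Warning "Service 'GRR Monitor' not found; removing remaining artefacts."
}

Remove-Item HKLM:\SOFTWARE\GRR -Recurse

Remove-Item c:\windows\system32\grr -Force -Recurse

# The installer marker may already be gone; its absence is not worth reporting.
Remove-Item c:\windows\system32\grr_installer.txt 2>&1 | Out-Null


--------------------------------------------------------------------------------
/Active_Directory/Get-ADGroup2SID.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
This script will return the group name for the specified SID.

.PARAMETER sid
The SID to get the group name for.

.EXAMPLE
PS C:\> .\Get-ADGroup2SID.ps1 -sid 'S-1-5-32-544'

Retrieving the group name for the specified SID.
#>

param(
    [Parameter(Mandatory=$true)][string]$sid
)

Import-Module ActiveDirectory
Get-ADGroup -Identity $sid

--------------------------------------------------------------------------------
/_Misc/Convert-Base64ToText.ps1:
--------------------------------------------------------------------------------
Function Convert-Base64ToText {

<#
.SYNOPSIS
Convert a Base64 string to plain text.

.PARAMETER decode
Base64 string to decode.

.EXAMPLE
PS c:\> Convert-Base64ToText -decode aABhAG0AYgB1AHIAZwBlAHIA

Convert a Base64 string to plain text.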
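
.NOTES
The decoded bytes are filtered with '| ?{$_}', which drops every 0x00 byte before the
UTF-8 decode. That makes UTF-16LE input (the form Convert-TextToBase64 produces)
readable when the text is ASCII, but it corrupts non-ASCII UTF-16 text and silently
removes genuine NUL bytes from UTF-8 input. Decode with
[System.Text.Encoding]::Unicode when the source is known to be UTF-16.
#>

param(
    [Parameter(Mandatory=$true)][string]$decode
)

[System.Text.Encoding]::UTF8.GetString(([System.Convert]::FromBase64String($decode)|?{$_}))

}
--------------------------------------------------------------------------------
/System_Information/Get-FileSignatureData.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Checks whether the files in a supplied directory carry a valid Authenticode signature.

.PARAMETER dir2search
Directory whose top-level files are checked. Defaults to c:\windows, the original value.

.NOTES
Unsigned or altered binaries show Status 'NotSigned' or 'HashMismatch'; a signer
subject you would not expect in that directory deserves a closer look.
#>

param(
    [string]$dir2search = "c:\windows"
)

# FileInfo objects are piped straight to Get-AuthenticodeSignature, so paths no longer
# need rebuilding from names (the original also selected 'name' twice).
Get-ChildItem $dir2search | Where-Object { -not $_.PSIsContainer } | Get-AuthenticodeSignature

--------------------------------------------------------------------------------
/_Misc/Convert-TextToBase64.ps1:
--------------------------------------------------------------------------------
Function Convert-TextToBase64 {

<#
.SYNOPSIS
Base64 encodes the supplied text.

.PARAMETER encode
String to Base64 encode.

.EXAMPLE
PS c:\> Convert-TextToBase64 -encode hamburger

Base64 encoding the string "hamburger".

.NOTES
The text is encoded as UTF-16LE ([Text.Encoding]::Unicode) before Base64, which is why
the example output carries a 0x00 after every ASCII character. Use UTF8.GetBytes for a
UTF-8 Base64 string.
#>

param(
    [Parameter(Mandatory=$true)][string]$encode
)

$bytes = [System.Text.Encoding]::Unicode.GetBytes($encode)
$encodedCommand = [Convert]::ToBase64String($bytes)
$encodedCommand

}
--------------------------------------------------------------------------------
/Active_Directory/Get-ADUserSID2User.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
This script will return the Domain user account for the specified SID.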
4 | 5 | .PARAMETER 6 | 7 | 8 | .USAGE 9 | Get-ADUserSID2User.ps1 -domain -sid 10 | 11 | .EXAMPLE 12 | PS C:\> .\Get-ADUserSID2User.ps1 -sid S-1-5-21-1489596007-1899944082-3082231942-1000 13 | #> 14 | 15 | Param( 16 | [string]$sid 17 | ) 18 | 19 | $objSID = New-Object System.Security.Principal.SecurityIdentifier ` 20 | ("$sid") 21 | $objUser = $objSID.Translate( [System.Security.Principal.NTAccount]) 22 | $objUser.Value -------------------------------------------------------------------------------- /_Misc/Convert-BinaryToBase64.ps1: -------------------------------------------------------------------------------- 1 | Function Convert-BinaryToBase64 { 2 | 3 | param ( 4 | [Parameter(Mandatory=$true)][string]$FilePath 5 | ) 6 | 7 | try 8 | { 9 | $ByteArray = [System.IO.File]::ReadAllBytes($FilePath) 10 | } 11 | catch 12 | { 13 | throw "Failed to read file. Ensure that you have permission to the file, and that the file path is correct." 14 | } 15 | if ($ByteArray) 16 | { 17 | $Base64String = [System.Convert]::ToBase64String($ByteArray) 18 | } 19 | else 20 | { 21 | throw '$ByteArray is $null.' 
22 | } 23 | 24 | $Base64String 25 | 26 | } -------------------------------------------------------------------------------- /Active_Directory/Get-DomainTrusts.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets domain trust information. 4 | 5 | .NOTES 6 | UNDERSTANDING OUTPUT: 7 | TrustAttributes = Transitivity of Trust 8 | 1 = Non-Transitive 9 | 2 = Transitive 10 | 11 | TrustDirection = Direction of Trust 12 | 1 = Incoming only 13 | 2 = Outgoing only 14 | 3 = Two-way 15 | 16 | #> 17 | 18 | Get-WmiObject -Class Microsoft_DomainTrustStatus -Namespace ROOT\MicrosoftActiveDirectory | Select-Object PSComputername, TrustedDomain, TrustAttributes, TrustDirection, TrustType |fl 19 | -------------------------------------------------------------------------------- /Active_Directory/Get-ADUserRecentlyCreated.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Lists all users who have been created within the number of days specified. 4 | 5 | .PARAMETER when 6 | Used to specify the number of days to go back to search for results. 7 | 8 | .EXAMPLE 9 | PS C:\> .\Get-ADUserRecentlyCreated.ps1 -When 30 10 | 11 | Returns accounts created within the last 30 days. 
12 | 13 | #> 14 | 15 | param( 16 | [Parameter(Mandatory=$true)][string]$when 17 | ) 18 | 19 | 20 | import-module activedirectory 21 | 22 | $my_date = ((Get-Date).AddDays(-$when)).Date 23 | Get-ADUser -Filter {whenCreated -ge $my_date} -Properties whenCreated -------------------------------------------------------------------------------- /Linux/nix_simpleHTTP.psl: -------------------------------------------------------------------------------- 1 | $byteFile = [System.IO.File]::ReadAllBytes("/home/nando/Desktop/test.ps1") 2 | $httpListener = New-Object System.Net.HttpListener 3 | $httpListener.Prefixes.Add("http://+:9046/") 4 | $httpListener.Start() 5 | 6 | try 7 | { 8 | while ($httpListener.IsListening) { 9 | 10 | $httpListenerContext = $httpListener.GetContext() 11 | $httpResponse = $httpListenerContext.Response 12 | $httpResponse.ContentType = "text/html" 13 | $httpResponse.ContentLength64 = $byteFile.Length 14 | $httpResponse.OutputStream.Write($byteFile,0,$byteFile.Length) 15 | $httpResponse.Close() 16 | } 17 | } 18 | finally 19 | { 20 | $httpListener.Close() 21 | } -------------------------------------------------------------------------------- /_Misc/Convert-ImageToBase64.ps1: -------------------------------------------------------------------------------- 1 | Function Convert-ImageToBase64 { 2 | 3 | <# 4 | .SYNOPSIS 5 | Generates a Base64 encoded string from an image file. 6 | 7 | .PARAMETER input_file 8 | Name of file to convert to Base64. 9 | 10 | .EXAMPLE 11 | PS c:\> Convert-ImageToBase64 -input_file c:\my_pic.png 12 | 13 | Converts "my_pic.png" in a Base64 string. 
14 | #> 15 | 16 | 17 | param( 18 | [Parameter(Mandatory=$true)][string]$Input_file 19 | ) 20 | 21 | 22 | $image = [System.Drawing.Image]::FromFile("$Input_file") 23 | $ms = New-Object IO.MemoryStream 24 | $image.Save($ms, "png") 25 | $imageBytes = $ms.ToArray() 26 | $b64String = [Convert]::ToBase64String($imageBytes) 27 | $b64String 28 | 29 | } -------------------------------------------------------------------------------- /System_Information/Get-File_Hash.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets the hash of the specified file (MD5 by default; the Get-Hash helper accepts another algorithm name via $HashName). 4 | 5 | .LINK 6 | http://jongurgul.com/blog/get-stringhash-get-filehash/ 7 | #> 8 | 9 | $input = Read-Host "Input path to file to hash" 10 | 11 | Function Get-Hash([String] $FileName,$HashName = "MD5") 12 | { 13 | $FileStream = New-Object System.IO.FileStream($FileName,[System.IO.FileMode]::Open) 14 | $StringBuilder = New-Object System.Text.StringBuilder 15 | [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash($FileStream)|%{[Void]$StringBuilder.Append($_.ToString("x2"))} 16 | $FileStream.Close() 17 | $StringBuilder.ToString() 18 | } 19 | 20 | Get-Hash $input -------------------------------------------------------------------------------- /Eventlogs/Service_Creation_Eventlog_Parse.ps1: -------------------------------------------------------------------------------- 1 | # Parse the Message property into individual properties and then filter on the service name... 2 | Get-WinEvent -FilterHashtable @{logname='system';id='7045'} | Select-Object timecreated, @{Label="ServiceName";Expression={$_.properties.value[0]}}, 3 | @{Label="ImagePath";Expression={$_.properties.value[1]}}, @{Label="ServiceType";Expression={$_.properties.value[2]}}, @{Label="StartType";Expression={$_.properties.value[3]}}, 4 | @{Label="AccountName";Expression={$_.properties.value[4]}} | Where-Object{$_.servicename -eq "Bluetooth Port Driver"} 5 | 6 | # Return only the Service names... 
7 | Get-WinEvent -FilterHashtable @{logname='system';id='7045'} | Select-Object timecreated, @{Label="ServiceName";Expression={$_.properties.value[0]}} -------------------------------------------------------------------------------- /_Misc/Convert-Base64ToFile.ps1: -------------------------------------------------------------------------------- 1 | Function Convert-Base64ToFile{ 2 | <# 3 | .SYNOPSIS 4 | Converts a Base64 string into a file. 5 | 6 | .PARAMETER b64_string 7 | Base64 string to decode. 8 | 9 | .PARAMETER output_file 10 | Path of the file the decoded bytes are written to. 11 | 12 | .EXAMPLE 13 | PS c:\> Convert-Base64ToFile -b64_string 'MTcyLjE2LjE1NS4yMDANCjE3Mi4xNi4xNTUuMjAxDQoxNzIuMTYuMTU1LjIwMw==' -output_file c:\text.txt 14 | 15 | Decodes the specified string into a file called "text.txt". 16 | #> 17 | 18 | 19 | param( 20 | [Parameter(Mandatory=$true)][string]$B64_string, 21 | [Parameter(Mandatory=$true)][string]$Output_file 22 | ) 23 | 24 | 25 | $bytes = [Convert]::FromBase64String($b64_string) 26 | [IO.File]::WriteAllBytes($Output_file, $bytes) 27 | } -------------------------------------------------------------------------------- /Processes and Services/Get-AutoNotStartedServices.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets a table of services that are set to Automatic and are not started. 4 | 5 | .PARAMETER computer 6 | Used to feed a file containing names or IPs. A single IP can be used as well. 7 | 8 | .EXAMPLE 9 | PS C:\> .\Get-AutoNotStartedServices.ps1 -computer c:\users\blue\desktop\computers.txt 10 | 11 | Runs the script on all systems in the 'computers.txt' file. 
12 | 13 | #> 14 | 15 | 16 | param( 17 | [Parameter(Mandatory=$true)][string]$Computer 18 | ) 19 | 20 | Get-wmiobject win32_service -ComputerName $computer -Filter "startmode = 'Auto' AND state != 'running' "| select PSComputername, name, pathname, startname | Export-CSV .\Get-AutoNotStartedServices.csv -NoTypeInformation -------------------------------------------------------------------------------- /Splunk/Get-SplunkStatus.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Checks for the status of the Splunk Forwarder service. It also logs the status and start time to two local files. 4 | 5 | #> 6 | 7 | 8 | $computers = get-content C:\users\blue\Desktop\computers.txt 9 | $service = "splunkforwarder" 10 | $process_name = "splunkd" 11 | $service_stat = "service_status.txt" 12 | $start_times = "service_start_time.txt" 13 | 14 | # Gets the status of a service 15 | get-service -computername $computers -name $service| Select MachineName, Name, Status | ft -AutoSize >> $service_stat 16 | 17 | # Gets the start time of a process, which is tied to a service 18 | foreach($computer in $computers) 19 | { 20 | echo $computer >> $start_times 21 | get-process -Name $process_name | select Name, StartTime | ft >> $start_times 22 | } -------------------------------------------------------------------------------- /System_Information/Get-SoftwareInstall.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets a list of all software installed on a local or remote system. 
4 | 5 | #> 6 | 7 | param( 8 | [Parameter(Mandatory=$true)][string]$ComputerName 9 | ) 10 | 11 | function software{ 12 | Get-WmiObject -Class win32_product -ComputerName $cpu | select PSComputername, Name, PackageCache, Vendor, Version, IdentifyingNumber | Export-CSV .\Software.csv -NoTypeInformation 13 | } 14 | 15 | 16 | # Parameters received at the start of running the script 17 | if($ComputerName -like '*.txt') 18 | { 19 | $cpu = Get-content $computername 20 | software 21 | } 22 | elseif($ComputerName -notcontains '.txt') 23 | { 24 | $cpu = $ComputerName 25 | software 26 | } 27 | else{Echo 'No IP or a file containing IPs were specified'} -------------------------------------------------------------------------------- /Active_Directory/Set-PasswordByGroup.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Sets a specific password to all users that are members of a specified group. 4 | 5 | NOTE: Be aware that a user can be a member of multiple groups. For example, admin accounts are commonly part of the Domain Users group as well as a privileged group. 6 | 7 | #> 8 | 9 | write-host "Input the Group name containing users" -ForegroundColor Cyan 10 | $some_group = Read-host " " 11 | Write-host "Input the new password to set" -ForegroundColor Cyan 12 | $new_pass = Read-host " " 13 | 14 | 15 | import-module activedirectory 16 | 17 | 18 | Get-ADGroupMember -Identity $some_group | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $new_pass -Force) 19 | 20 | Get-ADGroupMember -Identity $some_group | Set-aduser -changepasswordatlogon $true -------------------------------------------------------------------------------- /Active_Directory/Set-PasswordByOU.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Sets a specific password to all users within a specific OU. 
4 | 5 | NOTE: If the OU you want to do is the main Users OU, use "CN=users". For all other OUs, use "OU=Texas". 6 | 7 | #> 8 | 9 | write-host "Input the OU you want to search in. Example: OU=Texas,DC=sandbox,DC=local" -ForegroundColor Cyan 10 | $searchbase = Read-host " " 11 | Write-host "Input the new password to set" -ForegroundColor Cyan 12 | $new_pass = Read-host " " 13 | 14 | 15 | import-module activedirectory 16 | 17 | Get-ADUser -Filter * -SearchScope Subtree -SearchBase $searchbase | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $new_pass -Force) 18 | 19 | Get-ADUser -Filter * -SearchScope Subtree -SearchBase $searchbase | Set-aduser -changepasswordatlogon $true -------------------------------------------------------------------------------- /_Misc/Set-ServerPrefetch.ps1: -------------------------------------------------------------------------------- 1 | function Set-ServerPrefetch{ 2 | 3 | #Requires -RunAsAdministrator 4 | 5 | <# 6 | .SYNOPSIS 7 | Enables prefetch on a Server 2008 R2 and newer server operating systems. No restart is needed but it does need to be ran with elevated rights. 
8 | #> 9 | 10 | 11 | New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" 12 | New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name EnablePrefetcher -Value 3 -PropertyType dword 13 | 14 | New-Item "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" 15 | New-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" -name MaxPrefetchFiles -Value 8192 -PropertyType dword 16 | 17 | Enable-MMAgent –OperationAPI 18 | 19 | Restart-Service sysmain 20 | 21 | } -------------------------------------------------------------------------------- /System_Information/Get-Hostname2IP.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Takes in a text file containing hostnames and returns the IP address(es) DNS resolves for each of them. Results are sent to .\Hostname-2-IP.csv. 4 | 5 | #> 6 | 7 | 8 | Write-Host "Input path to text file containing hostnames" -ForegroundColor Cyan 9 | $cpu_list = Read-Host ' ' 10 | 11 | if(Test-Path .\sat_ip_addresses.txt) 12 | {Remove-Item .\sat_ip_addresses.txt} 13 | 14 | 15 | function Get-HostToIP($hostname) { 16 | $result = [system.Net.Dns]::GetHostByName($hostname) 17 | $result.AddressList | ForEach-Object {$hostname + ' ' + $_.IPAddressToString} 18 | } 19 | 20 | Get-Content $cpu_list | ForEach-Object {(Get-HostToIP($_)) >> .\sat_ip_addresses.txt} 21 | 22 | import-csv ".\sat_ip_addresses.txt" -Delimiter ' ' -Header 'Hostname', 'IP' |export-csv .\Hostname-2-IP.csv 23 | 24 | Remove-Item .\sat_ip_addresses.txt 25 | 26 | -------------------------------------------------------------------------------- /Splunk/Restart-SplunkFwd.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Restarts the Splunk Forwarder service. It also logs the status and start time to two local files. 
4 | 5 | #> 6 | 7 | $computers = get-content C:\users\blue\Desktop\computers.txt 8 | $service = "splunkforwarder" 9 | $process_name = "splunkd" 10 | $service_stat = "service_status.txt" 11 | $start_times = "service_start_time.txt" 12 | 13 | # Restarts the service and gets the start time of its process. NOTE: restart-service and get-process below have no -ComputerName, so they act on the local host, not on $computer. 14 | foreach($computer in $computers) 15 | { 16 | restart-service -name $service 17 | get-service -name $service | restart-service 18 | sleep 4 19 | echo $computer >> $start_times 20 | get-process -Name $process_name | select Name, StartTime | ft >> $start_times 21 | } 22 | 23 | # Gets the status of the service on each remote computer 24 | get-service -computername $computers -name $service| Select MachineName, Name, Status | ft -AutoSize >> $service_stat -------------------------------------------------------------------------------- /Active_Directory/Get-BaselineUsers.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets a baseline list of user accounts that can be used to compare against at a later time. To get a snapshot at another point in 4 | time, run the Get-BaselineUsersCompare.ps1 script. 5 | #> 6 | 7 | import-module activedirectory 8 | 9 | # Create directory for baseline file storage. 10 | New-item .\User_Check -ItemType directory 11 | Set-Location .\User_Check 12 | 13 | # Gather a list of users (members of "Domain Users"). You may need to alter this to fit your organization's structure. 14 | "Domain Users" >> .\Baseline_Users.txt 15 | get-adgroupmember "Domain Users" -recursive | findstr "distinguishedName" >> .\Baseline_Users.txt 16 | 17 | # Add white space and title. 
18 | " " >> .\_Domain_Changes_Log.txt 19 | " " >> .\_Domain_Changes_Log.txt 20 | "Domain Users Checked" >> .\_Domain_Changes_Log.txt 21 | 22 | # Add date\time stamp to log 23 | Get-Date >> .\_Domain_Changes_Log.txt 24 | -------------------------------------------------------------------------------- /System_Information/Set-WMI_Logging.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Enables WMI logging (Trace) and sets the log size to 10 MB. Once enabled, logs can be found in Event Viewer as described below. 4 | 5 | .VIEWING LOGS 6 | GUI: 7 | 1. Open Event Viewer 8 | 2. Click View and select 'Show Analytic and Debug Logs' 9 | 3. Expand Application and Services > Microsoft > Windows > WMI-Activity > Trace 10 | 4. Event ID 11 contains the useful information 11 | 12 | Command-Line: 13 | 1. In PowerShell, type: Get-WinEvent -LogName 'Microsoft-Windows-WMI-Activity/Trace' | Out-GridView 14 | #> 15 | 16 | $computers = '192.168.60.202','192.168.60.201' 17 | 18 | 19 | foreach($cpu in $computers) 20 | { 21 | wevtutil sl Microsoft-Windows-WMI-Activity/Trace /rt:true /ms:100000000 /r:$cpu 22 | Write-Output 'y' | wevtutil sl Microsoft-Windows-WMI-Activity/Trace /e:true /r:$cpu 23 | } 24 | 25 | -------------------------------------------------------------------------------- /_Misc/Disable-Cortana.ps1: -------------------------------------------------------------------------------- 1 | Function Disable-Cortana 2 | { 3 | 4 | <# 5 | .SYNOPSIS 6 | Disables Cortana in Windows 10. 
7 | 8 | #> 9 | $path1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" 10 | $path2 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" 11 | 12 | if(!(Test-Path -Path $path1)) 13 | { 14 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows" -Name "Windows Search" 15 | } 16 | if(!(Test-Path -Path $path2)) 17 | { 18 | New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\" -Name "Windows Search" 19 | } 20 | 21 | Set-ItemProperty -Path $path1 -Name "AllowCortana" -Value 0 22 | Set-ItemProperty -Path $path2 -Name "AllowCortana" -Value 0 23 | # Restart Explorer to apply the change immediately... it will take a minute or so for your taskbar to return 24 | Stop-Process -name explorer 25 | } 26 | 27 | -------------------------------------------------------------------------------- /Active_Directory/Get-ADUserInactivity.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets a list of enabled users who have been inactive for 90 days. 4 | 5 | .LINK 6 | 7 | #> 8 | 9 | 10 | Import-Module ActiveDirectory 11 | $date = get-date 12 | 13 | 14 | $90Days = $date.adddays(-90) 15 | # OUs whose accounts would be checked (currently unused: the Get-ADUser call below has no -SearchBase, so the whole domain is searched) 16 | #$ou1="OU=insert,DC=insert,DC=com" 17 | #$ou2="OU=insert,OU=insert,DC=insert,DC=com" 18 | 19 | $usersAttributes = {(lastlogondate -notlike "*" -OR lastlogondate -le $90days) -AND (passwordlastset -le $90days) -AND (enabled -eq $True) -and (PasswordNeverExpires -eq $false) -and (whencreated -le $90days)} 20 | $oldusers = Get-ADUser -properties * -filter $usersAttributes 21 | 22 | # Display the matching inactive accounts in a grid view. Nothing is written to a file and no account is disabled by this script. 23 | $oldusers | select-object name, SAMaccountname, passwordExpired, PasswordNeverExpires, logoncount, whenCreated, lastlogondate, PasswordLastSet, lastlogontimestamp, CanonicalName | Out-GridView 24 | 25 | -------------------------------------------------------------------------------- /Active_Directory/Get-ADComputerSid.ps1: 
-------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | This script will return the SID for all Domain computer accounts. 4 | 5 | .OUTPUTS 6 | Name SID 7 | ---- --- 8 | DC1-lab S-1-5-21-3259443097-3599676039-1305684680-1000 9 | WK1-lab S-1-5-21-3259443097-3599676039-1305684680-1103 10 | WK2-lab S-1-5-21-3259443097-3599676039-1305684680-1107 11 | 12 | .LINK 13 | 14 | #> 15 | 16 | 17 | import-module activedirectory 18 | get-adcomputer -filter * | select Name, SID -------------------------------------------------------------------------------- /Processes and Services/Get-ProcessCompare.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Compares two process lists and outputs the difference. 4 | 5 | To get the baseline process list, you would run the following: 6 | Get-Process | Export-CliXML reference.xml 7 | 8 | That will save the current running processes to a file called reference.xml. Utilizing the below script, it will read back in the reference.xml file and compare 9 | the difference with the current running processes. The differences are displayed on screen. 
10 | #> 11 | 12 | $compare_2 = diff -reference (import-clixml .\reference.xml) -difference (get-process) -property Name 13 | Write-Host " " " ** LEGEND **" -fore yellow -back green 14 | Write-Host "=> : In the new file, not in the baseline" -fore yellow -back green 15 | Write-Host "<= : In the baseline, not in the new file" -fore yellow -back green | ft -autosize 16 | $compare_2 -------------------------------------------------------------------------------- /System_Information/Get-TotalLinkProcessCount.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets a count of files that have a link between a process and a data file, indicating that the file participated in the execution of the process. 4 | #> 5 | 6 | $computers = Get-Content C:\users\blue\desktop\computers.txt 7 | 8 | $current_user = [Environment]::UserName 9 | $newline = "`r`n" 10 | 11 | foreach($cpu in $computers) 12 | { 13 | $ProcExes = Get-WmiObject -Namespace root\cimv2 -Class CIM_ProcessExecutable -ComputerName $cpu 14 | $combined += $cpu + '+' + $ProcExes.Count + $newline 15 | } 16 | 17 | Add-content -Path "c:\users\$current_user\desktop\total_exe.txt" -Value ($combined) 18 | 19 | Import-csv "c:\users\$current_user\desktop\total_exe.txt" -Delimiter '+' -Header 'System', 'Count' | export-csv c:\users\$current_user\desktop\Total_Link_Process_Count.csv 20 | 21 | remove-item "c:\users\$current_user\desktop\total_exe.txt" 22 | Remove-Variable combined, ProcExes -------------------------------------------------------------------------------- /Processes and Services/Invoke-TerminateProcess.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | This script will remotely terminate a process by name on a system using the IP or hostname. 
4 | 5 | #> 6 | 7 | $ComputerName = Read-Host -Prompt "Input the computer name or IP" 8 | $ProcessName = Read-Host -Prompt "Input the process name" 9 | 10 | # Lists the specific process 11 | $Processes = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter "name='$ProcessName'" 12 | 13 | foreach ($process in $processes) 14 | { 15 | echo "Found the process, I am trying to terminate it now..." 16 | $returnval = $process.terminate() 17 | echo "Almost done..." 18 | $processid = $process.handle 19 | 20 | if($returnval.returnvalue -eq 0) 21 | { 22 | write-host "The process $ProcessName `($processid`) terminated successfully!" 23 | } 24 | else 25 | { 26 | write-host "The process to terminate $ProcessName `($processid`) has some problems :(" 27 | } 28 | } -------------------------------------------------------------------------------- /_Misc/Convert-Base64ToImage.ps1: -------------------------------------------------------------------------------- 1 | Function Convert-Base64ToImage { 2 | 3 | <# 4 | .SYNOPSIS 5 | Converts a Base64 string into an image. 6 | 7 | .PARAMETER b64_string 8 | Base64 string to decode. 9 | 10 | .PARAMETER output_file 11 | Name of image file to convert Base64 encoded string to. The script was tested with jpg and png; other formats may work. 12 | 13 | .EXAMPLE 14 | PS c:\> Convert-Base64ToImage -b64_string 'MTcyLjE2LjE1NS4yMDANCjE3Mi4xNi4xNTUuMjAxDQoxNzIuMTYuMTU1LjIwMw==' -output_file c:\my_pic.png 15 | 16 | Decodes specified string into an image called "my_pic.png". 
17 | #> 18 | 19 | 20 | param( 21 | [Parameter(Mandatory=$true)][string]$B64_string, 22 | [Parameter(Mandatory=$true)][string]$Output_file 23 | ) 24 | 25 | 26 | $imageBytes = [Convert]::FromBase64String($b64String) 27 | $ms = New-Object IO.MemoryStream($imageBytes, 0, $imageBytes.Length) 28 | $ms.Write($imageBytes, 0, $imageBytes.Length); 29 | $image = [System.Drawing.Image]::FromStream($ms, $true) 30 | $image.Save("$output_file") 31 | 32 | } -------------------------------------------------------------------------------- /Linux/Get-CronJobs.ps1: -------------------------------------------------------------------------------- 1 | 2 | $users = get-content /etc/passwd 3 | $obj = @() 4 | $obj = foreach($user in $users){ 5 | $user = $user -split ':' 6 | $task = crontab -u $user[0] -l 2>&1 7 | if($task -notlike "no*"){ 8 | foreach($userTask in $task){ 9 | $settings = $usertask -split ' ' 10 | [PSCustomObject]@{ 11 | User = $user[0] 12 | Minute = $settings[0] 13 | Hour = $settings[1] 14 | DayOfMonth = $settings[2] 15 | Month = $settings[3] 16 | DayOfWeek = $settings[4] 17 | Command = $settings[5..$settings.length[-1]] -join ' ' 18 | } 19 | } 20 | } 21 | else{ 22 | [PSCustomObject]@{ 23 | User = $user[0] 24 | Minute = "None" 25 | Hour = "None" 26 | DayOfMonth = "None" 27 | Month = "None" 28 | DayOfWeek = "None" 29 | Command = "None" 30 | } 31 | } 32 | } 33 | 34 | $obj 35 | -------------------------------------------------------------------------------- /Exchange/Find and delete.txt: -------------------------------------------------------------------------------- 1 | # NOTE: The user you use to query Excahnge with must have the Discovery Management RBAC Role. 
2 | 3 | # Add a user to the Discovery Management RBAC Role 4 | Add-RoleGroupMember "discovery management" -member [some_user] 5 | 6 | # Creates a search called "phishingCampaign" that searches for emails that contain "nov" in the subject 7 | New-ComplianceSearch -name "phishingCampaign" -exchangelocation all - contentmatchquery 'subject:*nov*' 8 | 9 | # Actually executes the search from above 10 | Start-ComplianceSearch -Identity "phishingCampaign" 11 | 12 | # Returns any hits from the search 13 | Get-ComplianceSearch -Identity "phishingCampaign" | select-object name, runby, jobendtime, status, successresults 14 | 15 | # Moves any messages that match the criteria to the Deletion folder in the user's Recoverable Items folder. 16 | New-ComplianceSearchAction -SearchName "phishingCampaign" -Purge -PurgeType softdelete 17 | 18 | # Retrieves the results and serves as a method to validate deletion. 19 | Get-ComplianceSearchAction 20 | -------------------------------------------------------------------------------- /Linux/Get-CronLogs.ps1: -------------------------------------------------------------------------------- 1 | $logs = Get-Content "/var/log/cron" 2 | $obj = @() 3 | $obj = foreach($log in $logs){ 4 | $logSplit = $log.Split(' ',6) 5 | if($log -like "*: (*)*" ){ 6 | $logSplit2 = $logSplit[-1].Split(' ',2) 7 | [PSCustomObject]@{ 8 | Date = $log[0..5] -join '' 9 | Time = $log[7..14] -join '' 10 | Hostname = $logSplit[3] 11 | Deamon = ($logSplit[4] -split '\[' -split '\]')[0] 12 | PID = ($logSplit[4] -split '\[' -split '\]')[1] 13 | User = ($logSplit2[0]).Trim('\(').Trim('\)') 14 | Command = $logSplit2[1] 15 | } 16 | } 17 | else{ 18 | [PSCustomObject]@{ 19 | Date = $log[0..5] -join '' 20 | Time = $log[7..14] -join '' 21 | Hostname = $logSplit[3] 22 | Deamon = ($logSplit[4] -split '\[' -split '\]')[0] 23 | PID = ($logSplit[4] -split '\[' -split '\]')[1] 24 | User = "N/A" 25 | Command = $logSplit[-1] 26 | } 27 | } 28 | } 29 | 30 | $obj 31 | 
-------------------------------------------------------------------------------- /Linux/Get-Service.ps1: -------------------------------------------------------------------------------- 1 | $systemctl = systemctl list-units --type=service --no-legend --all #| select -skip 2 -first 4 2 | 3 | $obj = @() 4 | $obj = foreach($sys in $systemctl){ 5 | $sys = $sys -split '\s+',5 6 | $stat = service $sys[0] status 2>&1 7 | $time = $path = $id = '' 8 | if($sys[2] -eq 'active'){ 9 | $active = $true 10 | } 11 | else{ 12 | $active = $false 13 | } 14 | foreach($item in $stat){ 15 | if($item -like "*active:*"){ 16 | $time = ($item -split '\s+')[6..7] -join ' ' 17 | } 18 | if($item -like "*main pid*"){ 19 | $id = ($item -split '\s+')[3] 20 | } 21 | if($item -like "*$id*/*"){ 22 | $path = ($item -split '[0-9] ')[-1] 23 | } 24 | } 25 | [PSCustomObject]@{ 26 | Name = $sys[0] 27 | PID = $id 28 | Path = $path 29 | State = $sys[1] 30 | Active = $active 31 | Status = $sys[3] 32 | StartTime = $time 33 | Description = $sys[-1] 34 | } 35 | } 36 | 37 | $obj 38 | -------------------------------------------------------------------------------- /Active_Directory/Get-BaselineAdmins.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets a baseline list of Admins that can be used to compare against at a later time. To get a snapshot at another point in 4 | time, run the Get-BaselineAdminsCompare.ps1 script. 5 | 6 | #> 7 | 8 | import-module activedirectory 9 | 10 | # Create directory for baseline file storage. 11 | New-item .\Admin_Check -ItemType directory 12 | Set-Location .\Admin_Check 13 | 14 | # Gather a list of admins. You may need to alter this to fit your organization's structure. 
15 | "Domain Admins" > .\Baseline_Admins.txt 16 | get-adgroupmember "Domain Admins" | findstr "distinguishedName" >> .\Baseline_Admins.txt 17 | 18 | "Administrators" >> .\Baseline_Admins.txt 19 | get-adgroupmember "Administrators" -recursive | findstr "distinguishedName" >> .\Baseline_Admins.txt 20 | 21 | # Add white space and title. 22 | " " >> .\_Domain_Changes_Log.txt 23 | " " >> .\_Domain_Changes_Log.txt 24 | "Domain Admins Checked" >> .\_Domain_Changes_Log.txt 25 | 26 | # Add date\time stamp to log 27 | Get-Date >> .\_Domain_Changes_Log.txt 28 | -------------------------------------------------------------------------------- /Processes and Services/Get-TotalLinkProcessCount.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets a count of files that have a link between a process and a data file. This indicates that the file participates in the execution of the process. 4 | 5 | #> 6 | 7 | write-host "Input the path the file containing names\IPs or input a single IP" -ForegroundColor Cyan 8 | $computers = read-host " " 9 | 10 | $current_user = [Environment]::UserName 11 | $newline = "`r`n" 12 | 13 | foreach($cpu in $computers) 14 | { 15 | $ProcExes = Get-WmiObject -Namespace root\cimv2 -Class CIM_ProcessExecutable -ComputerName $cpu 16 | $combined += $cpu + '+' + $ProcExes.Count + $newline 17 | } 18 | 19 | Add-content -Path "c:\users\$current_user\desktop\total_exe.txt" -Value ($combined) 20 | 21 | Import-csv "c:\users\$current_user\desktop\total_exe.txt" -Delimiter '+' -Header 'System', 'Count' | export-csv c:\users\$current_user\desktop\Total_Link_Process_Count.csv 22 | 23 | remove-item "c:\users\$current_user\desktop\total_exe.txt" 24 | Remove-Variable combined, ProcExes -------------------------------------------------------------------------------- /Splunk/Invoke-SplunkFwdRemover2.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | 
Initiator for removing the Splunk Forwarder. This script requires a Splunk forwarder .msi, which is used to delete a forwarder on a remote system. 4 | 5 | #> 6 | 7 | # Reads in a list of computer names or IPs that you want the forwarder deleted from 8 | $computers = Get-Content .\computers.txt 9 | 10 | # The Splunk Forwarder to be deleted 11 | $fowarder = "splunkforwarder-6.4.3-b03109c2bad4-x64-release.msi" 12 | 13 | 14 | foreach($computer in $computers) 15 | { 16 | 17 | # Copies Splunk Forwarder to the distant workstation 18 | Copy-Item .\$fowarder \\$computer\c$\. 19 | 20 | # Creates a WMI Win32_Process handle on the remote computer and launches the uninstall through it 21 | $Action = [wmiclass] "\\$computer\ROOT\CIMv2:Win32_Process" 22 | $Method = $Action.create('powershell /c msiexec.exe /uninstall "c:\splunkforwarder-6.4.3-b03109c2bad4-x64-release.msi" /quiet ') 23 | 24 | # Allow time for the command to run. NOTE: this is a fixed wait and $Method.ReturnValue is never checked, so a failed or slow uninstall goes unnoticed before the .msi is removed. 25 | sleep 15 26 | 27 | # Deletes the .msi after the uninstall is complete 28 | remove-item \\$computer\c$\$fowarder 29 | } -------------------------------------------------------------------------------- /Splunk/Splunk-StartFowarder.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Starts a Splunk Forwarder. It also logs the status and start time to two local files. 4 | #> 5 | 6 | $computers = get-content C:\users\blue\Desktop\computers.txt 7 | $service = "splunkforwarder" 8 | $process_name = "splunkd" 9 | $service_stat = "service_status.txt" 10 | $start_times = "service_start_time.txt" 11 | 12 | # Starts service 13 | get-service -computername $computers -name $service | start-service 14 | 15 | # This is an alternate method in case the above doesn't work. 
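#get-service -computername $computer -name $service | Set-service -Status running

# Gets the status of a service (stopped or running)
get-service -computername $computers -name $service | Select MachineName, Name, Status | ft -AutoSize >> $service_stat

# Gets the start time of the process which is tied to the service.
# Win32_Process is queried on each remote host; the original Get-Process had no -ComputerName and so only ever
# looked at the local machine. CreationDate is a WMI datetime string and is converted so the column reads like StartTime.
foreach($computer in $computers)
{
    echo $computer >> $start_times
    Get-WmiObject -Class Win32_Process -ComputerName $computer -Filter "Name = '$process_name.exe'" |
        select Name, @{Name='StartTime';Expression={$_.ConvertToDateTime($_.CreationDate)}} | ft >> $start_times
}
-------------------------------------------------------------------------------- /System_Information/Get-DirListing.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Reads in a list of Computers and returns a directory listing of a specified directory along with the creation time\date, and whether or not it is hidden
within the filesystem. This script can be run remotely but it is not the fastest.

.DESCRIPTION
Queries win32_directory over WMI on every computer in .\computers.txt and writes PSComputerName, Name, CreationTime and
Hidden to ./dir_listing.csv. The directory to list is set by the WQL filter below; the commented-out query lists all of C:\.
#>

$computers = Get-Content .\computers.txt

# Signifies the root of the c:\ and all it's sub-directories
# Get-WmiObject -namespace root\cimv2 -class win32_directory -ComputerName $computers | select PSComputerName, Name, @{label='CreationTime';expression={$_.ConvertToDateTime($_.CreationDate)}}, Hidden | Export-CSV ./dir_listing.csv -NoTypeInformation

# Specifies everything in the c:\windows\syswow64 directory and all sub-directories.
# The backslashes are doubled because the filter is a WQL string, where '\' has to be escaped.
Get-WmiObject -namespace root\cimv2 -class win32_directory -ComputerName $computers -filter "Name LIKE 'C:\\windows\\syswow64%'" | select PSComputerName, Name, @{label='CreationTime';expression={$_.ConvertToDateTime($_.CreationDate)}}, Hidden | Export-CSV ./dir_listing.csv -NoTypeInformation

-------------------------------------------------------------------------------- /Splunk/Invoke-SplunkFwd.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Initiator for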
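deploying the Splunk Forwarder.

NOTE: Be sure to set $fowarder to the name of your .msi and $deployment_server to the address of your Deployment server before running.
Both values are used in exactly one place each, so there is nothing else to keep in sync.
#>


# Variables to change
$computers = Get-Content .\computers.txt
$fowarder = "splunkforwarder-6.4.3-b03109c2bad4-x64-release.msi"
# host:port of the Splunk Deployment server the forwarder should report to
$deployment_server = "172.16.123.141:8089"


foreach($computer in $computers)
{

    # Copies Splunk Forwarder to the distant workstation
    Copy-Item .\$fowarder \\$computer\c$\.

    # Creates a variable for WMI process
    $Action = [wmiclass] "\\$computer\ROOT\CIMv2:Win32_Process"

    # Creates a process call to invoke the Splunk Fowarder we copied.
    # The .msi name comes from $fowarder; the original repeated the file name here, so the copy and the install could disagree.
    $Method = $Action.create("powershell /c msiexec.exe /i c:\$fowarder DEPLOYMENT_SERVER=`"$deployment_server`" AGREETOLICENSE=Yes /quiet ")

    # Win32_Process.Create returns 0 on success; anything else means the install never started on that host.
    if ($Method.ReturnValue -ne 0)
    {
        Write-Warning "$computer : Win32_Process.Create failed with return value $($Method.ReturnValue)"
    }

    # Allow time for the command to run
    sleep 15

    # Deletes the .msi after installation is complete
    remove-item \\$computer\c$\$fowarder

}
-------------------------------------------------------------------------------- /MIR/Invoke-MIR_Agent.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Initiator used to install the MIR Agent.

.REQUIREMENTS
- Requires an account on the remote computer (Hopefully one with permissions)
- Requires C$ or Admin Share

.USAGE
1 - Replace the $computers and $mir_dir variables to represent your situation
2 - Save your changes
3 - Execute the script
#>


$computers = Get-Content .\computers.txt
$mir_dir = 'C:\users\blue\Desktop\MIR_Agent'

# The loop variable is $cpu because that is the name the copy, WMI and cleanup steps refer to;
# the original looped over $computer and then used an undefined $cpu in every path.
foreach($cpu in $computers)
{
    # Copies directory to distant workstation
    Copy-Item $mir_dir -recurse \\$cpu\c$\.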
23 | 24 | # Creates variable for WMI process 25 | $Action = [wmiclass] "\\$cpu\ROOT\CIMv2:Win32_Process" 26 | 27 | # Creates process creation to invoke the agent install 28 | $Method = $Action.create("powershell /c msiexec /i c:\MIR_Agent\mir_agent.msi /qn ") 29 | 30 | # Allows time for the agent to install 31 | sleep 10 32 | 33 | # Deletes the script and log file on the distant machine 34 | remove-item \\$cpu\c$\MIR_Agent -Recurse 35 | } 36 | -------------------------------------------------------------------------------- /Active_Directory/Test-ADCredential.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Takes a user name and a password as input and will verify if the combination is correct. The script returns a boolean based on the result. 4 | 5 | .PARAMETER UserName 6 | The samaccountname of the Active Directory user account 7 | 8 | .PARAMETER Password 9 | The password of the Active Directory user account 10 | 11 | .EXAMPLE 12 | PS C:\> Test-ADCredential.ps1 -username blue -password Secret01 13 | 14 | Attempts to verify if the user 'blue' exists with a password of 'Secret01' 15 | 16 | .LINKS 17 | https://gallery.technet.microsoft.com/scriptcenter/Verify-the-Local-User-1e365545/view/Discussions 18 | #> 19 | 20 | 21 | param( 22 | [Parameter(Mandatory=$true)][string]$Username, 23 | [Parameter(Mandatory=$true)][string]$Password 24 | ) 25 | 26 | 27 | if (!($UserName) -or !($Password)) 28 | { 29 | Write-Warning 'Test-ADCredential: Please specify both user name and password' 30 | } 31 | else 32 | { 33 | Add-Type -AssemblyName System.DirectoryServices.AccountManagement 34 | $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('domain') 35 | $DS.ValidateCredentials($UserName, $Password) 36 | } -------------------------------------------------------------------------------- /Active_Directory/Get-DomainChanges.ps1: 
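--------------------------------------------------------------------------------
<#
.SYNOPSIS
Gets the changes in the domain since a specified date.

.PARAMETER when
Used to specify how many days back to include in the search.

.EXAMPLE
PS C:\> .\Get-DomainChanges.ps1 -when 365

Specifies to include 365 days back from today's date in the search

.OUTPUTS
Appends a header with the change count, followed by the formatted list of changed objects, to .\Domain_Changes_Rolling_Log.txt.
#>

param(
    # [int] so that -when 365 (or '365') is a number before the date arithmetic below
    [Parameter(Mandatory=$true)][int]$when
)


Import-Module ActiveDirectory

$StartDate = (get-date).AddDays(-$when)

# Find all changes in the domain since the date and keep them as objects.
# Formatting is deferred to the write below: the original stored format-table output and then counted
# formatting records (headers, group markers), not changed objects, so the reported count was wrong.
$changes_made = @(Get-ADObject -Filter 'whenChanged -gt $StartDate' -IncludeDeletedObjects -Properties Deleted, WhenCreated, WhenChanged | sort-object objectclass)

$x = $changes_made.Count
echo "#########################################" >> .\Domain_Changes_Rolling_Log.txt
echo "Number of Changes made since $StartDate is $x." >> .\Domain_Changes_Rolling_Log.txt
echo "#########################################" >> .\Domain_Changes_Rolling_Log.txt
$changes_made | format-table deleted, Name, ObjectClass, WhenCreated, WhenChanged >> .\Domain_Changes_Rolling_Log.txt

-------------------------------------------------------------------------------- /_Misc/Convert-Rot13.ps1: --------------------------------------------------------------------------------
Function Convert-Rot13 {

<#
.SYNOPSIS
Convert given string to rot13

.NOTES
File Name : Convert-Rot13.ps1
Version : v.0.1
Created : 06 MAY 16

.PARAMETER Rot13String
Used to input a string to convert.

.EXAMPLE
PS c:\> Convert-Rot13 -rot13string hamburger

Converts the string 'hamburger' to Rot13.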
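
#>


    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true
        )]
        [String]
        $rot13string
    )

    # A process block so that every string arriving on the pipeline is converted, not only the last one.
    process
    {
        [String] $string = $null;
        # The script block must open on the same line as ForEach-Object: on a line of its own it parses as a
        # separate script-block expression and ForEach-Object prompts for its missing -Process argument.
        $rot13string.ToCharArray() | ForEach-Object {
            Write-Verbose "$($_): $([int] $_)"
            # a-m (97-109) and A-M (65-77) shift forward 13; n-z (110-122) and N-Z (78-90) shift back 13; anything else is kept.
            if((([int] $_ -ge 97) -and ([int] $_ -le 109)) -or (([int] $_ -ge 65) -and ([int] $_ -le 77)))
            {
                $string += [char] ([int] $_ + 13);
            }
            elseif((([int] $_ -ge 110) -and ([int] $_ -le 122)) -or (([int] $_ -ge 78) -and ([int] $_ -le 90)))
            {
                $string += [char] ([int] $_ - 13);
            }
            else
            {
                $string += $_
            }
        }

        $string
    }

}
-------------------------------------------------------------------------------- /Processes and Services/Get-MassServiceStatus.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Checks the status of a specified service and logs the status and the process start time to two local files.

.PARAMETER computer
Used to feed the script a file containing computer names or IPs. A single IP can be used as well.

.PARAMETER service
Used to specify a service name.

.PARAMETER process
Used to specify a process name.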
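
.EXAMPLE
PS C:\> .\Get-MassServiceStatus.ps1 -computer c:\computers.txt -service 'splunkforwarder service' -process 'splunkd'

.OUTPUTS
Appends to service_status.txt (MachineName, Name, Status) and to service_start_time.txt (each host name followed by the process start time).
#>


param(
    [Parameter(Mandatory=$true)][string]$Computer,
    [Parameter(Mandatory=$true)][string]$Service,
    [Parameter(Mandatory=$true)][string]$Process
)


$service_stat = "service_status.txt"
$start_times = "service_start_time.txt"

# -computer is documented as either a file of hosts or a single host. Looping over the raw [string] never read
# the file, so a path that exists is expanded here and anything else is treated as one host.
$targets = if (Test-Path -Path $Computer -PathType Leaf) { Get-Content -Path $Computer } else { @($Computer) }
# Win32_Process reports image names with their extension (splunkd.exe); the example passes the bare name.
$procName = if ($Process -like '*.exe') { $Process } else { "$Process.exe" }

# Gets the status of a service
get-service -computername $targets -name $service| Select MachineName, Name, Status | ft -AutoSize >> $service_stat

# Gets the start time of a process, which is tied to a service.
# Win32_Process is queried on the remote host; the original Get-Process had no -ComputerName and only looked at the local machine.
foreach($cpu in $targets)
{
    echo $cpu >> $start_times
    Get-WmiObject -Class Win32_Process -ComputerName $cpu -Filter "Name = '$procName'" |
        select Name, @{Name='StartTime';Expression={$_.ConvertToDateTime($_.CreationDate)}} | ft >> $start_times
}
-------------------------------------------------------------------------------- /System_Information/Get-OS.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Retrieve Operating System version from a single system or a group of systems.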
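#>

function Get-OS
{
    <#
    .SYNOPSIS
    Interactive menu: queries Win32_OperatingSystem on one IP, or on every host listed in a text file.

    .PARAMETER Title
    Banner printed above the menu.
    #>
    param (
        [string]$Title = 'Get-OS'
    )

    # Both menu choices ran an identical query; only the source of the host list differs.
    function Show-OSInfo([string[]]$hosts)
    {
        foreach($sProperty in $hosts)
        {
            Get-WmiObject -class Win32_OperatingSystem -computername $sProperty | select PSComputerName, Caption, OSArchitecture, ServicePackMajorVersion, Description | FT -AutoSize
        }
    }

    cls
    Write-Host "================ $Title ================"

    Write-Host "1: Enter an IP"
    Write-Host "2: Read from a file"
    Write-Host " "
    $answer = read-host "Please Make a Selection"
    if ($answer -eq 1)
    {
        $sServer = Read-host "Enter an IP"
        Show-OSInfo $sServer
    }
    elseif ($answer -eq 2)
    {
        $reading = Read-host "Enter the path to the text file containing a list of systems"
        $sServer = get-content $reading
        Show-OSInfo $sServer
    }
    else
    {
        Write-Warning "Unknown selection '$answer'; enter 1 or 2."
    }
}

Get-OS
-------------------------------------------------------------------------------- /_Misc/Get-TranscriptStatus.ps1: --------------------------------------------------------------------------------
function Get-TranscriptStatus
{

<#
.SYNOPSIS
Returns whether the host is transcribing and if so, provides the file name and creation date. This works
in PowerShell version 2 only.

.DESCRIPTION
Reads the console host's private transcriptFileName field through reflection, then tries to open that file:
an open that succeeds is reported as "not transcribing", an open that fails is reported as "transcribing"
(the file is presumably still held open by the host for writing).
#>



try
{
$exHost = $host.gettype().getproperty("ExternalHost",[reflection.bindingflags]"nonpublic,instance").getvalue($host, @())
# The field is read from $exHost; the original passed an undefined $externalhost (i.e. $null), so the read always threw.
$scriptpath = $exhost.gettype().getfield("transcriptFileName", "nonpublic,instance").getvalue($exHost)
}
catch
{
Write-Warning "The ISE doesn't support this feature."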
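}

# With no transcript file name there is nothing to probe. The original continued into Get-Item/StreamReader with a
# null path, and the resulting exception was then misreported as "Host is transcribing".
if ([string]::IsNullOrEmpty($scriptpath))
{
Write-Warning "Host is not transcribing"
return
}

$file = get-item $scriptpath

try
{
$stream = New-Object system.IO.StreamReader $scriptpath
if ($stream)
{
$stream.Close()
Write-Warning "Host is not transcribing"
}
}
catch
{
# The open failed, presumably because the host still has the transcript open for writing.
write-host "Host is transcribing..." -ForegroundColor green
write-host "Transcript file : " -ForegroundColor green -NoNewline; write-host $file -ForegroundColor yellow
write-host "Creation Time : " -ForegroundColor green -NoNewline; write-host $file.creationtime -ForegroundColor yellow
}
}

-------------------------------------------------------------------------------- /System_Information/Get-IP2Hostname.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Takes in a single IP or a text file containing IPs and returns the hostname associated with them in DNS. Single IP queries are returned to the console while multiple IP
queries via a text file will be sent to .\IP-2-Hostname.csv.

.PARAMETER ip_address
Used to specify a single IP or a text file containing multiple IPs.

.EXAMPLE
PS C:\> .\Get-IP2Hostname -ip_address 172.16.155.201

Returns the hostname associated with 172.16.155.201 to the console.

.EXAMPLE
PS C:\> .\Get-IP2Hostname -ip_address c:\computers.txt

Returns the hostname associated with the IPs in computers.txt to .\IP-2-Hostname.csv.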
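
#>


param(
    [Parameter(Mandatory=$true)][string]$IP_Address
)


# Reverse-resolves one address; HostName is UNKNOWN when the lookup fails (no PTR record, DNS unreachable).
# Both branches below use it, so a file of IPs and a single IP produce identically shaped objects.
# (The original file branch called an undefined Get-HostName.)
function Resolve-IPToHost([string]$address)
{
    New-Object psobject -Property @{
        IPAddress = $address
        HostName = try { [system.net.dns]::GetHostByAddress($address).HostName } catch { "UNKNOWN" }
    }
}

# Parameters received at the start of running the script.
# A mandatory [string] is never empty, so there are exactly two cases: a .txt file of IPs, or one IP.
# The original 'elseif ($IP_Address -notcontains ".txt")' applied a collection operator to a string and was always true,
# which left the final else branch unreachable.
if($IP_Address -like '*.txt')
{
    Get-Content $IP_Address | %{ Resolve-IPToHost $_ } | Select-Object IPAddress, HostName | Export-Csv .\IP-2-Hostname.csv -NoTypeInformation
}
else
{
    Resolve-IPToHost $IP_Address
}
-------------------------------------------------------------------------------- /DNS/Get-DNSOutsideQuery.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
This script finds all DNS queries that didn't come from domain controllers. The results will show the count and source IP.

.OUTPUT
Produces the following files:
.\DNSOutsideQuery.csv
.\DNSOutsideQuery_hostnames.csv

.NOTES
Reads a DNS debug log from .\dns.log and keeps only ' PACKET ' lines containing 'UDP Rcv ' whose source is not a listed DC or ::1.
#>

#### Variable to Change #####
# Create a pipe separated list of domain controllers in your domain, this will negate them from the search.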
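$listOfDCs = "192.168.0.40|192.168.5.20|192.168.10.60"
# Each address is regex-escaped so that '.' matches a literal dot rather than any character, then the list is rejoined with '|'.
$listOfDCs = ($listOfDCs -split '\|' | ForEach-Object { [regex]::Escape($_) }) -join '|'
$loopbackIPv6 = [regex]::Escape("::1")

# Collected through the pipeline rather than with $array +=, which copies the array for every matching log line.
$myResults = @(Get-Content .\dns.log | ?{$_ -match ' PACKET ' -and $_ -match "UDP Rcv " -and $_ -notmatch $listOfDCs -and $_ -notmatch $loopbackIPv6} | %{
    # The source address is the first token after 'UDP Rcv ' on a packet line.
    $sourceIP = (($_ -split("UDP Rcv "))[1] -split(" "))[0]
    New-Object psobject -Property @{
        SourceIP = $sourceIP
        FullLine = $_
    }
})

# Group once; both reports are derived from the same per-source counts.
$bySource = $myResults | Group-Object -Property SourceIP | Sort-Object Count -Descending

$bySource | export-csv .\DNSOutsideQuery.csv


$bySource | %{
    $sourceName = try { [system.net.dns]::GetHostByAddress($_.Name).HostName } catch { "UNKNOWN" }
    New-Object psobject -property @{
        HostName = $sourceName
        IP = $_.Name
        Count = $_.Count
    }
} | export-csv .\DNSOutsideQuery_hostnames.csv

-------------------------------------------------------------------------------- /GRR/Invoke-GRR_Agent.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Initiates process call on specified systems to install the GRR agent from a share.

.USAGE
1 - Create a share with suitable rights and put the GRR agent there
2 - When prompted, give the path to your list of computers (one name or IP per line)
3 - When prompted, give the path to the GRR agent executable
4 - Execute the script

.NOTES
Hosts that WMI cannot reach are appended to .\YarPoSh_Results\_Log.txt.
#>

Write-Host "Input the path to the file containing system names or IPs."
# The prompt answers with a path to a list. The original 'read-host = " "' passed '=' as a positional argument
# and failed to bind; the path text itself was then iterated instead of the hosts it names.
$computers = Get-Content (read-host " ")

Write-Host "Input path to GRR agent executable."
$path = read-host " "

$exe = $path.split('\') | select -last 1

foreach($computer in $computers)
{
    # Copies the agent to be run on distant workstation
    Copy-Item $path \\$computer\c$\.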
24 | 25 | $proc = Invoke-WmiMethod -ComputerName $computer -Class Win32_Process -Name Create -ArgumentList "powershell /c $exe" 26 | $my_var = Register-WmiEvent -ComputerName $computer -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $computer -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"} 27 | if($proc.processid -ne $null) 28 | { 29 | # Does nothing 30 | } 31 | elseif($proc.processid -eq $null) 32 | { 33 | "$computer : Not accessible via WMI" >> .\YarPoSh_Results\_Log.txt 34 | } 35 | } 36 | 37 | -------------------------------------------------------------------------------- /WMI_Process_Call/WMI_Process_Call.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Copies and runs a script on a remote system and outputs the data to a text file. After completion, retrieves 4 | the text file of data from the distant compter and saves it to the local machine. Lastly the copied script and 5 | text file of output are deleted from the distant machine. 6 | 7 | .USAGE 8 | 1 - Replace the $computers and $script2run variable to represent your situation 9 | 2 - Save your changes 10 | 3 - Execute the script 11 | #> 12 | 13 | 14 | $computers = Get-Content .\computers.txt 15 | $script2run = "test.ps1" 16 | 17 | foreach($computer in $computers) 18 | { 19 | 20 | # Copies script to be run on distant workstation 21 | 22 | Copy-Item .\$script2run \\$computer\c$\. 
23 | 24 | # Creates variable for WMI process 25 | $Action = [wmiclass] "\\$computer\ROOT\CIMv2:Win32_Process" 26 | 27 | # Creates process creation to invoke the PowerShell script we copied and logs output to a file 28 | $Method = $Action.create("powershell /c c:\$script2run > c:\$computer.txt ") 29 | 30 | # Allow time for the command to run 31 | sleep 5 32 | 33 | # Retrieves the log from the distant machine and saves it locally 34 | Copy-Item \\$computer\c$\$computer.txt c:\users\blue\desktop\results\ 35 | 36 | # Deletes the script and log file on the distant machine 37 | remove-item \\$computer\c$\$computer.txt 38 | remove-item \\$computer\c$\$script2run 39 | 40 | } 41 | -------------------------------------------------------------------------------- /System_Information/Get-SchedTasks.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Retrieves scheduled tasks from all computers in the domain. 4 | 5 | .DESCRIPTION 6 | This script scan the content of the c:\Windows\System32\tasks and search the UserID XML value. 7 | The output of the script is a comma-separated log file containing the Computername, Task name, UserID. 
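#>

Import-Module ActiveDirectory
$VerbosePreference = "continue"
$list = (Get-ADComputer -filter *).name
Write-Verbose -Message "Trying to query $($list.count) servers found in AD"
$logfilepath = "$home\Desktop\TasksLog.csv"

# Write the header once so the file imports as CSV; later runs keep appending rows below it.
if (-not (Test-Path -Path $logfilepath))
{
    Add-content -path $logfilepath -Value "ComputerName,TaskName,UserId"
}

foreach ($computername in $list)
{
    $path = "\\" + $computername + "\c$\Windows\System32\Tasks"
    # Unreachable hosts and hosts without an admin share are skipped quietly. Errors are suppressed per call rather
    # than with a script-wide $ErrorActionPreference, so that unexpected failures elsewhere are still reported.
    $tasks = Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue

    if ($tasks)
    {
        Write-Verbose -Message "I found $($tasks.count) tasks for $computername"
    }

    foreach ($item in $tasks)
    {
        $AbsolutePath = $path + "\" + $item.Name
        # Task definitions are XML; a file that does not parse is reported and skipped instead of aborting the sweep.
        try
        {
            $task = [xml] (Get-Content $AbsolutePath -ErrorAction Stop)
        }
        catch
        {
            Write-Verbose -Message "Could not read $AbsolutePath as XML: $($_.Exception.Message)"
            continue
        }
        [STRING]$check = $task.Task.Principals.Principal.UserId

        if ($task.Task.Principals.Principal.UserId)
        {
            Write-Verbose -Message "Writing the log file with values for $computername"
            Add-content -path $logfilepath -Value "$computername,$item,$check"
        }

    }
}

-------------------------------------------------------------------------------- /Processes and Services/Invoke-RestartServices.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Restarts a specified service and logs the status along with the start time. Start time and status are written to two local files.

.PARAMETER computer
Used to feed the script a file containing computer names or IPs. A single IP can be used as well.

.PARAMETER service
Used to specify a service name.

.PARAMETER process
Used to specify a process name.

.EXAMPLE
PS C:\> .\Invoke-RestartServices.ps1 -computer c:\computers.txt -service 'splunkforwarder service' -process 'splunkd'

Restarts the splunk service and logs the time the service and process restarted.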
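#>


param(
    [Parameter(Mandatory=$true)][string]$Computer,
    [Parameter(Mandatory=$true)][string]$Service,
    [Parameter(Mandatory=$true)][string]$Process
)

$service_stat = "service_status.txt"
$start_times = "service_start_time.txt"

# -computer is documented as either a file of hosts or a single host. The original looped over an undefined
# $computers and called restart-service without a target, so it restarted the service on the local machine only.
$targets = if (Test-Path -Path $Computer -PathType Leaf) { Get-Content -Path $Computer } else { @($Computer) }
# Win32_Process reports image names with their extension (splunkd.exe); the example passes the bare name.
$procName = if ($Process -like '*.exe') { $Process } else { "$Process.exe" }

# Restarts the service on each target, then records the start time of the process which is tied to it.
foreach($cpu in $targets)
{
    get-service -computername $cpu -name $service | restart-service
    sleep 4
    echo $cpu >> $start_times
    Get-WmiObject -Class Win32_Process -ComputerName $cpu -Filter "Name = '$procName'" |
        select Name, @{Name='StartTime';Expression={$_.ConvertToDateTime($_.CreationDate)}} | ft >> $start_times
}

# Gets the status of a service
get-service -computername $targets -name $service| Select MachineName, Name, Status | ft -AutoSize >> $service_stat
-------------------------------------------------------------------------------- /Processes and Services/Restart-MassServices.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Restarts a specified service and logs the status along with the start time. Start time and status are written to two local files.

.PARAMETER computer
Used to feed the script a file containing computer names or IPs. A single IP can be used as well.

.PARAMETER service
Used to specify a service name.

.PARAMETER process
Used to specify a process name.

.EXAMPLE
PS C:\> .\Restart-MassServices.ps1 -computer c:\computers.txt -service 'splunkforwarder service' -process 'splunkd'

Restarts the splunk service and logs the time the service and process restarted.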
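#>


param(
    [Parameter(Mandatory=$true)][string]$Computer,
    [Parameter(Mandatory=$true)][string]$Service,
    [Parameter(Mandatory=$true)][string]$Process
)

$service_stat = "service_status.txt"
$start_times = "service_start_time.txt"

# -computer is documented as either a file of hosts or a single host. Looping over the raw [string] never read the
# file, and restart-service without a target acted on the local machine rather than on each host.
$targets = if (Test-Path -Path $Computer -PathType Leaf) { Get-Content -Path $Computer } else { @($Computer) }
# Win32_Process reports image names with their extension (splunkd.exe); the example passes the bare name.
$procName = if ($Process -like '*.exe') { $Process } else { "$Process.exe" }

# Restarts the service on each target, then records the start time of the process which is tied to it.
foreach($cpu in $targets)
{
    get-service -computername $cpu -name $service | restart-service
    sleep 4
    echo $cpu >> $start_times
    Get-WmiObject -Class Win32_Process -ComputerName $cpu -Filter "Name = '$procName'" |
        select Name, @{Name='StartTime';Expression={$_.ConvertToDateTime($_.CreationDate)}} | ft >> $start_times
}

# Gets the status of the service on every target (the original used the loop variable after the loop, so only the last host was reported)
get-service -computername $targets -name $service| Select MachineName, Name, Status | ft -AutoSize >> $service_stat
-------------------------------------------------------------------------------- /Active_Directory/Get-UserLastLogonTime.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Retrieves the last logon time for a domain user.

.PARAMETER domain
Used to specify the domain name. It is matched as the suffix of each domain controller's name ('*.<domain>'),
so give it in the form the DCs are listed with in the forest.

.EXAMPLE
PS C:\> .\Get-UserLastLogonTime.ps1 -domain 'sandbox'

Specifies the sandbox domain

.NOTES
LastLogon is not replicated between DCs, so every DC whose name ends in the domain is queried and the newest value wins.
#>

param(
    [Parameter(Mandatory=$true)][string]$Domain
)



import-module activedirectory
cls
# The original overwrote $Domain with (Get-ADDomain).name here (and repeated the import and cls), which made the mandatory parameter meaningless.
"The domain is " + $domain
$samaccountname = Read-Host 'What is the User samaccountname?'
"Processing the checks ..."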
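$myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domaincontrollers = $myforest.Sites | % { $_.Servers } | Select Name
$RealUserLastLogon = $null
$LastusedDC = $null
$domainsuffix = "*."+$domain
foreach ($DomainController in $DomainControllers)
{
    if ($DomainController.Name -like $domainsuffix )
    {
        # A DC that is down, or a user that cannot be read from it, is skipped rather than aborting the whole sweep.
        $UserLastlogon = Get-ADUser -Identity $samaccountname -Properties LastLogon -Server $DomainController.Name -ErrorAction SilentlyContinue
        # LastLogon is 0/absent on a DC the user never authenticated against; FromFileTime(0) would be 1601-01-01, not a logon.
        if ($UserLastlogon -and $UserLastlogon.LastLogon)
        {
            $logonTime = [DateTime]::FromFileTime($UserLastlogon.LastLogon)
            if ($RealUserLastLogon -le $logonTime)
            {
                $RealUserLastLogon = $logonTime
                $LastusedDC = $DomainController.Name
            }
        }
    }
}
"The last logon for " + $samaccountname + " occured on " + $RealUserLastLogon + ""
"It was done against " + $LastusedDC + ""

-------------------------------------------------------------------------------- /Web/Get-MalwareDomains.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Downloads the latest malware domains listing from www.malwaredomains.com, uncompresses the zip, takes only the domain
names and outputs it to a file called domains_only.txt. The file can then be read into DNS using Jason Fossen's
script (https://cyber-defense.sans.org/blog/2010/08/31/windows-dns-server-blackhole-blacklist).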
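
.REQUIREMENTS
At least PowerShell v3

.NOTES
The list is fetched over plain http as published by the source. Since the result is loaded into DNS as a blocklist,
review domains_only.txt before loading it if the integrity of the download matters in your environment.
#>

# Downloads domains.zip to the current user's desktop. Every later step uses the same absolute desktop path;
# the original mixed the desktop and the current directory, and Shell.Application does not resolve a relative name.
$url = "http://malware-domains.com/files/domains.zip"
$current_user = [Environment]::UserName
$desktop = "c:\users\$current_user\desktop"
$output = "$desktop\domains.zip"
Invoke-WebRequest -Uri $url -OutFile $output

# Unzips the zip and stores it on the user's desktop
$shell = new-object -com shell.application
$zip = $shell.NameSpace($output)
foreach($item in $zip.items())
{
    $shell.Namespace($desktop).copyhere($item)
}

# Returns only the website names within the file (the first four lines are a header)
$sites_spaces = Get-Content "$desktop\domains.txt" | select -skip 4 | Foreach {($_ -split '\s+',4)[0..1]}

# Removes empty (blank) lines
$just_sites = $sites_spaces | where {$_ -ne ""}

# Count the number of lines in the file
$total_lines = @($just_sites).count
Write-Host "$total_lines domains written to domains_only.txt"

# Creates the file with just the domains
Add-Content -Path "domains_only.txt" -Value ($just_sites)

# cleanup
Remove-Item "$desktop\domains.txt"
Remove-Item "$desktop\domains.zip"
-------------------------------------------------------------------------------- /WMI_Process_Call/WMI_Process_Call (Bypass Exe Policy).ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
*** Bypasses Execution Policy ***
Copies and runs a script on a remote system and outputs the data to a text file. After completion, retrieves the text file of data from the distant computer and
saves it to the local machine. Lastly the copied script and text file of output are deleted from the distant machine.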
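
.USAGE
1 - Replace the $computers and $script2run variable to represent your situation
2 - Save your changes
3 - Execute the script
#>


$computers = Get-Content .\computers.txt
$script2run = "test.ps1"

foreach($computer in $computers)
{

    # Copies script to be run on distant workstation

    Copy-Item .\$script2run \\$computer\c$\.

    # Creates variable for WMI process
    $Action = [wmiclass] "\\$computer\ROOT\CIMv2:Win32_Process"

    # Creates process creation to invoke the PowerShell script we copied and logs output to a file. It also bypasses any execution policy
    $Method = $Action.create("powershell /c get-content c:\$script2run | powershell -noprofile - > c:\$computer.txt ")

    # Win32_Process.Create returns 0 on success; without a process there is no output to fetch and nothing to wait for.
    if ($Method.ReturnValue -ne 0)
    {
        Write-Warning "$computer : Win32_Process.Create failed with return value $($Method.ReturnValue)"
        remove-item \\$computer\c$\$script2run
        continue
    }

    # Wait for the remote process to exit (up to $timeout_seconds) instead of a fixed 5 s pause,
    # so that a slow script is not copied back while it is still writing its output.
    $timeout_seconds = 120
    $waited = 0
    while ($waited -lt $timeout_seconds -and (Get-WmiObject -ComputerName $computer -Class Win32_Process -Filter "ProcessId = $($Method.ProcessId)"))
    {
        sleep 5
        $waited += 5
    }
    if ($waited -ge $timeout_seconds)
    {
        Write-Warning "$computer : script still running after $timeout_seconds s; retrieving whatever output exists"
    }

    # Retrieves the log from the distant machine and saves it locally
    Copy-Item \\$computer\c$\$computer.txt c:\users\blue\desktop\results\

    # Deletes the script and log file on the distant machine
    remove-item \\$computer\c$\$computer.txt
    remove-item \\$computer\c$\$script2run

}

-------------------------------------------------------------------------------- /System_Information/Get-HashDiff.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Reads in baseline hashes previously captured, gets new hashes, and compares the two based on MD5 and SHA1. The difference is output to the screen.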
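
.REQUIREMENTS
- PowerShell version 4
- A baseline of hashes made using the following syntax "Get-ChildItem C:\windows\system32 -Recurse | Get-FileHash -Algorithm md5
| export-csv .\baseline_MD5_$env:COMPUTERNAME.csv -NoTypeInformation"

.NOTES
Both baseline files must be in the current directory. The script stops with a message if either is missing,
instead of comparing against an empty set and reporting every file as a difference.
#>

#Requires -Version 4.0

$baseline_md5_path  = ".\baseline_md5_$env:COMPUTERNAME.csv"
$baseline_sha1_path = ".\baseline_sha1_$env:COMPUTERNAME.csv"
foreach ($baseline in $baseline_md5_path, $baseline_sha1_path)
{
    if (-not (Test-Path -Path $baseline))
    {
        throw "Baseline file '$baseline' not found; create it with the command given under .REQUIREMENTS first."
    }
}

# Walk system32 once and hash the same file list with both algorithms, instead of traversing the tree twice.
# -File keeps directories out of Get-FileHash, which cannot hash them.
$files = Get-ChildItem "C:\windows\system32" -Recurse -File
$files | Get-FileHash -Algorithm md5 | export-csv .\New_MD5_$env:COMPUTERNAME.csv -NoTypeInformation
$files | Get-FileHash -Algorithm sha1 | export-csv .\New_SHA1_$env:COMPUTERNAME.csv -NoTypeInformation

$base_md5 = import-csv $baseline_md5_path
$base_sha1 = import-csv $baseline_sha1_path

$New_md5 = import-csv ".\New_MD5_$env:COMPUTERNAME.csv"
$new_sha1 = import-csv ".\New_SHA1_$env:COMPUTERNAME.csv"

Write-host ""
Write-host "###################" -ForegroundColor Cyan
Write-host "# MD5 Differences #" -ForegroundColor Cyan
Write-host "###################" -ForegroundColor Cyan
# Compared on Hash and Path: '=>' rows exist only in the new capture, '<=' rows only in the baseline.
Compare-Object $base_md5 $New_md5 -Property Hash, Path | format-table -AutoSize

Write-host ""
Write-host "####################" -ForegroundColor Cyan
Write-host "# SHA1 Differences #" -ForegroundColor Cyan
Write-host "####################" -ForegroundColor Cyan
Compare-Object $base_sha1 $New_sha1 -Property Hash, Path | format-table -AutoSize
-------------------------------------------------------------------------------- /_Misc/Get-PortScan.ps1: --------------------------------------------------------------------------------
Function Get-PortScan {

<#
.SYNOPSIS
Scans a range of IPs and informs you if a specific port is listening.

.PARAMETER port
Port to scan.

.PARAMETER net
Network ID. Ex: 172.16.155.

.PARAMETER start
IP to start with... only input the last octet. Ex: .10.

.PARAMETER end
IP to end with...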
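only input the last octet. Ex: .30.

.EXAMPLE
PS c:\> Get-PortScan
Input a port to scan: 135
Input a Network to scan (first three octects): 172.16.155
Input a starting range (last octect only): 10
Input an ending range (last octect only): 30

Executing the script and answering the questions as above would scan 172.16.155.10 - 172.16.155.30 to see
if port 135 is listening.

.NOTES
The prompts are read as text; the port and the two octets are converted to [int] before use.
#>


    $port = [int] (read-host "Input a port to scan")
    $net = read-host "Input a Network to scan (first three octects)"
    $start = [int] (read-host "Input a starting range (last octect only)")
    $end = [int] (read-host "Input an ending range (last octect only)")

    $range = $start..$end

    foreach ($r in $range)
    {
        $ip = "{0}.{1}" -F $net,$r

        if(Test-Connection -BufferSize 32 -Count 1 -Quiet -ComputerName $ip)
        {
            # A refused connection throws from the connect; the original let that error escape from the
            # TcpClient constructor and never disposed the client. A closed port is only reported verbosely.
            $socket = new-object System.Net.Sockets.TcpClient
            try
            {
                $socket.Connect($ip, $port)
                If($socket.Connected)
                {
                    "$ip is listening on port $port"
                }
            }
            catch
            {
                Write-Verbose "$ip : port $port closed or filtered"
            }
            finally
            {
                $socket.Close()
            }
        }
    }

}
-------------------------------------------------------------------------------- /Web/Get-Webserver.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
This script will deploy a temporary webserver on the local system and will listen on the port of your choice. Once it is listening, you will be able to
transfer .txt and .html files from the directory in which the script is run (its working directory, not where the script file is located). The webserver will continue to run as long as the script is running.

To execute, run the script and when prompted, input a port to listen on. To access the system and the data in the directory that the script ran from, use the below syntax.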
7 | 8 | .EXAMPLE 9 | Invoke-WebRequest http:/:/file_in_dir.txt -OutFile 10 | 11 | Invoke-WebRequest http:/192.168.1.1:8001/passwords.txt -OutFile passwords.txt 12 | #> 13 | 14 | # gets IP address of the system 15 | $ip = (gwmi Win32_NetworkAdapterConfiguration | ? { $_.IPAddress -ne $null }).ipaddress 16 | # prompts user to input port 17 | $port = Read-Host -Prompt 'List a port for this webserver to listen on' 18 | 19 | $Hso = New-Object Net.HttpListener 20 | $Hso.Prefixes.Add('http://'+$ip+':'+$port+'/') 21 | $Hso.Start() 22 | 23 | $url = 'http://'+$ip+':'+$port+'/' 24 | 25 | Write-Host Listening at $url ... 26 | 27 | While ($Hso.IsListening) { 28 | $HC = $Hso.GetContext() 29 | $HRes = $HC.Response 30 | # Various cont types can be found here -> https://msdn.microsoft.com/en-us/library/ms526971(v=exchg.10).aspx 31 | $HRes.Headers.Add("Content-Type","text/html") 32 | $Buf = [Text.Encoding]::UTF8.GetBytes((GC (Join-Path $Pwd ($HC.Request).RawUrl))) 33 | $HRes.ContentLength64 = $Buf.Length 34 | $HRes.OutputStream.Write($Buf,0,$Buf.Length) 35 | $HRes.Close() 36 | } 37 | $Hso.Stop() -------------------------------------------------------------------------------- /Processes and Services/Start-MassServices.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Starts a specifiec service and logs the status along with the start time. Start time and status are written to two local files. 4 | 5 | .PARAMETER computer 6 | Used to feed the script a file containing computer names or IPs. A single IP can be used as well. 7 | 8 | .PARAMETER service 9 | Used to specify a service name. 10 | 11 | .PARAMETER process 12 | Used to specify a process name. 13 | 14 | .EXAMPLE 15 | PS C:\> .\Start-MassServices.ps1 -computers c:\computers.txt -service 'splunkforwarder service' -process 'splunkd' 16 | 17 | Restarts the splunk service and logs the time the service and process restarted. 
18 | #> 19 | 20 | param( 21 | [Parameter(Mandatory=$true)][string]$Computers, 22 | [Parameter(Mandatory=$true)][string]$Service, 23 | [Parameter(Mandatory=$true)][string]$Process 24 | ) 25 | 26 | 27 | $service_stat = "service_status.txt" 28 | $start_times = "service_start_time.txt" 29 | 30 | # Starts service 31 | get-service -computername $computers -name $service | start-service 32 | 33 | # This is an alternate method in case the above doesn't work. 34 | #get-service -computername $computer -name $service | Set-service -Status running 35 | 36 | # Gets the status of a service (stopped or running) 37 | get-service -computername $computers -name $service | Select MachineName, Name, Status | ft -AutoSize >> $service_stat 38 | 39 | # Gets the start time of a proces,s which is tied to a service 40 | foreach($computer in $computers) 41 | { 42 | echo $computer >> $start_times 43 | get-process -Name $process | select Name, StartTime | ft >> $start_times 44 | } -------------------------------------------------------------------------------- /Active_Directory/Get-BaselineUsersCompare.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | SYNOPSIS: 3 | Gets a list of Domain Users and compares it with the baseline from the Baseline_Users.txt from the Get-BaselineUsers.ps1 script. 4 | 5 | NOTES: 6 | - This script should be ran from the Users_Check folder created from the Get-BaselineUsers.ps1 script. 7 | - This scripts will run in an infinite loop while doing comparisons at some specified interval. 8 | #> 9 | 10 | Import-Module activedirectory 11 | 12 | # Gather a list of Domain Users. You may need to alter this to fit your organization's structure. 13 | "Domain Users" >> .\Baseline_Users_Compare.txt 14 | get-adgroupmember "Domain Users" -recursive | findstr "distinguishedName" >> .\Baseline_Users_Compare.txt 15 | 16 | # Add white space and title. 
17 | " " >> .\_Domain_Changes_Log.txt 18 | " " >> .\_Domain_Changes_Log.txt 19 | "Domain Users Checked" >> .\_Domain_Changes_Log.txt 20 | 21 | # Add date\time stamp to log. 22 | Get-Date >> .\_Domain_Changes_Log.txt 23 | 24 | # Infinite loop to do the comparisons. 25 | While($true) 26 | { 27 | # Compare the known good baseline to the new list. 28 | Compare-Object $(Get-Content .\Baseline_Userss.txt) $(Get-Content .\Baseline_Users_Compare.txt) >> .\_Domain_Changes_Log.txt 29 | # Sleeps for a specified time and runs the While script block again and again. 30 | Start-Sleep -seconds 300 31 | if ((Compare-Object $(Get-Content .\Baseline_Users.txt) $(Get-Content .\Baseline_Userss_Compare.txt)) -ne $null) 32 | { 33 | $date = Get-Date 34 | Write-Host $date - "NEW USER ADDED! VERIFY CHANGE IN THE _Domain_Changes_Log.txt AND UPDATE THE Baseline_Users.txt FILE IF NEEDED." -foregroundColor Red 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /Linux/nix_webshell.ps1: -------------------------------------------------------------------------------- 1 | $url = 'http://+:9035/' 2 | 3 | $listener = New-Object System.Net.HttpListener 4 | $listener.Prefixes.Add($url) 5 | $listener.Start() 6 | 7 | try 8 | { 9 | while ($listener.IsListening) { 10 | $context = $listener.GetContext() 11 | $Request = $context.Request 12 | $Response = $context.Response 13 | 14 | if($request.url.localpath -like "*cmd=*"){ 15 | $r = $request.url.localpath -Split '=' 16 | $received = '{0} {1}' -f $Request.httpmethod, $r[0] 17 | $out = &$r[1] 18 | $htmlcontents = @{ 19 | 'GET /cmd' = ConvertTo-Html -precontent $out 20 | } 21 | $html = $htmlcontents[$received] 22 | } 23 | elseif($request.url.localpath -like "*ps=*"){ 24 | $r = $request.url.localpath -Split '=' 25 | $received = '{0} {1}' -f $Request.httpmethod, $r[0] 26 | $htmlcontents = @{ 27 | 'GET /ps' = &$r[1] | ConvertTo-Html 28 | } 29 | $html = $htmlcontents[$received] 30 | } 31 | else{ 32 | $received = 
'{0} {1}' -f $Request.httpmethod, $Request.url.localpath 33 | $htmlcontents = @{ 34 | 'GET /' = 'PowerShell Webshell' 35 | 'GET /proc' = Get-process | ConvertTo-Html 36 | 'GET /w' = whoami 37 | 'GET /tz' = get-timezone 38 | 'GET /u' = uname -a 39 | } 40 | $html = $htmlcontents[$received] 41 | } 42 | if ($html -eq $null) { 43 | $Response.statuscode = 404 44 | $html = 'Page not available!' 45 | } 46 | 47 | $buffer = [Text.Encoding]::UTF8.GetBytes($html) 48 | $Response.ContentLength64 = $buffer.length 49 | $Response.OutputStream.Write($buffer, 0, $buffer.length) 50 | 51 | $Response.Close() 52 | } 53 | } 54 | finally 55 | { 56 | $listener.Stop() 57 | } -------------------------------------------------------------------------------- /Active_Directory/Get-BaselineAdminCompare.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | SYNOPSIS: 3 | Gets a list of admins and compares it with the baseline from the Baseline_Admin.txt from the Get-BaselineAdmin.ps1 script. 4 | 5 | NOTES: 6 | - This script should be ran from the Admin_Check folder created from the Get-BaselineAdmin.ps1 script. 7 | - This scripts will run in an infinite loop while doing comparisons at some specified interval. 8 | #> 9 | 10 | Import-Module activedirectory 11 | 12 | # Gather a list of admins. You may need to alter this to fit your organization's structure. 13 | "Domain Admins" > .\Baseline_Admins_Compare.txt 14 | get-adgroupmember "Domain Admins" | findstr "distinguishedName" >> .\Baseline_Admins_Compare.txt 15 | 16 | "Administrators" >> .\Baseline_Admins_Compare.txt 17 | get-adgroupmember "Administrators" -recursive | findstr "distinguishedName" >> .\Baseline_Admins_Compare.txt 18 | 19 | # Add white space and title. 20 | " " >> .\_Domain_Changes_Log.txt 21 | " " >> .\_Domain_Changes_Log.txt 22 | "Domain Admins Checked" >> .\_Domain_Changes_Log.txt 23 | 24 | # Add date\time stamp to log. 
25 | Get-Date >> .\_Domain_Changes_Log.txt 26 | 27 | # Infinite loop to do the comparisons. 28 | While($true) 29 | { 30 | # Compare the known good baseline to the new list. 31 | Compare-Object $(Get-Content .\Baseline_Admins.txt) $(Get-Content .\Baseline_Admins_Compare.txt) >> .\_Domain_Changes_Log.txt 32 | # Sleeps for a specified time and runs the While script block again and again. 33 | Start-Sleep -seconds 300 34 | if ((Compare-Object $(Get-Content .\Baseline_Admins.txt) $(Get-Content .\Baseline_Admins_Compare.txt)) -ne $null) 35 | { 36 | $date = Get-Date 37 | Write-Host $date - "NEW ADMIN ADDED! VERIFY CHANGE IN THE _Domain_Changes_Log.txt AND UPDATE THE Baseline_Admins.txt FILE IF NEEDED." -foregroundColor Red 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /Active_Directory/Get-ADComputersList.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets a perfectly formatted list of computer names from a domain and writes it to c:\. 
4 | 5 | .LINK 6 | 7 | #> 8 | 9 | 10 | $DN = "" 11 | $DNSName = "" 12 | $DNSArray = "" 13 | $objSearcher = "" 14 | $colProplist = "" 15 | $objComputer = "" 16 | $objResults = "" 17 | $colResults = "" 18 | $Computer = "" 19 | $comp = "" 20 | New-Item -type file -force "$Script:Folder_Path\Computer_List.txt" | Out-Null 21 | $Script:Compute = "$Script:Folder_Path\Computer_List.txt" 22 | $strCategory = "(ObjectCategory=Computer)" 23 | $DNSName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name 24 | If($DNSName -ne $Null) { 25 | $DNSArray = $DNSName.Split(".") 26 | for ($x = 0; $x -lt $DNSArray.Length ; $x++) { 27 | if ($x -eq ($DNSArray.Length - 1)){$Separator = ""}else{$Separator =","} 28 | [string]$DN += "DC=" + $DNSArray[$x] + $Separator } } 29 | $Script:Domain = $DN 30 | Write-Host "Pulled computers from: "$Script:Domain -ForegroundColor Green 31 | $objSearcher = New-Object System.DirectoryServices.DirectorySearcher("LDAP://$Script:Domain") 32 | $objSearcher.Filter = $strCategory 33 | $objSearcher.PageSize = 100000 34 | $objSearcher.SearchScope = "SubTree" 35 | $colProplist = "name" 36 | foreach ($i in $colPropList) { 37 | $objSearcher.propertiesToLoad.Add($i) } 38 | $colResults = $objSearcher.FindAll() 39 | foreach ($objResult in $colResults) { 40 | $objComputer = $objResult.Properties 41 | $comp = $objComputer.name 42 | Write-output $comp | Out-File $Script:Compute -Append } 43 | $Script:Computers = (Get-Content $Script:Compute) | Sort-Object 44 | Write-Host "List of computers written to c:\computer_list.txt" -ForegroundColor Green -------------------------------------------------------------------------------- /Registry/Get-RegKeyValueRecurse.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Recursively gets Sub-Keys, Values, and Value data of a specified Key. 
4 | #> 5 | 6 | write-host "Input computer name or IP to grab Registry data from" -ForegroundColor cyan 7 | $cpu = read-host " " 8 | 9 | write-host "Input the registry path to grab data from." -ForegroundColor cyan 10 | write-host " " 11 | write-host " Example: SYSTEM\CurrentControlSet\Services\w32time" -ForegroundColor Green 12 | write-host " Example: SOFTWARE\Microsoft\Windows NT\CurrentVersion" -ForegroundColor Green 13 | write-host " " 14 | $regpath = read-host " " 15 | 16 | # Registry data to retrieve 17 | $reg = $regpath.split('\') | select -last 1 18 | $Filter = ".*" 19 | $newline = "`r`n" 20 | 21 | # Loops through and recursively gets Sub-Keys, Value, and Value data for a Key 22 | function Grab-SystemKeys 23 | { 24 | Param($regkey,$Server) 25 | $ServerKey = 26 | [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $Cpu) 27 | $SubKey = $ServerKey.OpenSubKey($regkey,$false) 28 | If(!($SubKey)) 29 | { 30 | Return 31 | } 32 | $SubKeyValues = $SubKey.GetValueNames() 33 | if($SubKeyValues) 34 | { 35 | foreach($SubKeyValue in $SubKeyValues) 36 | { 37 | $subber = $subkey.name 38 | $vall = $_ 39 | $Key = @{n="Key";e={$SubKey.Name -replace "HKEY_LOCAL_MACHINE\\",""}} 40 | $ValueName = @{n="ValueName";e={$SubKeyValue}} 41 | $Value = @{n="Value";e={$_}} 42 | $SubKey.GetValue($SubKeyValue) | ?{$_ -match $filter} | Select-Object $Key,$ValueName,$Value 43 | } 44 | } 45 | $SubKeyName = $SubKey.GetSubKeyNames() 46 | foreach($subkey in $SubKeyName) 47 | { 48 | $SubKeyName = "$regkey\$subkey" 49 | Grab-SystemKeys $SubKeyName 50 | } 51 | } 52 | 53 | foreach($path in $regpath) 54 | { 55 | Write-Host "Getting $path Keys..." 
-ForegroundColor Cyan 56 | Grab-SystemKeys $path $cpu | out-file .\$cpu'_'$reg.txt 2>$null 57 | } 58 | 59 | -------------------------------------------------------------------------------- /DNS/Get-DNS_Data_SVR2012.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Retrieves relevant DNS data in Server 2012. 4 | 5 | #> 6 | 7 | New-Item .\DNS_Data -type directory 8 | Set-Location .\DNS_Data 9 | 10 | Get-DNSServerStatistics | out-file .\Stats.txt 11 | Get-DnsServer | out-file .\Server_Info.txt 12 | Get-DnsServerDiagnostics | out-file .\Server_Diag.txt 13 | Get-DnsServerDsSetting | out-file .\DirectoryServices_Settings.txt 14 | Get-DnsServerForwarder | out-file .\Forwarders.txt 15 | Get-DnsServerGlobalNameZone | out-file .\Global_Name_Zone.txt 16 | 17 | # The block list automatically applies to all zones for which the server is authoritative. For example, if the DNS server is authoritative for contoso.com and for europe.contoso.com, it ignores queries for wpad.contoso.com as well as for wpad.europe.contoso.com. However, the DNS Server service does not ignore queries for names in zones for which it is not authoritative. 18 | 19 | <# Identify the items in the list. If you want to add more to the list, take note of the items currently listed and as adding more will overwrite the current ones listed. With that said, you will need to add the current ones listed with the additional ones you want to add. To add to the list, use the following syntax: 20 | dnscmd /config /globalqueryblocklist WKGA1023, wpad, isatap 21 | #> 22 | dnscmd /info /globalqueryblocklist | out-file .\Blocked_items.txt 23 | 24 | # Determines if the blocklist is enabled or not. 
"1" = enabled, "0" = disabled 25 | dnscmd /info /enableglobalqueryblocklist | out-file .\Blocklist_status.txt 26 | 27 | # Gets DNS information 28 | dnscmd.exe /info | out-file .\DNS_Info.txt 29 | 30 | Get-DnsServerRecursion | out-file .\Recursion.txt 31 | Get-DNSServerRootHint | out-file .\Roothints.txt 32 | Get-DnsServerScavenging | out-file .\Scavenging.txt 33 | Get-DnsServerSetting | out-file .\Server_Settings.txt 34 | Get-DnsServerZone | out-file .\Zones.txt 35 | 36 | get-wmiobject -Namespace root\MicrosoftDNS -class microsoftdns_resourcerecord | select __Class, ContainerName, DomainName, RecordData, ownername | Export-CSV .\All_Records.csv 37 | 38 | -------------------------------------------------------------------------------- /Active_Directory/Set-PasswordChangeRandom.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Changes passwords to every account in a specified OU using a algorithm that randomly selects passwords. The newly implemented 4 | password, along with the samaccountname are written to a file for you to reference and inform the applicable people of the change. 5 | #> 6 | 7 | 8 | write-host "Input the OU you want to search in. Example: OU=Texas,DC=sandbox,DC=local" -ForegroundColor Cyan 9 | $searchbase = Read-host " " 10 | 11 | import-module activedirectory 12 | 13 | # Creates an emtpty file 14 | [String]$path= ".\NewStuff.txt" 15 | 16 | # Checks to see if password file already exists and if it does, deletes it. 
17 | if ($path -ne $null){Remove-Item $path -ErrorAction SilentlyContinue} 18 | 19 | # Writes the time\date to the file so we know when it was done 20 | $date = Get-Date 21 | Write-Output "Generated on" $date >> NewStuff.txt 22 | 23 | # Gets the users inside the OU specified 24 | $users = Get-ADUser -filter * -SearchBase $searchbase 25 | 26 | # Loops through each samaccountname 27 | foreach($Name in $users.samaccountname) 28 | { 29 | # Generates a random password 30 | function RandomPassword() 31 | { 32 | $password = "" 33 | while($password.length -le 14) 34 | { 35 | $char = 36 | "a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","0","1","2","3","4","5","6","7","8","9","!","@","#","$","%","^","&","*","(",")" | Get-random 37 | $password = $password + $char 38 | } 39 | return $password 40 | } 41 | $NewPassword = RandomPassword 42 | 43 | # Changes the password and sets the option to change password upon next logon 44 | Set-ADAccountPassword -Identity $Name -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $NewPassword -Force) 45 | Get-ADUser -Identity $Name |Set-ADUser -ChangePasswordAtLogon:$true 46 | 47 | # Writing samaccountname and new password to file for reference 48 | Write-Output "UserID:$name `t Password:$NewPassword" `n`n| Format-Table -AutoSize >> NewStuff.txt 49 | } -------------------------------------------------------------------------------- /Group_Policy/Invoke-GPOHunter.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Enables an individual to be able to search Group Policy for Scheduled Tasks and logon/logoff scripts. The returned output will highlight which GPO 4 | contains the settings we are looking for along with some additional details regarding the settings. 5 | 6 | .USAGE 7 | 1. Run script 8 | 2. 
Analyze results that are returned to the screen 9 | #> 10 | 11 | 12 | Import-Module grouppolicy 13 | $ErrorActionPreference ='silentlycontinue' 14 | 15 | # Key strings for scheduled tasks and logon/logoff scripts 16 | $schedtasks = "scheduledtask" 17 | $on_off = "command>" 18 | 19 | $DomainName = $env:USERDNSDOMAIN 20 | $GPOs = Get-GPO -All -Domain $DomainName 21 | write-host "Finding all the GPOs in $DomainName" 22 | 23 | # Search through each GPO's XML for the specific strings 24 | Write-Host "Starting search...." 25 | foreach ($gpo in $GPOs) 26 | { 27 | $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml 28 | if (($report -match $schedtasks) -or ($report -match $on_off)) 29 | { 30 | write-host "********** Match(es) found in: $($gpo.DisplayName) **********" 31 | $report1 = $report -split ' '| sls 'name=', 'starthour=', 'args=','startIn=', 'comment=', 'filters'| Get-Unique 32 | $report2 = $report -split ' '| sls 'command>' 33 | 34 | if ($report1 -ne $null) 35 | { 36 | "#######################" 37 | "# SCHEDULEDTASKS #" 38 | "#######################" 39 | 40 | $report_out = ($report1 -replace '"',"") 41 | for ($i=6;$i -lt $report_out.count;$i+=7) 42 | { 43 | $report_out[$i] = ' ' 44 | } 45 | $report_out 46 | "#######################" 47 | " " 48 | } 49 | if ($report2 -ne $null) 50 | { 51 | $r2 = [string]$report2 52 | "#############################" 53 | "# LOGON / LOGOFF SCRIPTS #" 54 | "#############################" 55 | ($r2.Split('<')).split('>')[2,6,10,14,18,22,26,30,34] 56 | "#############################" 57 | " " 58 | } 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /System_Information/Get-HashBaseline_v2.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS: 3 | Gets file hash of files in a directory recursively. The system name, hash, and file with path are exported to a CSV that is best read back into 4 | PowerShell using out-gridview. 
5 | 6 | .USAGE: 7 | - Change variables on line 18 8 | - Execute script from elevated shell 9 | 10 | .REQUIREMENTS 11 | - PowerShell Version 2 12 | 13 | #> 14 | 15 | #Requires -Version 2 16 | 17 | # Variable to change. This specifies what directory recursively to hash files 18 | $file_list = Get-ChildItem "c:\windows\system32\*.*" -Recurse -Force -ErrorAction SilentlyContinue 19 | 20 | # Don't touch! 21 | $md5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider 22 | $sha1 = New-Object -TypeName System.Security.Cryptography.sha1CryptoServiceProvider 23 | $newline = "`r`n" 24 | 25 | # Loops through and returns system name, hash type (MD5 or SHA1), hash, and file path 26 | foreach($file in $file_list.fullname) 27 | { 28 | try 29 | { 30 | $hash_md5 += $env:COMPUTERNAME + "+MD5+" + [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($file))) + "+" + $file + $newline 31 | } 32 | Catch 33 | { 34 | # Only here to catch errors from "Access denied" or "in use" messages 35 | } 36 | } 37 | 38 | foreach($file in $file_list.fullname) 39 | { 40 | try 41 | { 42 | $hash_sha1 += $env:COMPUTERNAME + "+SHA1+" + [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($file))) + "+" + $file + $newline 43 | } 44 | Catch 45 | { 46 | # Only here to catch errors from "Access denied" or "in use" messages 47 | } 48 | } 49 | 50 | $hash_md5 | Out-File .\Base_MD5_$env:COMPUTERNAME.txt 51 | $hash_sha1 | Out-File .\Base_SHA1_$env:COMPUTERNAME.txt 52 | Import-csv ".\Base_MD5_$env:COMPUTERNAME.txt" -Delimiter '+' -Header 'System', 'Type', 'Hash', 'File' |export-csv .\Base_Hash_MD5_$env:COMPUTERNAME.csv 53 | Import-csv ".\Base_SHA1_$env:COMPUTERNAME.txt" -Delimiter '+' -Header 'System', 'Type', 'Hash', 'File' |export-csv .\Base_Hash_SHA1_$env:COMPUTERNAME.csv 54 | 55 | Clear-Variable hash_md5, hash_Sha1 56 | Remove-Item .\Base_MD5_HUNTER.txt 57 | Remove-Item .\Base_SHA1_HUNTER.txt 58 | 
-------------------------------------------------------------------------------- /System_Information/Get-CreatedFilesLast24.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets all files created within the last 24 hours 4 | #> 5 | 6 | # ============================================================================== 7 | # Variables to change 8 | # ============================================================================== 9 | $computers = '127.0.0.1' 10 | 11 | # ============================================================================== 12 | # Important Variables 13 | # ============================================================================== 14 | $newline = "`r`n" 15 | $current_user = [Environment]::UserName 16 | 17 | # ============================================================================== 18 | # Loops through gets directory listing and sub-directories with creation time 19 | # ============================================================================== 20 | foreach($cpu in $computers) 21 | { 22 | $dir_list = Get-ChildItem -Path c:\ -recurse -force -erroraction 'silentlycontinue' | Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-1) } | Select-Object FullName, CreationTime, Length | sort creationtime -Descending 23 | foreach($new_dir in $dir_list) 24 | { 25 | $new_table += $cpu + '+' + ($new_dir -replace '@{FullName=','' -replace '; CreationTime=','+' -replace '; Length=','+' -replace '}','') + $newline 26 | } 27 | } 28 | 29 | # ============================================================================== 30 | # Writes data to a file 31 | # ============================================================================== 32 | add-content -Path "c:\users\$current_user\desktop\Last24.txt" -Value ($new_table) 33 | 34 | # ============================================================================== 35 | # Splits data into three columns and exports it as a csv 36 | # 
============================================================================== 37 | import-csv "c:\users\$current_user\desktop\Last24.txt" -Delimiter '+' -Header 'System', 'Path', 'Time\Date' |export-csv c:\users\$current_user\desktop\CreatedLast24.csv 38 | 39 | # ============================================================================== 40 | # Cleanup 41 | # ============================================================================== 42 | Remove-Item "c:\users\$current_user\desktop\Last24.txt" 43 | Remove-Variable dir_list, new_table, new_dir 44 | -------------------------------------------------------------------------------- /System_Information/Get-TextPasswords.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Searches the filesystem for text files that contains passwords (potentially). The hits fit the criteria of at least four characters but no more than 15 4 | with one being an upper, lower, number, and special character. 
5 | 6 | 7 | #> 8 | 9 | $dir2search = C:\ 10 | 11 | # ============================================================================== 12 | # Gets a listing of text files 13 | # ============================================================================== 14 | $items = Get-ChildItem $dir2search -Recurse -Force -ErrorAction ignore | where {$_.extension -eq ".txt"} 15 | 16 | # ============================================================================== 17 | # Important Variables 18 | # ============================================================================== 19 | $current_user = [Environment]::UserName 20 | $newline = "`r`n" 21 | 22 | # ============================================================================== 23 | # Loops through and searches for passwords 24 | # ============================================================================== 25 | foreach($item in $items){ 26 | $hits = Get-Content $item.fullname -ErrorAction ignore | Select-String -Pattern '^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).{4,15}$' | select-object line, linenumber 27 | $file_hit += $item.fullname + '+' + ($hits -replace "@{line=",'' -replace "; linenumber=",'+' -replace "}",'') + $newline 28 | } 29 | 30 | # ============================================================================== 31 | # Writes data to a file 32 | # ============================================================================== 33 | add-content -Path "c:\users\$current_user\desktop\hits.txt" -Value ($file_hit) 34 | 35 | # ============================================================================== 36 | # Splits data into two columns and exports it as a csv 37 | # ============================================================================== 38 | import-csv "c:\users\$current_user\desktop\hits.txt" -Delimiter '+' -Header 'Path', 'Hits', 'LineNumber' |export-csv c:\users\$current_user\desktop\hits.xml 39 | 40 | # ============================================================================== 41 | # Cleanup 42 | # 
============================================================================== 43 | Remove-Item "c:\users\$current_user\desktop\hits.txt" 44 | Remove-Variable file_hit, hits, item, items 45 | 46 | 47 | -------------------------------------------------------------------------------- /System_Information/Get-FileMonitor.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | This script will monitor creations, deletions, changes, and renames that take place within a directory. The monitoring covers any sub-directories and 4 | files as well. Any hits will be written to the screen and to a log called FileChangeLog.txt in the directory from which the script is ran from. 5 | 6 | .USAGE 7 | Change the path to the directory you wish to monitor on the second line below with the variable "$watcher.Path" and run the script. An ignorelist can be read 8 | by the script as well and will read it from the current directory. It should be named "ignorelist.txt" an there should be one entry per line. 9 | 10 | #> 11 | 12 | 13 | 14 | $watcher = New-Object System.IO.FileSystemWatcher 15 | # Path to the directory to monitor 16 | $watcher.Path = "C:\Users\admin\desktop\170 packet" 17 | $watcher.IncludeSubdirectories = $true 18 | $watcher.EnableRaisingEvents = $true 19 | $log = ".\FileChangeLog.txt" 20 | 21 | $changed = Register-ObjectEvent $watcher "Changed" -Action { 22 | # Not doing anything yet. It is mostly junk like registry writes. 
23 | # Lists and directories or files to ignore 24 | #$ignorelist = Get-Content .\ignorelist.txt 25 | $ignore = $false 26 | #foreach ($str in $ignorelist) { 27 | # if ($($eventArgs.FullPath).contains($str)) {$ignore = $true} 28 | #} 29 | if ($ignore -eq $false) 30 | { 31 | $output = $(get-date -f yyyy-MM-dd--hh:mm:ss) 32 | $output += " Changed: $($eventArgs.FullPath)" 33 | $output | Out-File $log -width 400 -append 34 | write-host $output 35 | } 36 | } 37 | 38 | $created = Register-ObjectEvent $watcher "Created" -Action { 39 | $log = ".\FileChangeLog.txt" 40 | $output = $(get-date -f yyyy-MM-dd--hh:mm:ss) 41 | $output += " Created: $($eventArgs.FullPath)" 42 | $output | Out-File $log -width 400 -append 43 | write-host $output 44 | } 45 | $deleted = Register-ObjectEvent $watcher "Deleted" -Action { 46 | $log = ".\FileChangeLog.txt" 47 | $output = $(get-date -f yyyy-MM-dd--hh:mm:ss) 48 | $output += " Deleted: $($eventArgs.FullPath)" 49 | $output | Out-File $log -width 400 -append 50 | write-host $output 51 | } 52 | $renamed = Register-ObjectEvent $watcher "Renamed" -Action { 53 | $log = ".\FileChangeLog.txt" 54 | $output = $(get-date -f yyyy-MM-dd--hh:mm:ss) 55 | $output += " Renamed: $($eventArgs.FullPath)" 56 | $output | Out-File $log -width 400 -append 57 | write-host $output 58 | } 59 | 60 | -------------------------------------------------------------------------------- /_Misc/Invoke-IPScanner.ps1: -------------------------------------------------------------------------------- 1 | Function Invoke-IPScanner{ 2 | 3 | <# 4 | .SYNOPSIS 5 | Asynchronous IP range scanner (ping sweep). 6 | 7 | .PARAMETER net 8 | First three octects of the IP range. 9 | 10 | .PARAMETER startrange 11 | Octect to start with. 12 | 13 | .PARAMETER endrange 14 | Octect to end with. 15 | 16 | .EXAMPLE 17 | PS c:\> Invoke-IPScanner -net '192.168.0' -startrange '80' -endrange '127' 18 | 19 | Scans 192.168.080 - 192.168.0.127". 
.LINK
48 | if ($count -gt $groupMax) { 49 | sleep 3 50 | $count = 1 51 | } else { 52 | $count++ 53 | } 54 | } 55 | 56 | # wait for all the jobs to finish 57 | get-job | wait-job 58 | 59 | # store the jobs into an array 60 | $jobs = get-job 61 | # holds the results of the jobs 62 | $results = @() 63 | foreach ($job in $jobs) { 64 | # grab the job output 65 | $temp = receive-job -id $job.id -keep 66 | $results += ,($temp[0],$temp[1]) 67 | } 68 | 69 | # stop and remove all jobs 70 | get-job | stop-job 71 | get-job | remove-job 72 | 73 | # sort the results 74 | $results = $results | sort @{Expression={$_[0]}; Ascending=$false} 75 | # report the results 76 | foreach ($result in $results) { 77 | if ($result[1]) { 78 | write-host -f Green “$($result[0]) is responding” 79 | } else { 80 | write-host -f Red “$($result[0]) is not responding” 81 | } 82 | } 83 | 84 | } -------------------------------------------------------------------------------- /Web/Get-WebserverDataOnly.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | This script will create a temporary webserver on the local system and will listen on the host IP and specified port. You will then be able to post some raw data that 4 | will be accessible on the network. When running the script you will be asked what port to listen on and what raw data you to post. This script does not supporting the 5 | posting of files or folders. 6 | 7 | .EXAMPLE 8 | Option 1: PowerShell -- Using the below syntax to view it on the screen. It will be in 9 | the raw content section. 
10 | 11 | Invoke-WebRequest http://:/default 12 | 13 | Option 2: Powershell -- Using the below syntax to save the data to a local file 14 | Invoke-WebRequest http://:/default -OutFile downloaded_data.txt 15 | 16 | Option 3: Internet browser -- Using the below syntaxto view it in the browser 17 | http://:/default 18 | #> 19 | 20 | # gets IP address of the system 21 | $ip = (gwmi Win32_NetworkAdapterConfiguration | ? { $_.IPAddress -ne $null }).ipaddress 22 | # prompts user to input port 23 | $port = Read-Host -Prompt 'List a port for this webserver to listen on' 24 | # prompts user to input raw data they want to post to the webserver 25 | $raw_data = Read-Host -Prompt 'Input the raw data that you want accessible' 26 | $default_url = "default" 27 | 28 | # "default" is the end of the URL (ex: http://192.168.0.2:8080/default) 29 | $routes = @{ 30 | "/default" = { return ''+$raw_data+'' } 31 | } 32 | 33 | $url = 'http://'+$ip+':'+$port+'/' 34 | $listener = New-Object System.Net.HttpListener 35 | $listener.Prefixes.Add($url) 36 | $listener.Start() 37 | 38 | Write-Host Listening at $url$default_url... 
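# Serve requests until the PowerShell session ends. NOTE(review): nothing calls
# $listener.Stop(); a Ctrl-C leaves the prefix registered until the process exits.
while ($listener.IsListening)
{
    $context = $listener.GetContext()
    $requestUrl = $context.Request.Url
    $response = $context.Response

    Write-Host ''
    Write-Host "> $requestUrl"

    $localPath = $requestUrl.LocalPath
    $route = $routes.Get_Item($requestUrl.LocalPath)

    if ($route -eq $null)
    {
        $response.StatusCode = 404
    }
    else
    {
        $content = & $route
        $buffer = [System.Text.Encoding]::UTF8.GetBytes($content)
        $response.ContentLength64 = $buffer.Length
        $response.OutputStream.Write($buffer, 0, $buffer.Length)
    }

    $response.Close()

    $responseStatus = $response.StatusCode
    Write-Host "< $responseStatus"
}

-------------------------------------------------------------------------------- /System_Information/Get-HashDiffExplanations.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Reads in baseline hashes previously captured, gets new hashes, and compares the two based on MD5 and SHA1. The difference is output to the screen.

.DESCRIPTION
For each algorithm the script hashes C:\windows\system32 recursively, writes the snapshot as
New_<ALG>_<host>.csv next to the baseline, and emits one object per difference:
  "New File Created"  path present now but not in the baseline
  "Hash Modified"     path present in both with a different hash
  "File Deleted"      path in the baseline but gone now
Output objects carry the properties Hash, File, "Old HAsh" and Explanation. The property
name "Old HAsh" (capitalisation included) is kept unchanged because downstream scripts may
already select on it.

.REQUIREMENTS
- PowerShell version 4
- A baseline of hashes made using the following syntax "Get-ChildItem C:\windows\system32 -Recurse | Get-FileHash -Algorithm md5
  | export-csv .\baseline_MD5_$env:COMPUTERNAME.csv -NoTypeInformation"
  and the same with -Algorithm sha1 written to baseline_SHA1_$env:COMPUTERNAME.csv

.NOTES
Security: MD5 and SHA1 are collision-prone, so an attacker who controls the file content can
craft a replacement that keeps its baseline hash. They are used here only because existing
baselines were captured with them; capture SHA256 alongside (Get-FileHash -Algorithm sha256)
for new baselines and compare it too. A baseline is only as trustworthy as the host it was
taken on and the place it is stored, so keep the baseline CSVs off the monitored host.
The comparison is keyed on Path, so nothing outside system32 is covered, and a file that was
replaced by one with the same hash is invisible here.
#>

#Requires -Version 4.0

$target = "C:\windows\system32"

# Hash every file under $target with the given algorithm and persist the result as CSV.
# Files that cannot be read (locked, ACL-denied) produce a non-terminating error and are
# skipped, which is also what the one-liner in .REQUIREMENTS does by default.
function Export-HashSnapshot([string]$Algorithm, [string]$OutFile) {
    Get-ChildItem $target -Recurse -File |
        Get-FileHash -Algorithm $Algorithm -ErrorAction Continue |
        Export-Csv $OutFile -NoTypeInformation
}

# Compare a baseline CSV with a fresh snapshot CSV and emit one object per difference.
# Both CSVs must have the Hash and Path columns that Get-FileHash | Export-Csv writes.
function Compare-HashSnapshot([string]$BaselineCsv, [string]$NewCsv) {
    if (-not (Test-Path $BaselineCsv)) { throw "Baseline not found: $BaselineCsv" }
    $baseline = Import-Csv $BaselineCsv
    $current  = Import-Csv $NewCsv
    $diff = Compare-Object $baseline $current -Property Hash, Path

    foreach ($element in $diff) {
        # A row on the other side with the same Path but a different Hash means the file was
        # modified rather than created or deleted.
        $counterpart = $diff |
            Where-Object { $_.Path -eq $element.Path -and $_.Hash -ne $element.Hash } |
            Select-Object -First 1

        if ($element.SideIndicator -eq '=>') {
            if ($counterpart) {
                [pscustomobject]@{Hash=$element.Hash; File=$element.Path; "Old HAsh"=$counterpart.Hash; Explanation="Hash Modified"}
            } else {
                [pscustomobject]@{Hash=$element.Hash; File=$element.Path; "Old HAsh"=""; Explanation="New File Created"}
            }
        } elseif ($element.SideIndicator -eq '<=' -and -not $counterpart) {
            # The modified case is already reported from the '=>' row, so only true deletions land here.
            [pscustomobject]@{Hash=""; File=$element.Path; "Old HAsh"=$element.Hash; Explanation="File Deleted"}
        }
    }
}

$newMd5  = ".\New_MD5_$env:COMPUTERNAME.csv"
$newSha1 = ".\New_SHA1_$env:COMPUTERNAME.csv"
Export-HashSnapshot -Algorithm md5  -OutFile $newMd5
Export-HashSnapshot -Algorithm sha1 -OutFile $newSha1

Compare-HashSnapshot ".\baseline_md5_$env:COMPUTERNAME.csv"  $newMd5
Compare-HashSnapshot ".\baseline_sha1_$env:COMPUTERNAME.csv" $newSha1


-------------------------------------------------------------------------------- /Disk/Invoke-MemCapture/Invoke-MemCapture.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
This script is a wrapper for WinPmem. With it, memory captures are created remotely to C:\ on the distant end.


.PARAMETER ComputerName
Used to specify the remote system to run the script on.

.EXAMPLE
PS C:\> .\Invoke-MemCapture.ps1 -ComputerName 172.16.155.10 -Path c:\users\blue\desktop\winpmem.exe

Runs WinPmem on 172.16.155.10.

.LINK
https://github.com/google/rekall/releases

#>

param(
[Parameter(Mandatory=$true)][string]$ComputerName,
[Parameter(Mandatory=$true)][string]$Path
)

Write-host "*** Memory Captures will be copied to C:\ ***" -ForegroundColor Cyan

$newline = "`r`n"
$ErrorActionPreference = "silentlycontinue"

if(test-path .\memcap.ps1)
{
remove-item .\memcap.ps1
}

Function call
{
write-host "Executing memory capture on specified system(s)..." `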
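-ForegroundColor Cyan
    foreach($computer in $cpu)
    {
        # Reachability first: without the admin share there is nothing to copy to and
        # nothing to run, so log it and move on instead of falling through to WMI.
        if(!(test-path "\\$computer\c$\"))
        {
            "$computer : No connection path" >> .\MemCapture_Results\_Log.txt
            continue
        }
        if (!(test-path "\\$computer\c$\$exe"))
        {
            # Stage the capture tool and the one-shot driver script in the root of C:.
            # NOTE(review): $ErrorActionPreference is SilentlyContinue for this script, so a
            # failed copy is invisible here; the only signal is the remote exit code printed
            # by the event below.
            Copy-item $Path \\$computer\c$\ -force -ErrorAction SilentlyContinue
            Copy-item .\memcap.ps1 \\$computer\c$\ -force -ErrorAction SilentlyContinue
        }
        $proc = Invoke-WmiMethod -ComputerName $computer -Class Win32_Process -Name Create -ArgumentList "powershell /c c:\memcap.ps1"
        if($proc.processid -ne $null)
        {
            # Report the exit status asynchronously when the remote process ends. Registered
            # only after the PID is known; a null PID made the original query malformed.
            $my_var = Register-WmiEvent -ComputerName $computer -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $computer -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"}
        }
        else
        {
            "$computer : Not accessible via WMI" >> .\MemCapture_Results\_Log.txt
        }
    }
}

# File name the tool will have in the remote C:\ root; the generated script refers to it by
# this name instead of assuming it is called winpmem.exe.
$exe = Split-Path $Path -Leaf
if (-not (Test-Path $Path)) { throw "WinPmem not found at $Path" }

# The log lines above append into this folder; it was never created before.
if (-not (Test-Path .\MemCapture_Results)) { New-Item .\MemCapture_Results -ItemType Directory | Out-Null }

# Making script: capture to C:\<computername>.raw, then remove the tool and the driver itself.
# The image is deliberately left in C:\ for retrieval. Security: a full memory image contains
# credential material (LSASS secrets, Kerberos tickets, clear-text passwords in process
# memory) and the root of C:\ is typically readable by every local account, so pull it back
# and delete it promptly, or tighten its ACL on the remote host first.
"c:\$exe c:\`$env:computername.raw" >> .\memcap.ps1
"remove-item c:\$exe" >> .\memcap.ps1
"remove-item c:\memcap.ps1" >> .\memcap.ps1

# ComputerName is a single host/IP or a .txt file listing them one per line. (The original
# third branch was unreachable: -notcontains on a string is true for anything but ".txt".)
if($ComputerName -like '*.txt')
{
    $cpu = Get-Content $ComputerName | Where-Object { $_.Trim() -ne '' }
}
else
{
    $cpu = $ComputerName
}
call

remove-item .\memcap.ps1
-------------------------------------------------------------------------------- /Registry/Invoke-MUICache/Invoke-MUICacheView.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
This script is a wrapper for MUICacheView, which displays the list of all MUICache item.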
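
.PARAMETER ComputerName
Used to specify the remote system to run the script on, or a .txt file listing several (one per line).

.PARAMETER Path
Local path to MUICacheView.exe. It is copied to the root of C: on each target and deleted again by the retrieve step.

.EXAMPLE
PS C:\> .\Invoke-MUICacheView.ps1 -ComputerName 172.16.155.10 -Path c:\users\blue\desktop\MUICacheView.exe

Runs MUICacheView on 172.16.155.10.

.NOTES
The process is created through WMI (Win32_Process.Create), so it runs as the account used for
the WMI connection; MUICache is a per-user artefact, so the results describe that account's
profile on the target, not the interactive user's. The CSV is written to c:\users\public on
the target, which other local accounts can read, until the retrieve step removes it.
The remote command line assumes the copied file is named MUICacheView.exe.

.LINK
http://www.nirsoft.net/utils/muicache_view.html
#>

param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Path
)

# Remote command line; output goes to the Public profile so the admin-share copy below can
# fetch it regardless of which profile the tool ran under.
$syntax = 'C:\MUICacheView.exe /scomma c:\users\public\MUICache.csv'

# Local collection folder for the per-host CSVs and the error log.
if(!(test-path c:\users\$env:USERNAME\desktop\MUICache))
{
    new-item c:\users\$env:USERNAME\desktop\MUICache -ItemType directory | out-null
}

# File name the tool will have in the remote C:\ root.
$exe = Split-Path $Path -Leaf

Function call
{
    foreach($cpu in $computers)
    {
        # Stage the tool unless it is already there. The original tested \\$cpu\c$\$path with
        # the full local path (c:\users\...), which never exists remotely, so it copied every run.
        if(!(test-path \\$cpu\c$\$exe))
        {Copy-Item $path \\$cpu\c$\.}
        $proc = Invoke-WmiMethod -ComputerName $cpu -Class Win32_Process -Name Create -ArgumentList "powershell /c $syntax"
        if($proc.processid -ne $null)
        {
            # Print the exit code when the remote process finishes.
            $my_var = Register-WmiEvent -ComputerName $cpu -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $cpu -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"}
        }
        else
        {
            "$cpu : Not accessible via WMI" >> c:\users\$env:USERNAME\desktop\MUICache\_Log.txt
        }

        write-host 'Process call initiated on'$cpu'...' `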
-ForegroundColor cyan 50 | } 51 | # Allow time for the command to run 52 | sleep 20 53 | } 54 | 55 | 56 | Function retrieve 57 | { 58 | foreach($cpu in $computers) 59 | { 60 | copy-Item \\$cpu\c$\users\public\MUICache.csv c:\users\$env:USERNAME\desktop\MUICache\ 61 | rename-item c:\users\$env:USERNAME\desktop\MUICache\MUICache.csv c:\users\$env:USERNAME\desktop\MUICache\$cpu-$env:USERNAME-MUICache.csv 62 | 63 | remove-item \\$cpu\c$\MUICacheView.exe 64 | remove-item \\$cpu\c$\users\public\MUICache.csv 65 | 66 | write-host 'Pulling data back from'$cpu'...' -ForegroundColor green 67 | } 68 | } 69 | 70 | 71 | # Parameters received at the start of running the script 72 | if($ComputerName -like '*.txt') 73 | { 74 | $computers = Get-content $computername 75 | call 76 | retrieve 77 | } 78 | elseif($ComputerName -notcontains '.txt') 79 | { 80 | $computers = $ComputerName 81 | call 82 | retrieve 83 | } 84 | else{Echo 'No IP or a file containing IPs were specified'} -------------------------------------------------------------------------------- /DNS/Invoke-DNSLogParser.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Reads the specified DNS debug log. 4 | 5 | .DESCRIPTION 6 | Retrives all entries in the DNS debug log for further processing using powershell out-gridview or exporting to Excel. 7 | 8 | .PARAMETER Path 9 | Specifies the path to the DNS debug logfile. 10 | 11 | .PARAMETER Ignore 12 | Specifies which IPs to ignore. 13 | 14 | .EXAMPLE 15 | PS C:\> .\Invoke-DNSLogParser -Path ".\dns.log" |group-Object "Client IP"| Sort-Object -Descending Count| Select -First 10 Name, Count | format-table 16 | 17 | Returns a table depicting the top ten IPs in the log and the number of times they appear. 

.EXAMPLE
PS C:\> .\Invoke-DNSLogParser -Path ".\dns.log" |group-Object "Client IP"| Sort-Object -Descending Count | format-table

Returns a table depicting IPs in the log and the number of times they appear.

.EXAMPLE
PS C:\> .\Invoke-DNSLogParser -Path ".\dns.log" | format-table

Parses the log file and returns the data in a human-readable format.

.NOTES
The debug log is attacker-influenced input (query names arrive from clients), so treat the
Query column as untrusted text: quote it if it is ever passed to another command, and expect
odd characters. Rows that do not match the expected layout, and rows containing
'ERROR offset' or 'NOTIMP', are dropped silently unless -Verbose/-Debug is used. Entries in
-Ignore are compared against the parsed [ipaddress] of each row.

.LINK
https://gallery.technet.microsoft.com/scriptcenter/Get-DNSDebugLog-Easy-ef048bdf
#>



[CmdletBinding()]
Param(
# Path to the DNS debug log; must exist.
[Parameter(Mandatory=$true)]
[string]
[ValidateScript({Test-Path($_)})]
$Path,
# Client IPs whose rows are omitted from the output.
[Parameter(Mandatory=$False)]
[string[]]
$Ignore
)


Write-Verbose "Storing DNS logfile format"
# One regex for a debug-log row: date, time, thread/packet id, protocol, Snd/Rcv, client IP,
# xid, QR flag, opcode, flags in [], query type, then the "(n)label(n)label" name. The capture
# groups are read by position from $temp below (1=date, 2=time, 5=Snd/Rcv, 6=IP, 8=QR,
# 9=opcode, 10=type, 11=name).
$dnspattern = "^([0-9]{1,2}\/[0-9]{2}\/[0-9]{2,4}|[0-9]{2,4}-[0-9]{2}-[0-9]{2}) ([0-9: ]{7,8}\s?P?A?M?) ([0-9A-Z]{3,4} PACKET\s*[0-9A-Za-z]{8,16}) (UDP|TCP) (Snd|Rcv) ([0-9 .]{7,15}) ([0-9a-z]{4}) (.) (.) \[.*\] (.*) (\(.*)"
Write-Verbose "Storing storing returning customobject format"
# Calculated properties for Select-Object. They read the script-scope $temp array that the row
# loop fills from [regex]::split, so this table only produces values after $temp has been set.
# The Query expression rewrites e.g. "(3)www(7)example(3)com(0)" to "www.example.com.".
$returnselect = @{label="Client IP";expression={[ipaddress] ($temp[6]).trim()}},
@{label="DateTime";expression={[DateTime] (Get-Date("$($temp[1]) $($temp[2])"))}},
@{label="QR";expression={switch($temp[8]){" " {'Query'};"R" {'Response'}}}},
@{label="OpCode";expression={switch($temp[9]){'Q' {'Standard Query'};'N' {'Notify'};'U' {'Update'};'?' {'Unknown'}}}},
@{label="Way";expression={$temp[5]}},
@{label="QueryType";expression={($temp[10]).Trim()}},
@{label="Query";expression={$temp[11] -replace "(`\(.*)","`$1" -replace "`\(.*?`\)","." -replace "^.",""}}


Write-Verbose "Getting the contents of $Path, and matching for correct rows."
# The whole file is read into memory; only rows matching the pattern survive.
$rows = (Get-Content $Path) -match $dnspattern -notmatch 'ERROR offset' -notmatch 'NOTIMP'
Write-Verbose "Found $($rows.count) in debuglog, processing 1 at a time."
ForEach ($row in $rows)
{
Try
{
$temp = $Null
# Split on the same pattern: element 0 is the empty prefix, 1..11 are the capture groups.
$temp = [regex]::split($row,$dnspattern)
if ($Ignore -notcontains ([ipaddress] ($temp[6]).trim()))
{
# $true is only a pipeline carrier; every column is computed from $temp.
$true | Select-Object $returnselect
}
}
Catch
{
# e.g. a client IP that does not parse as [ipaddress]; the row is dropped.
Write-Verbose 'Failed to interpet row.'
Write-Debug 'Failed to interpet row.'
Write-Debug $row
}
}


-------------------------------------------------------------------------------- /McAfee/Get-MalwareDomains.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
This script takes the domains.txt file that you will download from malware-domains.com and creates a perfectly formatted .xml file to be imported into McAfee HIPS
Firewall.

.USAGE
1) Download and uncompress the domains file located at http://malware-domains.com/files/domains.zip
2) Run this script from the same directory in which the domains.txt file is located
3) Once complete, a file called Domains_DNS_Policy.xml will be created
4) Import the policy into McAfee Hips Firewall

WARNING
When I uploaded over 14000 entries to HIPS, the system began moving really slow. I recommend that you slim down the amount of records you upload. I could not
find any documentation from McAfee concerning the matter.
15 | #> 16 | 17 | 18 | # Returns only the website name 19 | $sites_spaces = Get-Content .\domains.txt | select -skip 4 | Foreach {($_ -split '\s+',4)[0..1]} 20 | 21 | # Removes empty (blank) lines 22 | $just_sites = $sites_spaces | where {$_ -ne ""} 23 | 24 | # Count the number of lines in the file 25 | $total_lines = $just_sites.count 26 | 27 | # Makes a list of the numbers 28 | $lines = 0..$total_lines | select -skiplast 1 29 | 30 | # Loops through the numbers and the site names and combines them in the desired format 31 | for($i=0; $i -lt $just_sites.length; $i++) 32 | { 33 | '' >> block.txt 34 | } 35 | 36 | # Adds the other parts of the file 37 | $top_part = ' 38 | 39 | 40 | 41 |
' 42 | 43 | $bottom_part = ' 44 | 45 | 46 |
47 |
48 | 49 | Media2::Settings (E539ADEB-BAA4-46D3-833E-5A6C400D9DAE) 50 | 51 |
' 52 | 53 | # Combines all parts of the file together 54 | Add-Content -Path "Domains_DNS_Policy.txt" -Value ($top_part) 55 | Add-Content -Path "Domains_DNS_Policy.txt" -Value (Get-Content ".\block.txt") 56 | Add-Content -Path "Domains_DNS_Policy.txt" -Value ($bottom_part) 57 | 58 | # Renames the .txt file to .xml... the format needed to import the file into McAfee HIPs 59 | Rename-Item .\Domains_DNS_Policy.txt .\Domains_DNS_Policy.xml -------------------------------------------------------------------------------- /Registry/Get-RegKeyExport.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Gets the specified Registry Hive or Key from a supplied list of systems. The hive can be imported into another machine for analysis, if desired. 4 | 5 | .PARAMETER computername 6 | Specifies a single IP or text file containing computer names or IPs. 7 | 8 | .PARAMETER Reg 9 | Specifies the Registry Hive or Key to export 10 | 11 | .PARAMETER RegOutput 12 | Specifies the name of the exported Registry Hive or Key 13 | 14 | .EXAMPLE 15 | PS C:\> .\Get-RegKeyExport.ps1 -computername 172.16.155.201 -Reg system\currentcontrolset\services -RegOutput Export_Services.reg 16 | 17 | Exports the 'Services' Key on 172.16.155.201 and names it 'Export_Services.reg' 18 | 19 | .EXAMPLE 20 | PS C:\> .\Get-RegKeyExport.ps1 -computername c:\users\blue\desktop\computers.txt -Reg software\microsoft\windows -RegOutput Export_Windows.reg 21 | 22 | Exports the 'Windows' Key on the systems listed in computers.txt and names it 'Export_Windows.reg' 23 | 24 | 25 | .NOTES: 26 | In my testing, some Registry Keys did not work but backing up one or two Keys above, worked well. In the end, the targeted Key 27 | was retrieve, it just required getting a little more than desired. 
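
For example:
When trying to get 'reg export hklm\software\microsoft\windows\currentverion\run', an error appeared but doing 'reg export
hklm\software\microsoft\windows' worked well. We not only got the data from the Run Key but also everything else within the
Windows Key and its Sub-Keys.
(Note that the failing path above misspells "currentversion"; reg export of a key that does not exist fails, which is the
most likely cause of that error rather than any depth limit.)

Security notes:
- The export lands in the root of C:\ on the target, where other local accounts may be able to read it, until it is
  removed below. Service and Run-key data reveal a lot about the host; pull and delete promptly.
- $Reg is spliced into a command line unquoted. It is operator input, so this is not an injection risk by itself,
  but do not feed it from an untrusted source.
- Win32_Process.Create runs as the account used for the WMI connection, which needs admin rights on the target.
#>


param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Reg,
    [Parameter(Mandatory=$true)][string]$RegOutput
)

# Longest time to wait for 'reg export' on one host before giving up on the retrieval.
$timeoutSeconds = 120

Function call
{
    # Loops through the supplied list of computers and exports the Hive or Key
    foreach($computer in $cpu)
    {
        $name = $computer + '_' + $RegOutput
        # WMI process-creation handle for the remote host
        $Action = [wmiclass] "\\$computer\ROOT\CIMv2:Win32_Process"

        # Start 'reg export'. /y overwrites a stale export from an earlier run; without it
        # reg.exe prompts for confirmation in a session nobody can answer and hangs.
        $Method = $Action.create("reg export hklm\$reg c:\$name /y")
        if ($Method.ReturnValue -ne 0)
        {
            # Non-zero means the process never started (2 = access denied, 8 = unknown failure);
            # there is no file to fetch, so record it and move on.
            Write-Warning "$computer : Win32_Process.Create returned $($Method.ReturnValue)"
            continue
        }

        # Wait for the export to finish instead of a fixed 5-second sleep, which missed or
        # truncated large hives. Poll the PID until it disappears or the timeout expires.
        $waited = 0
        while ((Get-WmiObject -ComputerName $computer -Class Win32_Process -Filter "ProcessId=$($Method.ProcessId)") -and $waited -lt $timeoutSeconds)
        {
            Start-Sleep -Seconds 1
            $waited++
        }
        if ($waited -ge $timeoutSeconds)
        {
            Write-Warning "$computer : reg export still running after $timeoutSeconds s; skipping retrieval"
            continue
        }

        # Retrieves the Registry Hive or Key from the distant machine and saves it locally
        if (Test-Path \\$computer\c$\$name)
        {
            Copy-Item \\$computer\c$\$name .\
            # Deletes the export on the distant machine
            Remove-item \\$computer\c$\$name
        }
        else
        {
            Write-Warning "$computer : no export produced for hklm\$reg"
        }
    }
}

# ComputerName is a single host/IP or a .txt file listing them one per line. (The original
# third branch was unreachable: -notcontains on a string is true for anything but ".txt".
# The "$exe = $path.split(...)" lines were dropped: $path is not defined in this script and
# the call threw on every run.)
if($ComputerName -like '*.txt')
{
    $cpu = Get-Content $ComputerName | Where-Object { $_.Trim() -ne '' }
}
else
{
    $cpu = $ComputerName
}
Call

-------------------------------------------------------------------------------- /Registry/Get-ShellBags/Get-ShellBags.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
This script is a wrapper to remotely execute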
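ShellbagsView.exe across multiple systems and returns the data to the local machine in a csv. The results
are consolidated on the local machine and are best read in using 'out-gridview'.


**** IMPORTANT *****
This will only get Shellbags of the user that ran this script. With that said, running it as admin may not be what you want to do.
The process is created through WMI, so "the user that ran this script" is the account used for the WMI connection; for other
profiles pull the user's NTUSER.DAT (and UsrClass.dat) and parse them offline, e.g. with RegRipper.

.PARAMETER ComputerName
Used to specify a computer or a .txt file listing computers, one per line

.PARAMETER Path
Used to specify the local path to shellbagsview.exe; it is copied to the root of C: on each target

.EXAMPLE
PS C:\> .\Get-ShellBags.ps1 -computername 172.16.155.201 -path c:\shellbagsview.exe

Runs shellbagsview.exe on 172.16.155.201.

.NOTES
http://www.nirsoft.net/utils/shell_bags_view.html
The CSV is written to c:\users\public on the target, which other local accounts can read, until the retrieve step deletes it.
The remote command line assumes the copied file is named shellbagsview.exe.

#>


param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Path
)

# Remote command line; the Public profile is used for output so the admin-share copy can fetch it.
$syntax = 'C:\shellbagsview.exe /scomma c:\users\public\shellbags.csv'

# Local collection folder for per-host CSVs and the error log.
if(!(test-path c:\users\$env:USERNAME\desktop\shellbags))
{
    new-item c:\users\$env:USERNAME\desktop\shellbags -ItemType directory | out-null
}

# File name the tool will have in the remote C:\ root.
$exe = Split-Path $Path -Leaf

Function call
{
    foreach($cpu in $computers)
    {
        # Stage the tool unless it is already there. (The original checked \\$cpu\c$\$path
        # with the full local path, which never matches, so it copied on every run.)
        if(!(test-path \\$cpu\c$\$exe))
        {Copy-Item $path \\$cpu\c$\.}
        $proc = Invoke-WmiMethod -ComputerName $cpu -Class Win32_Process -Name Create -ArgumentList "powershell /c $syntax"
        if($proc.processid -ne $null)
        {
            # Print the exit code when the remote process ends.
            $my_var = Register-WmiEvent -ComputerName $cpu -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $cpu -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"}
        }
        else
        {
            "$cpu : Not accessible via WMI" >> c:\users\$env:USERNAME\desktop\shellbags\_Log.txt
        }

        write-host 'Process call initiated on'$cpu'...' `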
-ForegroundColor cyan 59 | } 60 | # Allow time for the command to run 61 | sleep 20 62 | } 63 | 64 | 65 | Function retrieve 66 | { 67 | foreach($cpu in $computers) 68 | { 69 | copy-Item \\$cpu\c$\users\public\shellbags.csv c:\users\$env:USERNAME\desktop\shellbags\ 70 | rename-item c:\users\$env:USERNAME\desktop\shellbags\shellbags.csv c:\users\$env:USERNAME\desktop\shellbags\$cpu-$env:USERNAME-shellbags.csv 71 | 72 | remove-item \\$cpu\c$\shellbagsView.exe 73 | remove-item \\$cpu\c$\users\public\shellbags.csv 74 | 75 | write-host 'Pulling data back from'$cpu'...' -ForegroundColor green 76 | } 77 | } 78 | 79 | 80 | # Parameters received at the start of running the script 81 | if($ComputerName -like '*.txt') 82 | { 83 | $computers = Get-content $computername 84 | call 85 | retrieve 86 | } 87 | elseif($ComputerName -notcontains '.txt') 88 | { 89 | $computers = $ComputerName 90 | call 91 | retrieve 92 | } 93 | else{Echo 'No IP or a file containing IPs were specified'} -------------------------------------------------------------------------------- /Exchange/Search Exchange Mailbox.txt: -------------------------------------------------------------------------------- 1 | # NOTE: The user you use to query Excahnge with must have the Discovery Management RBAC Role. 2 | 3 | # Add a user to the Discovery Management RBAC Role 4 | Add-RoleGroupMember "discovery management" -member [some_user] 5 | 6 | <# 7 | Searches for emails with attachments that begin with the names "document1" or "document2", regardless of the file extension. For any hits, a log file containing metadata about 8 | the message (user, read status, sent date/time, etc.) will be saved to a folder called "Search_Nov13" within the "ftomlinson" mailbox. 
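#>
# NOTE: Search-Mailbox without -LogOnly COPIES every matching message into the target mailbox as well as writing the
# log, so "ftomlinson" would end up holding mail from every mailbox in the org, which is itself a data-exposure event.
# The comments in this file describe only a metadata log, so -LogOnly is used throughout; drop it only if copies of
# the messages are genuinely needed. Scope the search (Get-Mailbox -Filter / -OrganizationalUnit) instead of the whole
# org where possible, and remove the Discovery Management membership again when the investigation is finished.
# Search-Mailbox is the legacy cmdlet; current Exchange / Exchange Online use New-ComplianceSearch for the same work.
# Each OR term has to be scoped separately: 'Attachment:"document1.*" or "document2.*"' scopes only the first term
# to the attachment name and lets the second match anywhere in the message.
Get-Mailbox | Search-Mailbox -SearchQuery 'Attachment:"document1.*" OR Attachment:"document2.*"' -TargetMailbox "ftomlinson" -TargetFolder "Search_Nov13" -LogOnly -LogLevel Full

<#
Searches for emails with attachments that end with the names "*.doc" or "*.pdf". For any hits, a log file containing metadata about the message (user, read status, sent
date/time, etc.) will be saved to a folder called "Search_Nov13" within the "ftomlinson" mailbox.
#>
Get-Mailbox | Search-Mailbox -SearchQuery 'Attachment:"*.doc" OR Attachment:"*.pdf"' -TargetMailbox "ftomlinson" -TargetFolder "Search_Nov13" -LogOnly -LogLevel Full

<#
Searches for emails where "pineapples@sandbox.local" is in the From field. For any hits, a log file containing metadata about the message (user, read status, sent date/time,
etc.) will be saved to a folder called "Search_Nov13" within the "ftomlinson" mailbox.
#>
Get-Mailbox | Search-Mailbox -SearchQuery 'from:"pineapples@sandbox.local"' -TargetMailbox "ftomlinson" -TargetFolder "Search_Nov13" -LogOnly -LogLevel Full

<#
Searches for emails where "pineapples@sandbox.local" is in the To field. For any hits, a log file containing metadata about the message (user, read status, sent date/time,
etc.) will be saved to a folder called "Search_Nov13" within the "ftomlinson" mailbox.
#>
Get-Mailbox | Search-Mailbox -SearchQuery 'to:"pineapples@sandbox.local"' -TargetMailbox "ftomlinson" -TargetFolder "Search_Nov13" -LogOnly -LogLevel Full

<#
Searches for emails where "pineapples@sandbox.local" is in the CC field. For any hits, a log file containing metadata about the message (user, read status, sent date/time,
etc.) will be saved to a folder called "Search_Nov13" within the "ftomlinson" mailbox.
#>
Get-Mailbox | Search-Mailbox -SearchQuery 'cc:"pineapples@sandbox.local"' -TargetMailbox "ftomlinson" -TargetFolder "Search_Nov13" -LogOnly -LogLevel Full

<#
Searches for emails where "bojangles@sandbox.local" is in the From, To, CC, or BCC fields. For any hits, a log file containing metadata about the message (user, read status,
sent date/time, etc.) will be saved to a folder called "Search_Nov13" within the "ftomlinson" mailbox.
#>
Get-Mailbox | Search-Mailbox -SearchQuery 'Participants:"bojangles@sandbox.local"' -TargetMailbox "ftomlinson" -TargetFolder "Search_Nov13" -LogOnly -LogLevel Full

<#
Searches emails for the keyword of "badword1" or "badword2". For any hits, a log file containing metadata about the message (user, read status,
sent date/time, etc.) will be saved to a folder called "Search_Nov13" within the "ftomlinson" mailbox.
The whole query must be one quoted PowerShell argument; the original passed "badword1" or "badword2" as three separate arguments and failed to bind.
#>
Get-Mailbox | Search-Mailbox -SearchQuery '"badword1" OR "badword2"' -TargetMailbox "ftomlinson" -TargetFolder "Search_Nov13" -LogOnly -LogLevel Full

-------------------------------------------------------------------------------- /Disk/Invoke-$MFT/Invoke-$MFT.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
This script uses RawCopy to get $MFTs on remote systems and pulls that file back to the local machine.

.PARAMETER ComputerName
Specify a single IP or a text file containing multiple IPs.

.PARAMETER Path
Specify path to rawcopy.exe.

.EXAMPLE
PS C:\> .\Invoke-$MFT.ps1 -ComputerName 172.16.155.201 -Path c:\users\blue\desktop\rawcopy.exe

Runs rawcopy.exe from the local machine's desktop on 172.16.155.201 in order to get the $MFT.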
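
.LINKS
https://github.com/jschicht/RawCopy
https://github.com/jschicht/Mft2Csv

.NOTES
The $MFT is written to c:\users\public on the target, where other local accounts can read it, until the
retrieve step deletes it; it lists every file name on the volume, so treat the pulled copy as sensitive.
The tool runs as the account used for the WMI connection (raw volume access needs administrative rights).

#>

param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Path
)

# Local collection folder.
if(!(test-path c:\users\$env:USERNAME\desktop\MFTs))
{
    new-item c:\users\$env:USERNAME\desktop\MFTs -ItemType directory | out-null
}


Function call
{
    foreach($cpu in $computers)
    {
        # Replace any stale copy from an earlier run, then stage the tool and the driver script.
        if(test-path \\$cpu\c$\rawcopy.exe)
        {
            remove-item \\$cpu\c$\rawcopy.exe
        }
        Copy-Item $path \\$cpu\c$\.
        copy-item rawcopy.ps1 \\$cpu\c$\.

        $proc = Invoke-WmiMethod -ComputerName $cpu -Class Win32_Process -Name Create -ArgumentList "powershell /c c:\rawcopy.ps1"
        if($proc.processid -ne $null)
        {
            # Print the exit code when the remote process ends.
            $my_var = Register-WmiEvent -ComputerName $cpu -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $cpu -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"}
        }
        else
        {
            # Fixed: the original logged "$pu", an undefined variable, so the host name was blank.
            "$cpu : Not accessible via WMI" >> c:\users\$env:USERNAME\desktop\MFTs\_Log.txt
        }

        write-host 'Process call initiated on' $cpu'...' -ForegroundColor cyan
    }
}


Function retrieve
{
    foreach($cpu in $computers)
    {
        # Pull the $MFT back under a per-host name, then clean up the staged files on the target.
        copy-Item \\$cpu\c$\users\public\$mft_record c:\users\$env:USERNAME\Desktop\MFTs
        rename-item c:\users\$env:USERNAME\Desktop\MFTs\$mft_record c:\users\$env:USERNAME\Desktop\MFTs\$cpu-$mft_record
        remove-item \\$cpu\c$\RawCopy.ps1
        remove-item \\$cpu\c$\RawCopy.exe
        remove-item \\$cpu\c$\users\public\$mft_record

        write-host 'Pulling data back from' $cpu'...' `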
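-ForegroundColor green
    }
}


# making script: RawCopy extracts the $MFT to the Public folder on the target.
# Recreate the driver script on every run; the original only appended with >>, so a second
# run produced a script that invoked RawCopy twice.
if (Test-Path .\rawcopy.ps1) { Remove-Item .\rawcopy.ps1 }
"c:\RawCopy.exe /FileNamePath:\\.\PhysicalDrive0:0 /ImageVolume:1 /OutputPath:c:\users\public" >> .\rawcopy.ps1

# Name RawCopy gives the extracted file in the output folder.
$mft_record = '$mft'

# ComputerName is a single host or a .txt file listing hosts one per line. (The original third
# branch was unreachable: -notcontains on a string is true for anything but the literal ".txt".)
if($ComputerName -like '*.txt')
{
    $computers = Get-Content $ComputerName | Where-Object { $_.Trim() -ne '' }
}
else
{
    $computers = $ComputerName
}
call
# Allow time for the command to run
sleep 25
retrieve

# The driver script has been copied to every host; drop the local copy.
Remove-Item .\rawcopy.ps1




-------------------------------------------------------------------------------- /Disk/Invoke-USNJRNL/Invoke-USNJRNL.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
This script uses ExtractUsnJrnl to dump the $UsnJrnl:$J change journal on remote systems, packs it with makecab, and pulls the .cab back to the local machine.

.PARAMETER ComputerName
Specify a single IP or a text file containing multiple IPs.

.PARAMETER Path
Specify path to ExtractUsnJrnl.exe.

.EXAMPLE
PS C:\> .\Invoke-USNJRNL.ps1 -ComputerName 172.16.155.201 -Path c:\users\blue\desktop\ExtractUsnJrnl.exe

Runs ExtractUsnJrnl.exe on 172.16.155.201 and brings back <hostname>-jrnl.cab.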
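
.LINKS
https://github.com/jschicht/ExtractUsnJrnl
https://github.com/jschicht/UsnJrnl2Csv

.NOTES
The journal dump and the .cab are written to c:\users\public on the target, where other local
accounts can read them, until the retrieve step removes them. The $J data records file
create/modify/delete activity on the volume, so handle the pulled copy as evidence.
The tool runs as the account used for the WMI connection.

#>

param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Path
)

# Local collection folder.
if(!(test-path c:\users\$env:USERNAME\desktop\USNJRNL))
{
    new-item c:\users\$env:USERNAME\desktop\USNJRNL -ItemType directory | out-null
}

# Start from a fresh driver script; the lines below append to it.
if(test-path .\usnjrnl.ps1)
{
    remove-item .\usnjrnl.ps1 -ErrorAction SilentlyContinue
}


Function call
{
    foreach($cpu in $computers)
    {
        # Replace a stale copy, then stage the tool and the driver script in the C:\ root.
        if(test-path \\$cpu\c$\ExtractUsnJrnl.exe)
        {
            remove-item \\$cpu\c$\ExtractUsnJrnl.exe
        }
        Copy-Item $path \\$cpu\c$\.
        copy-item usnjrnl.ps1 \\$cpu\c$\.

        $proc = Invoke-WmiMethod -ComputerName $cpu -Class Win32_Process -Name Create -ArgumentList "powershell /c c:\usnjrnl.ps1"
        if($proc.processid -ne $null)
        {
            # Print the exit code when the remote process ends.
            $my_var = Register-WmiEvent -ComputerName $cpu -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $cpu -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"}
        }
        else
        {
            # Fixed: the original logged "$pu", an undefined variable, so the host name was blank.
            "$cpu : Not accessible via WMI" >> c:\users\$env:USERNAME\desktop\USNJRNL\_Log.txt
        }

        write-host 'Process call initiated on' $cpu'...' -ForegroundColor cyan
    }
}


Function retrieve
{
    foreach($cpu in $computers)
    {
        # Pull back the per-host .cab and clean up the staged files on the target.
        copy-Item \\$cpu\c$\users\public\*-jrnl.cab c:\users\$env:USERNAME\Desktop\usnjrnl
        remove-item \\$cpu\c$\usnjrnl.ps1
        remove-item \\$cpu\c$\ExtractUsnJrnl.exe
        remove-item \\$cpu\c$\users\public\*J.bin
        remove-item \\$cpu\c$\users\public\*-jrnl.cab
        # The local driver script is deleted on the first pass; guard it so later hosts do
        # not raise a missing-file error.
        if (Test-Path .\usnjrnl.ps1) { Remove-Item .\usnjrnl.ps1 }

        write-host 'Pulling data back from' $cpu'...' `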
-ForegroundColor green
}
}


# making script: dump $UsnJrnl:$J to the Public folder on the target, then cab it under the host
# name so the retrieve step can fetch *-jrnl.cab. The "`$" escapes keep $UsnJrnl_$J literal in
# the generated file and leave $env:COMPUTERNAME to be expanded on the remote host, not here.
"C:\ExtractUsnJrnl.exe /DevicePath:c: /OutputPath:C:\users\public | out-null " >> .\usnjrnl.ps1
"makecab 'C:\users\public\`$UsnJrnl_`$J.bin' C:\users\public\`$env:COMPUTERNAME-jrnl.cab | Out-Null " >> .\usnjrnl.ps1

# Single host or a .txt list of hosts. NOTE(review): the final else cannot be reached,
# because -notcontains on a string is true for anything except the literal ".txt".
if($ComputerName -like '*.txt')
{
$computers = Get-content $computername
call
# Allow time for the command to run
sleep 45
retrieve
}
elseif($ComputerName -notcontains '.txt')
{
$computers = $ComputerName
call
# Allow time for the command to run
sleep 45
retrieve
}
else{Echo 'No IP or a file containing IPs were specified'}




-------------------------------------------------------------------------------- /System_Information/Get-LastActivity/Get-LastActivity.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
This script is a wrapper to remotely execute LastActivity.exe across multiple systems and returns the data to the local machine in a csv. The results
are consolidated on the local machine and are best read in using 'out-gridview'.

LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made
by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, Opening open/save dialog-box, Opening
file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more...

# **** IMPORTANT *****
# The tool runs as the account used for the WMI connection, so any per-user sources it reads reflect that account's profile, not the interactive user's. With that said, running it as admin may not be what you want to do.
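
.NOTES
http://www.nirsoft.net/utils/computer_activity_view.html

$computers = Get-Content c:\users\blue\desktop\computers.txt
$path = 'C:\Users\blue\Desktop\Tools\lastactivityview\LastActivityView.exe'
#>


param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Path
)

# Leaf name of the tool as it will exist on each target's C:\ (Copy-Item keeps the file name).
$exe = Split-Path -Path $Path -Leaf
# Command the WMI-started process runs on the target; /scomma writes the report as CSV.
$syntax = "C:\$exe /scomma c:\users\public\LastActivity.csv"
# Local folder that receives one CSV per host plus the WMI failure log.
$outDir = "c:\users\$env:USERNAME\desktop\LastActivity"

if(!(Test-Path $outDir))
{
    New-Item $outDir -ItemType directory | Out-Null
}


# Copies the tool to each target (when not already there) and starts it through WMI.
# Hosts that return no process id are written to _Log.txt. Reads script-scope $computers.
Function call
{
    foreach($cpu in $computers)
    {
        # Bug fix: the original tested "\\$cpu\c$\$path" with the full local path of the
        # tool, which can never exist on the share; compare against the leaf name instead.
        if(!(Test-Path \\$cpu\c$\$exe))
        {
            Copy-Item $Path \\$cpu\c$\.
        }
        $proc = Invoke-WmiMethod -ComputerName $cpu -Class Win32_Process -Name Create -ArgumentList "powershell /c $syntax"
        # Echoes the exit status when the remote process ends; the subscription stays registered for this session.
        $null = Register-WmiEvent -ComputerName $cpu -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $cpu -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"}
        if($null -eq $proc.ProcessId)
        {
            "$cpu : Not accessible via WMI" >> "$outDir\_Log.txt"
        }

        Write-Host 'Process call initiated on'$cpu'...' -ForegroundColor cyan
    }
    # Allow time for the command to run
    sleep 20
}


# Pulls each host's CSV back as <host>-<operator>-LastActivity.csv and removes the
# tool and the CSV from the target.
Function retrieve
{
    foreach($cpu in $computers)
    {
        # Copy straight to the final name instead of copy-then-rename.
        Copy-Item \\$cpu\c$\users\public\LastActivity.csv "$outDir\$cpu-$env:USERNAME-LastActivity.csv"

        Remove-Item \\$cpu\c$\$exe
        Remove-Item \\$cpu\c$\users\public\LastActivity.csv

        Write-Host 'Pulling data back from'$cpu'...' -ForegroundColor green
    }
}


# Parameters received at the start of running the script
if($ComputerName -like '*.txt')
{
    if(!(Test-Path $ComputerName))
    {
        Write-Error "Host list '$ComputerName' was not found"
        return
    }
    # Bug fix: the original assigned "$ccomputers" here, so a host list never ran anything.
    $computers = Get-Content $ComputerName | Where-Object { $_.Trim() }
}
else
{
    # "-notcontains '.txt'" in the original was true for every value except ".txt" itself,
    # so the Echo branch was unreachable; a plain else covers the single-host case.
    $computers = $ComputerName
}

if(!$computers)
{
    Echo 'No IP or a file containing IPs were specified'
    return
}

call
retrieve
--------------------------------------------------------------------------------
/Registry/Get-UserAssist/Get-UserAssist.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
This script is a wrapper to remotely execute UserAssistView.exe across multiple systems and returns the data to the local machine in a csv. The results
are consolidated on the local machine and are best read in using 'out-gridview'.

UserAssistView.exe decrypts and displays the list of all UserAssist entries stored under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
\UserAssist key. The UserAssist key contains information about the exe files and links that you open frequently. The program will only get this data from the user currently logged in. If you want to parse this data for other users on the system, get the
NTUSER.dat file and use RegRipper against it.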
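
**** IMPORTANT *****
This will only get the UserAssist of the user that ran this script. With that said, running it as admin may not be what you want to do.

.PARAMETER ComputerName
Used to specify a computer or list of computers

.PARAMETER Path
Used to specify the path to userassistview.exe

.EXAMPLE
PS C:\> .\Get-UserAssist.ps1 -computername 172.16.155.201 -path c:\userassistview.exe

Runs userassistview.exe on 172.16.155.201.

.NOTES
http://www.nirsoft.net/utils/userassist_view.html

#>


param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Path
)

# Leaf name of the tool as it will exist on each target's C:\ (Copy-Item keeps the file name).
$exe = Split-Path -Path $Path -Leaf
# Command the WMI-started process runs on the target; /scomma writes the report as CSV.
$syntax = "C:\$exe /scomma c:\users\public\UserAssist.csv"
# Local folder that receives one CSV per host plus the WMI failure log.
$outDir = "c:\users\$env:USERNAME\desktop\UserAssist"

if(!(Test-Path $outDir))
{
    New-Item $outDir -ItemType directory | Out-Null
}


# Copies the tool to each target (when not already there) and starts it through WMI.
# Hosts that return no process id are written to _Log.txt. Reads script-scope $computers.
Function call
{
    foreach($cpu in $computers)
    {
        # Bug fix: the original tested "\\$cpu\c$\$path" with the full local path of the
        # tool, which can never exist on the share; compare against the leaf name instead.
        if(!(Test-Path \\$cpu\c$\$exe))
        {
            Copy-Item $Path \\$cpu\c$\.
        }
        $proc = Invoke-WmiMethod -ComputerName $cpu -Class Win32_Process -Name Create -ArgumentList "powershell /c $syntax"
        # Echoes the exit status when the remote process ends; the subscription stays registered for this session.
        $null = Register-WmiEvent -ComputerName $cpu -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $cpu -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"}
        if($null -eq $proc.ProcessId)
        {
            "$cpu : Not accessible via WMI" >> "$outDir\_Log.txt"
        }

        Write-Host 'Process call initiated on'$cpu'...' -ForegroundColor cyan
    }
    # Allow time for the command to run
    sleep 20
}


# Pulls each host's CSV back as <host>-<operator>-UserAssist.csv and removes the
# tool and the CSV from the target.
Function retrieve
{
    foreach($cpu in $computers)
    {
        # Copy straight to the final name instead of copy-then-rename.
        Copy-Item \\$cpu\c$\users\public\UserAssist.csv "$outDir\$cpu-$env:USERNAME-UserAssist.csv"

        Remove-Item \\$cpu\c$\$exe
        Remove-Item \\$cpu\c$\users\public\UserAssist.csv

        Write-Host 'Pulling data back from'$cpu'...' -ForegroundColor green
    }
}


# Parameters received at the start of running the script
if($ComputerName -like '*.txt')
{
    if(!(Test-Path $ComputerName))
    {
        Write-Error "Host list '$ComputerName' was not found"
        return
    }
    $computers = Get-Content $ComputerName | Where-Object { $_.Trim() }
}
else
{
    # "-notcontains '.txt'" in the original was true for every value except ".txt" itself,
    # so the Echo branch was unreachable; a plain else covers the single-host case.
    $computers = $ComputerName
}

if(!$computers)
{
    Echo 'No IP or a file containing IPs were specified'
    return
}

call
retrieve
--------------------------------------------------------------------------------
/System_Information/Invoke-SysMon/Invoke-SysMon.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Deploys SysInternals' Sysmon against remote systems.

.PARAMETER ComputerName
Specify a single IP or a text file containing multiple IPs.

.PARAMETER Path
Specify path to the executable.

.EXAMPLE
PS C:\> .\Invoke-Sysmon.ps1 -ComputerName 172.16.155.201 -Path C:\users\blue\Desktop\SysMon64.exe

Runs SysMon against 172.16.155.201.

.EXAMPLE
PS C:\> .\Invoke-SysMon.ps1 -ComputerName .\computers.txt -Path C:\users\blue\Desktop\SysMon64.exe

Runs SysMon against systems in the computers.txt file.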
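
.LINK
https://technet.microsoft.com/en-us/sysinternals/sysmon
#>


param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Path
)

# Leaf name of the Sysmon binary (Sysmon.exe or Sysmon64.exe). The helper script, the
# clean-up and the service check all derive from it; the original hard-coded SysMon64.exe
# on the targets even though $exe was computed, so a 32-bit binary was never executed.
$exe = Split-Path -Path $Path -Leaf
# Sysmon registers its service under the executable's base name (Sysmon / Sysmon64).
$svc = [System.IO.Path]::GetFileNameWithoutExtension($exe)
# WMI failure log and the post-install service report, both on the operator's desktop.
$logFile = "c:\users\$env:USERNAME\desktop\SysMon_Install.txt"
$report = "c:\users\$env:USERNAME\Desktop\SysMon_Installs.txt"

if(Test-Path $logFile)
{
    Remove-Item $logFile
}
if(Test-Path $report)
{
    Remove-Item $report
}

# The helper is built with '>>' below; drop any stale copy so a previous run's
# lines are not executed again on every target.
if(Test-Path .\SysMon.ps1)
{
    Remove-Item .\SysMon.ps1 -ErrorAction SilentlyContinue
}


# Stages the binary and the helper on each target's C$ share and starts the helper
# through WMI. Hosts that return no process id are written to the failure log.
Function call
{
    foreach($cpu in $computers)
    {
        if(Test-Path \\$cpu\c$\$exe)
        {
            Remove-Item \\$cpu\c$\$exe -ErrorAction SilentlyContinue
        }
        if(Test-Path \\$cpu\c$\SysMon.ps1)
        {
            Remove-Item \\$cpu\c$\SysMon.ps1 -ErrorAction SilentlyContinue
        }

        Copy-Item $Path \\$cpu\c$\.
        Copy-Item .\SysMon.ps1 \\$cpu\c$\.

        $proc = Invoke-WmiMethod -ComputerName $cpu -Class Win32_Process -Name Create -ArgumentList "powershell /c c:\SysMon.ps1"
        # Echoes the exit status when the remote process ends; the subscription stays registered for this session.
        $null = Register-WmiEvent -ComputerName $cpu -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $cpu -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"}
        if($null -eq $proc.ProcessId)
        {
            "$cpu : Not accessible via WMI" >> $logFile
        }

        Write-Host 'Process call initiated on' $cpu'...' -ForegroundColor cyan
    }
}


# Removes the staged helper and binary from every target, then the local helper.
Function retrieve
{
    foreach($cpu in $computers)
    {
        Remove-Item \\$cpu\c$\SysMon.ps1
        Remove-Item \\$cpu\c$\$exe

        Write-Host 'Pulling data back from' $cpu'...' -ForegroundColor green
    }
    # Bug fix: the original removed "<desktop>\SysMon.ps1" inside the loop, but the helper
    # is written to ".\SysMon.ps1"; delete the file that was actually created, once.
    Remove-Item .\SysMon.ps1 -ErrorAction SilentlyContinue
}


# Queries each target for the Sysmon service and appends the result to the report.
Function verify
{
    foreach($computer in $computers)
    {
        # Bug fix: Out-File without -Append overwrote the report on every iteration,
        # so only the last host survived.
        Get-WmiObject -ComputerName $computer -Query "SELECT * FROM Win32_service WHERE name = '$svc'" | Select-Object PSComputername, Name, State | Out-File $report -Append
    }
    Write-Host 'Successful SysMon installation log written to "SysMon_Installs.txt" on the desktop' -ForegroundColor cyan
}


# Helper that runs on each target: installs Sysmon as a service (-i) with network
# connection logging (-n). No configuration file is passed, so the default rule set
# applies until one is loaded with -c.
"c:\$exe -accepteula" >> .\SysMon.ps1
"c:\$exe -i -n -accepteula" >> .\SysMon.ps1


if($ComputerName -like '*.txt')
{
    if(!(Test-Path $ComputerName))
    {
        Write-Error "Host list '$ComputerName' was not found"
        return
    }
    $computers = Get-Content $ComputerName | Where-Object { $_.Trim() }
}
else
{
    # "-notcontains '.txt'" in the original was true for every value except ".txt" itself,
    # so the Echo branch was unreachable; a plain else covers the single-host case.
    $computers = $ComputerName
}

if(!$computers)
{
    Echo 'No IP or a file containing IPs were specified'
    return
}

call
# Allow time for the command to run. NOTE(review): retrieve deletes the binary after this
# delay; five seconds may be short for the service install on slow hosts — confirm.
sleep 5
retrieve
verify


--------------------------------------------------------------------------------
/Registry/Get-RegKeyValueData.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Gets the Value data of specified Value.

.PARAMETER computername
Used to specify a system to retrieve data from.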
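
.EXAMPLE
PS C:\> .\Get-RegValueData.ps1 -Computername 172.16.155.201

Gets data from 172.16.155.201

.EXAMPLE
PS C:\> .\Get-RegValueData.ps1 -ComputerName c:\users\blue\desktop\computers.txt

Gets data from systems listed in computers.txt

.NOTES
When prompted for the registry path, use the example below:

Example 1: hklm:\system\currentcontrolset\services\fax
Example 2: hklm:\software\microsoft\windows nt\currentversion

#>


param(
    [Parameter(Mandatory=$true)][string]$ComputerName
)

Write-Host "Input the path the the Value you want to retrieve data on" -ForegroundColor Cyan
$reg = Read-Host " "

# $reg is written into a script that every target executes, so only accept a plain
# provider path (hklm:\..., hkcu:\..., ...). Quote, backtick and operator characters are
# rejected so the value cannot break out of the single-quoted argument built below.
if($reg -notmatch '^(?i)hk(lm|cu|cr|u|cc):\\[^''"`;|&$]+$')
{
    Write-Error "Expected a registry path such as hklm:\software\microsoft\windows nt\currentversion"
    return
}

$newline = "`r`n"
# Accumulates '<host>+<value>+<data>' lines from every target; consumed by Combine.
# Script scope is required: the original "+=" inside Retrieve created a function-local
# variable that was discarded on return, so nothing ever reached Combine.
$script:new_data = ''

if (Test-Path .\regvalue.ps1)
{
    Remove-Item .\regvalue.ps1
}

# ==============================================================================
# Making script
# ==============================================================================
"Get-ItemProperty -path '$reg'" >> .\regvalue.ps1


# ==============================================================================
# Creating process call
# ==============================================================================
# Copies regvalue.ps1 to each target and runs it through WMI, redirecting its output
# to c:\<host>.txt on the target. Reads the script-scope $cpu list.
Function Call
{
    foreach($computer in $cpu)
    {
        if (Test-Path \\$computer\c$\regvalue.ps1)
        {
            Remove-Item \\$computer\c$\regvalue.ps1
        }
        Copy-Item .\regvalue.ps1 \\$computer\C$\
        # Bug fix: the original discarded the call's result (>$null 2>&1), so hosts that
        # could not be reached over WMI were never reported.
        $proc = Invoke-WmiMethod -Class Win32_Process -Name Create -Computername $computer -ArgumentList "powershell.exe /c c:\regvalue.ps1 > c:\$computer.txt" -ErrorAction SilentlyContinue
        if($null -eq $proc.ProcessId)
        {
            Write-Warning "$computer : Not accessible via WMI"
        }
        else
        {
            Write-Host "Script initiated on $computer" -ForegroundColor green
        }
    }
    sleep 25
}


# ==============================================================================
# Pulling data back
# ==============================================================================
# Copies each target's c:\<host>.txt back, turns the property lines into
# '<host>+<value>+<data>' records in $new_data and removes the staged files.
Function Retrieve
{
    foreach($computer in $cpu)
    {
        Copy-Item \\$computer\c$\$computer.txt .\
        if(!(Test-Path .\$computer.txt))
        {
            Write-Warning "$computer : no output file was retrieved"
            continue
        }
        $read = Get-Content .\$computer.txt
        # Drops the leading lines and the trailing PS* provider lines of the default
        # Get-ItemProperty listing. NOTE(review): this slice depends on that text layout;
        # adjust the offsets if the listing format differs.
        $stripped_data = $read[2..($read.count - 4)]

        Write-Host "Data pulled back from $computer" -ForegroundColor cyan
        foreach ($data in $stripped_data)
        {
            $script:new_data += $computer + '+' + $data.Replace(' : ','+') + $newline
        }
        Remove-Item \\$computer\c$\$computer.txt
        Remove-Item \\$computer\c$\regvalue.ps1
    }
}

# ==============================================================================
# Combining files into a csv
# ==============================================================================
# Bug fix: Combine was commented out in the original but still called below, which
# raised "The term 'combine' is not recognized" on every run.
Function Combine
{
    if(!$new_data)
    {
        Write-Warning "No registry data was collected"
        Remove-Item .\regvalue.ps1 -ErrorAction SilentlyContinue
        return
    }
    Add-Content -Path ".\Reg.txt" -Value ($new_data)
    Import-Csv ".\reg.txt" -Delimiter '+' -Header 'System', 'Value', 'ValueData' | Export-Csv .\RegKeyList.csv
    Remove-Item .\reg.txt
    Remove-Variable new_data -Scope Script -ErrorAction SilentlyContinue
    Remove-Item .\regvalue.ps1
}



# ==============================================================================
# Parameters received at the start of running the script
# ==============================================================================
if($ComputerName -like '*.txt')
{
    if(!(Test-Path $ComputerName))
    {
        Write-Error "Host list '$ComputerName' was not found"
        return
    }
    $cpu = Get-Content $ComputerName | Where-Object { $_.Trim() }
}
else
{
    # "-notcontains '.txt'" in the original was true for every value except ".txt" itself,
    # so the Echo branch was unreachable; a plain else covers the single-host case.
    $cpu = $ComputerName
}

if(!$cpu)
{
    Echo 'No IP or a file containing IPs were specified'
    return
}

Call
Retrieve
Combine





--------------------------------------------------------------------------------
/System_Information/Get-LocalAccounts.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
This script lists all local user accounts.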
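
.DESCRIPTION
This script lists all local user accounts.

.PARAMETER ComputerName
Specifies the computers on which the command runs. The default is the local computer.

.PARAMETER AccountName
Specifies the local user account you want to search.

.PARAMETER Credential
Specifies a user account that has permission to perform this action.

.EXAMPLE
C:\PS> C:\Script\GetLocalAccounts.ps1

This example shows how to list all of local users on local computer.

.EXAMPLE
C:\PS> C:\Script\GetLocalAccounts.ps1 | Export-Csv -Path "D:\LocalUserAccountInfo.csv" -NoTypeInformation

This example will export report to csv file. If you attach the parameter with command, it will omit the type information
from the CSV file. By default, the first line of the CSV file contains "#TYPE " followed by the fully-qualified name of the object type.

.EXAMPLE
C:\PS> C:\Script\GetLocalAccounts.ps1 -AccountName "Administrator","Guest"

This example shows how to list local Administrator and Guest account information on local computer.

.EXAMPLE
C:\PS> $Cre=Get-Credential
C:\PS> C:\Script\GetLocalAccounts.ps1 -Credential $Cre -Computername "WINSERVER"

This example lists all of local user accounts on the WINSERVER remote computer.
#>

Param
(
    [Parameter(Position=0,Mandatory=$false)]
    [ValidateNotNullorEmpty()]
    [Alias('cn')][String[]]$ComputerName=$Env:COMPUTERNAME,
    [Parameter(Position=1,Mandatory=$false)]
    [Alias('un')][String[]]$AccountName,
    [Parameter(Position=2,Mandatory=$false)]
    [Alias('cred')][System.Management.Automation.PsCredential]$Credential
)

# One PSObject per local account, across every computer queried.
$Obj = @()

Foreach($Computer in $ComputerName)
{
    # Build the WMI call once; only the credential differs between the two cases.
    $wmiArgs = @{
        Class        = 'Win32_UserAccount'
        Namespace    = 'root\cimv2'
        Filter       = "LocalAccount='$True'"
        ComputerName = $Computer
        ErrorAction  = 'Stop'
    }
    If($Credential)
    {
        $wmiArgs['Credential'] = $Credential
    }

    try
    {
        $AllLocalAccounts = Get-WmiObject @wmiArgs
    }
    catch
    {
        # Bug fix: -ErrorAction Stop without a catch aborted the whole run on the first
        # unreachable host; report it and carry on with the remaining computers.
        Write-Warning "$Computer : $($_.Exception.Message)"
        continue
    }

    Foreach($LocalAccount in $AllLocalAccounts)
    {
        $Object = New-Object -TypeName PSObject

        $Object|Add-Member -MemberType NoteProperty -Name "Name" -Value $LocalAccount.Name
        $Object|Add-Member -MemberType NoteProperty -Name "Full Name" -Value $LocalAccount.FullName
        $Object|Add-Member -MemberType NoteProperty -Name "Caption" -Value $LocalAccount.Caption
        $Object|Add-Member -MemberType NoteProperty -Name "Disabled" -Value $LocalAccount.Disabled
        $Object|Add-Member -MemberType NoteProperty -Name "Status" -Value $LocalAccount.Status
        $Object|Add-Member -MemberType NoteProperty -Name "LockOut" -Value $LocalAccount.LockOut
        $Object|Add-Member -MemberType NoteProperty -Name "Password Changeable" -Value $LocalAccount.PasswordChangeable
        $Object|Add-Member -MemberType NoteProperty -Name "Password Expires" -Value $LocalAccount.PasswordExpires
        $Object|Add-Member -MemberType NoteProperty -Name "Password Required" -Value $LocalAccount.PasswordRequired
        $Object|Add-Member -MemberType NoteProperty -Name "SID" -Value $LocalAccount.SID
        $Object|Add-Member -MemberType NoteProperty -Name "SID Type" -Value $LocalAccount.SIDType
        $Object|Add-Member -MemberType NoteProperty -Name "Account Type" -Value $LocalAccount.AccountType
        $Object|Add-Member -MemberType NoteProperty -Name "Domain" -Value $LocalAccount.Domain
        $Object|Add-Member -MemberType NoteProperty -Name "Description" -Value $LocalAccount.Description

        $Obj+=$Object
    }
}

# Bug fix: the original emitted $Obj inside the computer loop, so with several
# computers the accounts of earlier hosts were repeated once per later host.
If($AccountName)
{
    Foreach($Account in $AccountName)
    {
        $Obj|Where-Object{$_.Name -like "$Account"}
    }
}
else
{
    $Obj
}
--------------------------------------------------------------------------------
/Splunk/Invoke-SplunkFwdRemover.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Initiator for removing the Splunk Forwarder. This script copies the SplunkRemove.ps1 script to a distant machine and runs it.
#>

# Reads in a list of computer names or IPs that you want the forwarder deleted from
$computers = Get-Content .\computers.txt

# Leaf name of the helper script that is deployed to each machine (copied to C:\ on the target)
$muscle = "SplunkRemove.ps1"

# Makes script. Written in one go with Set-Content: the original appended every line with
# '>>' and never removed a previous copy, so a second run produced a file with the helper
# duplicated and msiexec invoked twice on every target.
$remover = @'
<# This script removes the Splunk Forwarder called 'splunkforwarder-6.4.3-b03109c2bad4-x64-release.msi' from a group of supplied workstations. If you are not removing this
specific version, update the subject string in the Where-Object filter at the end of this script.

#>

Function Get-FileMetaData {

[cmdletbinding()]
param(
    [Parameter(Mandatory = $true,
        ValueFromPipeline = $true,
        ValueFromPipelineByPropertyName = $true)]
    [Alias('FullName', 'PSPath')]
    [string[]]$path
)

begin {
    $oshell = New-Object -ComObject Shell.Application
}

process {
    $path | ForEach-Object {

        if (test-path -path $_ -pathtype leaf) {
            $fileitem = Get-Item -path $_

            $ofolder = $oshell.namespace($fileitem.DirectoryName)
            $oitem = $ofolder.Parsename($fileitem.Name)

            $props = @{}
            # Keep the real path next to the shell columns: the shell's "Name" column follows
            # Explorer's hide-extensions setting, so it is not a reliable file name.
            $props.add('FullPath', $fileitem.FullName)

            0..287 | ForEach-Object{
                $EXTPropName = $ofolder.getdetailsof($ofolder.items, $_)
                $EXTValName = $ofolder.GetDetailsof($oitem, $_)

                if (-not $props.containskey($extpropname) -and
                    ($EXTPropName -ne '')) {
                    $props.add($extpropname, $extvalname)
                }
            }
            New-object PSobject -property $props
        }
    }
}
end {
    $oshell = $null
}
}

# Retrieves a listing of where all .msi are cached on the system and looks for the Splunk one.
$installer_name = gci C:\windows\Installer | Get-FileMetaData | Where-Object {$_.subject -eq 'splunk UniversalForwarder wix 1.0 installer'} | select -First 1 -ExpandProperty FullPath

# Uninstalls the Splunk Forwarder
msiexec.exe /uninstall "$installer_name" /quiet
'@
Set-Content -Path .\$muscle -Value $remover



foreach($computer in $computers)
{

    # Copies the SplunkRemove.ps1 helper to the distant machine
    Copy-Item .\$muscle \\$computer\c$\.

    # Creates a variable for WMI process
    $Action = [wmiclass] "\\$computer\ROOT\CIMv2:Win32_Process"

    # Creates a process call to invoke the uninstall helper; ReturnValue 0 means the process was created
    $Method = $Action.create('powershell /c c:\SplunkRemove.ps1')
    if($Method.ReturnValue -ne 0)
    {
        Write-Warning "$computer : Win32_Process.Create returned $($Method.ReturnValue)"
    }

    # Allow time for the command to run
    sleep 10

    # Deletes the helper after the uninstall has been started
    Remove-Item \\$computer\c$\$muscle
}
--------------------------------------------------------------------------------
/System_Information/Get-SchedTasks2.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Script that returns scheduled tasks on a computer

.DESCRIPTION
This script uses the Schedule.Service COM-object to query the local or a remote computer in order to gather a formatted list including the Author, UserId and description of the task.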
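This information is parsed from the task's XML definition to provide a more human readable format

.PARAMETER Computername
The computer that will be queried by this script, local administrative permissions are required to query this information

.PARAMETER RootFolder
Only return tasks from the root task folder instead of walking every sub-folder.

.EXAMPLE
PS C:\> .\Get-ScheduledTask.ps1 -ComputerName server01

This command queries server01 and displays a formatted list of all scheduled tasks on that computer

.EXAMPLE
PS C:\> .\Get-ScheduledTask.ps1

This command queries localhost and displays a formatted list of all scheduled tasks on the local computer

.EXAMPLE
PS C:\> .\Get-ScheduledTask.ps1 -ComputerName server01 | Select-Object -Property Name,Trigger

This command queries server01 for scheduled tasks and displays only the TaskName and the assigned trigger(s)

.EXAMPLE
PS C:\> .\Get-ScheduledTask.ps1 | Where-Object {$_.Name -eq 'TaskName'} | Select-Object -ExpandProperty Trigger

This command queries the local system for a scheduled task named 'TaskName' and displays the expanded view of the assigned trigger(s)

.EXAMPLE
Get-Content C:\Servers.txt | ForEach-Object { .\Get-ScheduledTask.ps1 -ComputerName $_ }

Reads the contents of C:\Servers.txt and pipes the output to Get-ScheduledTask.ps1 and outputs the results to the console

.LINK
http://www.jaapbrasser.com


#>

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$RootFolder
)


#region Functions
# Emits the root task folder followed by every sub-folder (recursively) unless the
# -RootFolder switch is set. Relies on the script-scope $Schedule COM object.
function Get-AllTaskSubFolders {
    [cmdletbinding()]
    param (
        # Set to use $Schedule as default parameter so it automatically list all files
        # For current schedule object if it exists.
        $FolderRef = $Schedule.getfolder("\")
    )
    if ($FolderRef.Path -eq '\') {
        $FolderRef
    }
    if (-not $RootFolder) {
        $ArrFolders = @()
        if(($Folders = $folderRef.getfolders(1))) {
            $Folders | ForEach-Object {
                $ArrFolders += $_
                if($_.getfolders(1)) {
                    Get-AllTaskSubFolders -FolderRef $_
                }
            }
        }
        $ArrFolders
    }
}

# Returns every trigger element of the task's XML definition (one object per trigger type).
function Get-TaskTrigger {
    [cmdletbinding()]
    param (
        $Task
    )
    $Triggers = ([xml]$Task.xml).task.Triggers
    if ($Triggers) {
        $Triggers | Get-Member -MemberType Property | ForEach-Object {
            $Triggers.($_.Name)
        }
    }
}
#endregion Functions


try {
    $Schedule = New-Object -ComObject 'Schedule.Service'
} catch {
    Write-Warning "Schedule.Service COM Object not found, this script requires this object"
    return
}

# Bug fix: a failed connect (host down, access denied) left $Schedule unconnected and the
# getfolder call below failed with an unrelated error; report the cause and stop.
try {
    $Schedule.connect($Computername)
} catch {
    Write-Warning "Could not connect to the Task Scheduler service on $ComputerName : $($_.Exception.Message)"
    return
}
$AllFolders = Get-AllTaskSubFolders

foreach ($Folder in $AllFolders) {
    if (($Tasks = $Folder.GetTasks(1))) {
        $Tasks | Foreach-Object {
            New-Object -TypeName PSCustomObject -Property @{
                'Name' = $_.name
                'Path' = $_.path
                'State' = switch ($_.State) {
                    0 {'Unknown'}
                    1 {'Disabled'}
                    2 {'Queued'}
                    3 {'Ready'}
                    4 {'Running'}
                    Default {'Unknown'}
                }
                'Enabled' = $_.enabled
                'LastRunTime' = $_.lastruntime
                'LastTaskResult' = $_.lasttaskresult
                'NumberOfMissedRuns' = $_.numberofmissedruns
                'NextRunTime' = $_.nextruntime
                # Author and UserId come from the registration/principal sections of the task XML.
                'Author' = ([xml]$_.xml).Task.RegistrationInfo.Author
                'UserId' = ([xml]$_.xml).Task.Principals.Principal.UserID
                'Description' = ([xml]$_.xml).Task.RegistrationInfo.Description
                'Trigger' = Get-TaskTrigger -Task $_
                'ComputerName' = $Schedule.TargetServer
            }
        }
    }
}

--------------------------------------------------------------------------------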
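/Endgame/Deploy-Endgame_Sensor.ps1:
--------------------------------------------------------------------------------
#Requires -runasadministrator

<#
.SYNOPSIS
EndGame sensor deployment via PowerShell.

.PARAMETER ComputerName
Specify a single IP or a text file containing multiple IPs.

.PARAMETER API_Key
Specify the API key of the Endgame server (Administration > Sensor Management).

.PARAMETER Path
Specify path to EndGame sensor agent to install.

.EXAMPLE
.\Deploy-EndGame_Sensor.ps1 -ComputerName c:\users\blue\desktop\computers.txt -API_Key F4B2029D8E4EEA451520 -Path c:\users\blue\SensorInstaller.exe

Installing Endgame sensor on the specified IPs in computers.txt

.EXAMPLE
.\Deploy-EndGame_Sensor.ps1 -ComputerName 192.168.0.26 -API_Key F4B2029D8E4EEA451520 -Path c:\users\blue\SensorInstaller.exe

Installing Endgame sensor on a specific IP.

.OUTPUTS

.NOTES
Version: 1.0
Author: @wiredPulse or @Wired_Pulse
Creation Date: March 25, 2017

.LINK

#>

param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$API_Key,
    [Parameter(Mandatory=$true)][string]$Path
)

New-Item .\Endgame_Install_Results -ItemType directory -ErrorAction SilentlyContinue | Out-Null
# NOTE: every error in this script is suppressed; check _Log.txt and the per-host
# installer logs in Endgame_Install_Results for failures.
$ErrorActionPreference = "silentlycontinue"

# Leaf name of the installer as it will exist on each target's C:\.
$exe = $Path.split('\') | Select-Object -Last 1

# Helper that runs on each target. Bug fix: the original hard-coded an API key here and
# ignored -API_Key entirely. The key is stored in clear text in Endgame.ps1 (locally and on
# each target) and is visible on the installer's command line until both are cleaned up.
$full_path = "& 'c:\$exe' @('-k', '$($API_Key.Replace("'", "''"))', '-d', 'false', '-l', 'c:\e-installer.txt')"
$full_path | Out-File .\Endgame.ps1

# Stages the installer and the helper on each target's C$ share and starts the helper
# through WMI. Unreachable shares and failed WMI calls are written to _Log.txt.
function ENDGAME_CALL
{
    Write-Host "Installing agent on specified systems..." -ForegroundColor Cyan
    foreach($computer in $cpu)
    {
        # Copies the installer and helper only when the installer is not already on the target
        if (!(Test-Path "\\$computer\c$\$exe"))
        {
            if(!(Test-Path "\\$computer\c$\"))
            {
                "$computer : No connection path" >> .\Endgame_Install_Results\_Log.txt
                continue
            }
            Copy-Item $Path \\$computer\c$\ -Force -ErrorAction SilentlyContinue
            Copy-Item .\Endgame.ps1 \\$computer\c$\ -Force -ErrorAction SilentlyContinue
        }
        $proc = Invoke-WmiMethod -ComputerName $computer -Class Win32_Process -Name Create -ArgumentList "powershell /c c:\endgame.ps1"
        # Echoes the exit status when the remote process ends; the subscription stays registered for this session.
        $null = Register-WmiEvent -ComputerName $computer -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $computer -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"}
        if($null -eq $proc.ProcessId)
        {
            "$computer : Not accessible via WMI" >> .\Endgame_Install_Results\_Log.txt
        }
    }
    # Allow time for the installer to run before the logs are pulled back
    sleep 30
}


# Pulls each target's installer log back as <host>-installer.txt and removes the
# installer, the helper (which contains the API key) and the log from the target.
Function ENDGAME_RETRIEVE
{
    foreach($computer in $cpu)
    {
        # Copy straight to the final name instead of copy-then-rename
        Copy-Item \\$computer\c$\e-installer.txt ".\Endgame_Install_Results\$computer-installer.txt" -Force -ErrorAction SilentlyContinue
        Remove-Item \\$computer\c$\$exe -ErrorAction SilentlyContinue
        Remove-Item \\$computer\c$\endgame.ps1 -ErrorAction SilentlyContinue
        Remove-Item \\$computer\c$\e-installer.txt -ErrorAction SilentlyContinue
    }

    Write-Host "Retrieving installer logs from distant machine..." -ForegroundColor Cyan
    sleep 15
    # The local helper holds the API key in clear text; do not leave it behind.
    Remove-Item .\Endgame.ps1
}


# Parameters received at the start of running the script
if($ComputerName -like '*.txt')
{
    if(!(Test-Path $ComputerName))
    {
        Write-Error "Host list '$ComputerName' was not found"
        Remove-Item .\Endgame.ps1
        return
    }
    $cpu = Get-Content $ComputerName | Where-Object { $_.Trim() }
}
else
{
    # "-notcontains '.txt'" in the original was true for every value except ".txt" itself,
    # so the Echo branch was unreachable; a plain else covers the single-host case.
    $cpu = $ComputerName
}

if(!$cpu)
{
    Echo 'No IP or a file containing IPs were specified'
    Remove-Item .\Endgame.ps1
    return
}

endgame_call
endgame_retrieve



--------------------------------------------------------------------------------
/Registry/Get-RemoteRegHive.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
This script uses reg.exe (c:\windows\system32\reg.exe) to remotely save the SYSTEM, SOFTWARE, or SAM hive on the machine this script is run from. Once the hives are local
they can be run through RegRipper (or your favorite Registry parsing tool) to make them human-readable.

.PARAMETER ComputerName
Specify a single IP or a text file containing multiple IPs.

.PARAMETER Software_hive
Used to specify the script to get the software hive.


.PARAMETER System_hive
Used to specify the script to get the system hive.

.PARAMETER sam_hive
Used to specify the script to get the sam hive.

.PARAMETER CurrentUser_Hive
Used to specify the script to get the currentuser hive.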
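
.EXAMPLE
PS C:\> Get-RemoteRegHive.ps1 -ComputerName 172.16.155.201 -system_hive

Grabbing the system hive from 172.16.155.201.

.EXAMPLE
PS C:\> Get-RemoteRegHive.ps1 -ComputerName c:\users\blue\desktop\computers.txt -system_hive

Grabbing the system hive from the systems listed in computers.txt

#>

param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [switch]$System_Hive,
    [switch]$Software_Hive,
    [switch]$Sam_Hive,
    [switch]$CurrentUser_Hive
)


# Exactly one hive switch is required. The original let the last switch silently win
# and failed on .split() with a null $hive when none was given.
$chosen = @(@($System_Hive, $Software_Hive, $Sam_Hive, $CurrentUser_Hive) | Where-Object { $_.IsPresent })
if($chosen.Count -ne 1)
{
    Write-Error "Specify exactly one of -System_Hive, -Software_Hive, -Sam_Hive or -CurrentUser_Hive"
    return
}

# reg.exe command the target runs. The hive is written to the target's C:\ and pulled back
# over the C$ share; SYSTEM/SAM/SOFTWARE contain credential-related material, so keep the
# local Remote_Hives folder restricted and run this from a trusted host.
if($System_Hive)
{
    $hive = 'reg save hklm\system c:\system.hiv'
}

if($Software_Hive)
{
    $hive = 'reg save hklm\software c:\software.hiv'
}

if($Sam_Hive)
{
    $hive = 'reg save hklm\sam c:\sam.hiv'
}

if($CurrentUser_Hive)
{
    # NOTE(review): in a WMI-created process HKCU resolves to the hive of the account the
    # call runs as, not of an interactively logged-on user — confirm this is the hive wanted.
    $hive = 'reg save hkcu\ c:\hkcu.hiv'
}

# Local folder that receives one <host>-<hive>.hiv per target plus the WMI failure log.
$outDir = "c:\users\$env:USERNAME\desktop\Remote_Hives"
if(!(Test-Path $outDir))
{
    New-Item $outDir -ItemType directory | Out-Null
}

# Bug fix: the original deleted grabhive.ps1 from the desktop but wrote ".\GrabHive.ps1"
# with '>>', so when run from any other directory every earlier hive command was appended
# and executed again on the targets.
if (Test-Path .\GrabHive.ps1)
{
    Remove-Item .\GrabHive.ps1
}

# File name of the saved hive on the target (e.g. system.hiv), taken from the reg command.
$exe = $hive.split('\') | Select-Object -Last 1
"$hive" >> .\GrabHive.ps1


# Stages GrabHive.ps1 on each target's C$ share and runs it through WMI. Hosts that
# return no process id are written to _Log.txt. Reads the script-scope $cpu list.
Function Call
{
    foreach($computer in $cpu)
    {
        if(Test-Path \\$computer\c$\grabhive.ps1)
        {
            Remove-Item \\$comput
er\c$\grabhive.ps1
        }
        Copy-Item .\GrabHive.ps1 \\$computer\C$
        $proc = Invoke-WmiMethod -ComputerName $computer -Class Win32_Process -Name Create -ArgumentList "powershell /c c:\GrabHive.ps1"
        # Echoes the exit status when the remote process ends; the subscription stays registered for this session.
        $null = Register-WmiEvent -ComputerName $computer -Query "Select * from Win32_ProcessStopTrace Where ProcessID=$($proc.ProcessId)" -MessageData $computer -Action { Write-Host "$($Event.MessageData) Process ExitCode: $($event.SourceEventArgs.NewEvent.ExitStatus)"}
        if($null -eq $proc.ProcessId)
        {
            "$computer : Not accessible via WMI" >> "$outDir\_Log.txt"
        }
        Write-Host 'Process call initiated on'$computer'...' -ForegroundColor cyan
    }
    # Allow time for the command to run
    sleep 30
}


# Pulls each target's saved hive back as <host>-<hive> and removes the hive and the
# helper from the target, then the local helper.
Function retrieve
{
    foreach($computer in $cpu)
    {
        # Copy straight to the final name instead of copy-then-rename
        Copy-Item \\$computer\c$\$exe "$outDir\$computer-$exe"

        Remove-Item \\$computer\c$\$exe
        Remove-Item \\$computer\c$\grabhive.ps1
        Write-Host 'Pulling hive back from'$computer'...' -ForegroundColor green
    }
    Remove-Item .\GrabHive.ps1 -ErrorAction SilentlyContinue
}


# Parameters received at the start of running the script
if($ComputerName -like '*.txt')
{
    if(!(Test-Path $ComputerName))
    {
        Write-Error "Host list '$ComputerName' was not found"
        return
    }
    $cpu = Get-Content $ComputerName | Where-Object { $_.Trim() }
}
else
{
    # "-notcontains '.txt'" in the original was true for every value except ".txt" itself,
    # so the Echo branch was unreachable; a plain else covers the single-host case.
    $cpu = $ComputerName
}

if(!$cpu)
{
    Echo 'No IP or a file containing IPs were specified'
    return
}

Call
Retrieve

--------------------------------------------------------------------------------
/Registry/Get-NTUSER/Get-NTUSER.ps1:
--------------------------------------------------------------------------------
<#

.SYNOPSIS
Grabs NTUSER.dat on remote systems and stores it in .\Remote-NTUSER on this system.

.PARAMETER ComputerName
Specify a single IP or a text file containing multiple IPs.

.PARAMETER Path
Specify path to rawcopy.exe.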
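
.EXAMPLE
PS C:\> .\Get-NTUSER.ps1 -ComputerName 172.16.155.201 -Path C:\users\blue\Desktop\rawcopy.exe

Getting all the NTUSER.dat files for users on 172.16.155.201.

.NOTES
Collection runs as SYSTEM through WMI. RawCopy writes each hive to
C:\Users\Public on the target, a folder every local account can read, so the
copies are pulled back and deleted as soon as the remote process has exited.
Results are written to Remote-NTUSER on this user's desktop (the folder this
script creates); that folder is wiped at the start of every run.

.LINK
https://github.com/jschicht/RawCopy
#>


param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Path
)

# Basename of the RawCopy binary. It is used both for staging and inside the
# generated script; the original hard-coded c:\RawCopy.exe and silently did
# nothing when e.g. RawCopy64.exe was passed in -Path.
$exe = ($Path -split '\\')[-1]

# One output folder for everything. The original created the folder on the
# desktop but copied results into '.\Remote-NTUSER' relative to the current
# directory; under the global SilentlyContinue that copy failed quietly and the
# hives were then deleted from the target without ever having been retrieved.
$outDir       = "c:\users\$env:USERNAME\desktop\Remote-NTUSER"
$logFile      = Join-Path $outDir '_Log.txt'
$stagedScript = '.\ntuser.ps1'

if (Test-Path -LiteralPath $outDir) {
    Remove-Item -Path $outDir -Force -Recurse
}
New-Item -Path $outDir -ItemType Directory | Out-Null


# Script executed on each target. Profiles are skipped by folder name; the
# original passed -Exclude to gci, which matches the file name (NTUSER.DAT)
# and therefore excluded nothing. Each hive is renamed to
# <computer>-<profile>-NTUSER.dat so the copies from several hosts can coexist.
$remoteScript = @"
`$skip = @('public', 'all users', 'default', 'default user')
`$ntuser_list = (gci C:\users\*\NTUSER.DAT -force).directoryname | Where-Object { `$skip -notcontains (Split-Path -Leaf `$_) }
foreach(`$line in `$ntuser_list)
 {
    c:\$exe /fileNamePath:`$line\ntuser.dat /OutputPath:c:\users\public
    `$dir_name = Split-Path -Leaf `$line
    rename-item c:\users\public\ntuser.dat -NewName "`$env:COMPUTERNAME-`$dir_name-NTUSER.dat"
 }
"@
Set-Content -Path $stagedScript -Value $remoteScript


# Stage RawCopy and the collection script on $Computer and launch it via WMI.
# Returns the remote process id, or $null on failure (recorded in _Log.txt).
Function Start-RemoteCollection
{
    param([string]$Computer)

    $share = "\\$Computer\c`$"
    if (-not (Test-Path -LiteralPath "$share\")) {
        Add-Content -Path $logFile -Value "$Computer : No connection path"
        return $null
    }

    # Always refresh both files. The original copied only when the exe was
    # absent, so a stale ntuser.ps1 next to a leftover exe would be reused.
    Copy-Item -Path $Path -Destination "$share\" -Force -ErrorAction SilentlyContinue
    Copy-Item -Path $stagedScript -Destination "$share\" -Force -ErrorAction SilentlyContinue

    # -File with -ExecutionPolicy Bypass: 'powershell /c script.ps1' is subject
    # to the target's execution policy and silently does nothing under the
    # default 'Restricted'. A GPO-enforced MachinePolicy can still block this.
    $proc = Invoke-WmiMethod -ComputerName $Computer -Class Win32_Process -Name Create `
        -ArgumentList 'powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File c:\ntuser.ps1' `
        -ErrorAction SilentlyContinue

    if (-not $proc -or $null -eq $proc.ProcessId) {
        Add-Content -Path $logFile -Value "$Computer : Not accessible via WMI"
        return $null
    }
    return [int]$proc.ProcessId
}


# Poll until the remote process has exited or the timeout expires. Replaces the
# fixed 'sleep 60', which raced RawCopy on hosts with many profiles.
Function Wait-RemoteProcess
{
    param([string]$Computer, [int]$RemotePid, [int]$TimeoutSeconds = 300)

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $running = Get-WmiObject -ComputerName $Computer -Class Win32_Process `
            -Filter "ProcessId=$RemotePid" -ErrorAction SilentlyContinue
        if (-not $running) { return $true }
        Start-Sleep -Seconds 2
    }
    return $false
}


# Pull the renamed hives back from the target and remove them together with the
# staged binary and script. Cleanup is best-effort but always attempted, because
# the copies in Users\Public are readable by every local account on the target.
Function Get-RemoteCollection
{
    param([string]$Computer)

    $share  = "\\$Computer\c`$"
    $staged = "$share\users\public\*-ntuser.dat"

    if (Test-Path -Path $staged) {
        Copy-Item -Path $staged -Destination $outDir -Force -ErrorAction SilentlyContinue
    }
    else {
        Add-Content -Path $logFile -Value "$Computer : no NTUSER.dat copies were produced"
    }

    Remove-Item -Path $staged -ErrorAction SilentlyContinue
    Remove-Item -Path "$share\$exe" -ErrorAction SilentlyContinue
    Remove-Item -Path "$share\ntuser.ps1" -ErrorAction SilentlyContinue
}


# Build the target list: a .txt file with one host per line, or a single host.
# (The original's '-notcontains' treated the string as a collection, so its
# final 'else' branch was unreachable.)
if ($ComputerName -like '*.txt') {
    if (-not (Test-Path -LiteralPath $ComputerName)) {
        throw "Target list '$ComputerName' was not found."
    }
    $cpu = @(Get-Content -LiteralPath $ComputerName | Where-Object { $_.Trim() -ne '' })
}
else {
    $cpu = @($ComputerName)
}

if ($cpu.Count -eq 0) {
    throw 'No IP or a file containing IPs were specified'
}

write-host "Grabbing NTUSER.dat on specified system(s)..." -ForegroundColor Cyan
$remotePids = @{}
foreach ($computer in $cpu) {
    $remotePids[$computer] = Start-RemoteCollection -Computer $computer
}

write-host "Retrieving NTUSER.dat from distant machine(s)..." -ForegroundColor Cyan
foreach ($computer in $cpu) {
    if ($null -ne $remotePids[$computer]) {
        if (-not (Wait-RemoteProcess -Computer $computer -RemotePid $remotePids[$computer])) {
            Add-Content -Path $logFile -Value "$computer : collection still running after timeout; results may be incomplete"
        }
    }
    # Called for every host so a staged binary/script is removed even when the
    # WMI launch failed after the copy succeeded.
    Get-RemoteCollection -Computer $computer
}

Remove-Item -Path $stagedScript -ErrorAction SilentlyContinue
--------------------------------------------------------------------------------
/System_Information/Get-Autoruns/Get-Autoruns.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Deploys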
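SysInternals' Autoruns against remote systems and returns the data back to the local machine. The data is then merged together as a csv for easy parsing.

.PARAMETER ComputerName
Specify a single IP or a text file containing multiple IPs.

.PARAMETER Path
Specify path to the executable.

.EXAMPLE
PS C:\> .\Get-Autoruns.ps1 -ComputerName 172.16.155.201 -Path C:\users\blue\Desktop\autorunsc64.exe

Runs autoruns against 172.16.155.201.

.EXAMPLE
PS C:\> .\Get-Autoruns.ps1 -ComputerName .\computers.txt -Path C:\users\blue\Desktop\autorunsc64.exe

Runs autoruns against systems in the computers.txt file.

.NOTES
The binary named in -Path (autorunsc.exe or autorunsc64.exe) is staged in C:\
on each target and executed as SYSTEM through WMI. The column header used when
merging is hard-coded for the Autoruns build this was written against; if a
newer autorunsc emits extra columns the merged CSV will be misaligned, so
compare it against the tool's own header row before relying on it.

.LINK
https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
#>


param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Path
)

# Basename of the staged binary. The original hard-coded autorunsc64.exe, so
# passing the 32-bit autorunsc.exe copied one file and tried to run another.
$exe = ($Path -split '\\')[-1]

$outDir       = "c:\users\$env:USERNAME\desktop\Autoruns"
$logFile      = Join-Path $outDir '_Log.txt'
$stagedScript = '.\autoruns.ps1'

if (-not (Test-Path -LiteralPath $outDir)) {
    New-Item -Path $outDir -ItemType Directory | Out-Null
}
Remove-Item "c:\users\$env:USERNAME\desktop\autoruns.ps1" -ErrorAction SilentlyContinue

# Script executed on each target: accept the EULA, then dump every autostart
# location (-a *) except Microsoft-signed entries (-m) as CSV.
$remoteScript = @"
c:\$exe /accepteula
c:\$exe -a * -m -nobanner -c > c:\auto.csv
"@
Set-Content -Path $stagedScript -Value $remoteScript


# Stage the binary and script on $Computer and launch the script via WMI.
# Returns the remote process id, or $null on failure (recorded in _Log.txt).
Function Start-RemoteAutoruns
{
    param([string]$Computer)

    $share = "\\$Computer\c`$"

    # Clear leftovers from an earlier run before staging.
    Remove-Item -Path "$share\$exe" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$share\autoruns.ps1" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$share\auto.csv" -Force -ErrorAction SilentlyContinue

    try {
        Copy-Item -Path $Path -Destination "$share\" -Force -ErrorAction Stop
        Copy-Item -Path $stagedScript -Destination "$share\" -Force -ErrorAction Stop
    }
    catch {
        Add-Content -Path $logFile -Value "$Computer : Could not copy files over C`$ ($($_.Exception.Message))"
        return $null
    }

    # -File with -ExecutionPolicy Bypass: 'powershell /c script.ps1' is subject
    # to the target's execution policy and silently does nothing under the
    # default 'Restricted'. A GPO-enforced MachinePolicy can still block this.
    $proc = Invoke-WmiMethod -ComputerName $Computer -Class Win32_Process -Name Create `
        -ArgumentList 'powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File c:\autoruns.ps1' `
        -ErrorAction SilentlyContinue

    if (-not $proc -or $null -eq $proc.ProcessId) {
        Add-Content -Path $logFile -Value "$Computer : Not accessible via WMI"
        return $null
    }

    Write-Host 'Process call initiated on' $Computer'...' -ForegroundColor cyan
    return [int]$proc.ProcessId
}


# Poll until the remote process has exited or the timeout expires. Replaces the
# fixed 'sleep 45'; 'autorunsc -a *' on a busy host can take several minutes,
# and reading auto.csv early yields a truncated or missing file.
Function Wait-RemoteProcess
{
    param([string]$Computer, [int]$RemotePid, [int]$TimeoutSeconds = 600)

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $running = Get-WmiObject -ComputerName $Computer -Class Win32_Process `
            -Filter "ProcessId=$RemotePid" -ErrorAction SilentlyContinue
        if (-not $running) { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}


# Read auto.csv from the target, prefix every row with the host name, drop the
# tool's header row and write <host>_.txt locally; then clean up the target.
Function Get-AutorunsResult
{
    param([string]$Computer)

    $share     = "\\$Computer\c`$"
    $remoteCsv = "$share\auto.csv"
    $perHost   = Join-Path $outDir "${Computer}_.txt"

    if (Test-Path -LiteralPath $remoteCsv) {
        Get-Content -Path $remoteCsv |
            Select-Object -Skip 1 |
            ForEach-Object { $Computer + ',' + $_ } |
            Out-File -FilePath $perHost
        Write-Host 'Pulling data back from' $Computer'...' -ForegroundColor green
    }
    else {
        Add-Content -Path $logFile -Value "$Computer : auto.csv was not produced on the target"
    }

    # Best-effort cleanup of everything staged on the remote host.
    Remove-Item -Path "$share\autoruns.ps1" -ErrorAction SilentlyContinue
    Remove-Item -Path "$share\$exe" -ErrorAction SilentlyContinue
    Remove-Item -Path $remoteCsv -ErrorAction SilentlyContinue
}


# Merge the per-host files into autoruns.csv under a single header and delete
# the per-host files. The header is the Autoruns CSV layout this script was
# written against (see .NOTES).
Function Merge-AutorunsResults
{
    $header = 'System','Time','Entry Location','Entry','Enabled','Category','Profile','Description','Company','Image Path','Version','Launch String'
    $parts  = @(Get-ChildItem -Path (Join-Path $outDir '*_.txt'))
    if ($parts.Count -eq 0) {
        Write-Warning 'No per-host Autoruns results to merge.'
        return
    }

    $parts |
        ForEach-Object { Import-Csv -Path $_.FullName -Delimiter ',' -Header $header } |
        Export-Csv -Path (Join-Path $outDir 'autoruns.csv') -NoTypeInformation

    $parts | Remove-Item -ErrorAction SilentlyContinue
}


# Build the target list: a .txt file with one host per line, or a single host.
# (The original's '-notcontains' treated the string as a collection, so its
# final 'else' branch was unreachable.)
if ($ComputerName -like '*.txt') {
    if (-not (Test-Path -LiteralPath $ComputerName)) {
        throw "Target list '$ComputerName' was not found."
    }
    $computers = @(Get-Content -LiteralPath $ComputerName | Where-Object { $_.Trim() -ne '' })
}
else {
    $computers = @($ComputerName)
}

if ($computers.Count -eq 0) {
    throw 'No IP or a file containing IPs were specified'
}

$remotePids = @{}
foreach ($cpu in $computers) {
    $remotePids[$cpu] = Start-RemoteAutoruns -Computer $cpu
}

foreach ($cpu in $computers) {
    if ($null -ne $remotePids[$cpu]) {
        if (-not (Wait-RemoteProcess -Computer $cpu -RemotePid $remotePids[$cpu])) {
            Add-Content -Path $logFile -Value "$cpu : autorunsc still running after timeout; results may be incomplete"
        }
    }
    Get-AutorunsResult -Computer $cpu
}

Merge-AutorunsResults
Remove-Item -Path $stagedScript -ErrorAction SilentlyContinue
--------------------------------------------------------------------------------
/System_Information/Get-SigCheck/Get-SigCheck.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Deploys SysInternals' SigCheck against remote systems and returns the data back to the local machine. The data is then merged together as a csv for easy parsing.

.PARAMETER ComputerName
Specify a single IP or a text file containing multiple IPs.

.PARAMETER Path
Specify path to the executable.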
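
.EXAMPLE
PS C:\> .\Get-SigCheck.ps1 -ComputerName 172.16.155.201 -Path C:\users\blue\Desktop\sigcheck64.exe

Runs sigcheck against 172.16.155.201.

.EXAMPLE
PS C:\> .\Get-SigCheck.ps1 -ComputerName .\computers.txt -Path C:\users\blue\Desktop\sigcheck64.exe

Runs sigcheck against systems in the computers.txt file.

.NOTES
The binary named in -Path (sigcheck.exe or sigcheck64.exe) is staged in C:\ on
each target and executed as SYSTEM through WMI. The column header used when
merging is hard-coded for the SigCheck build this was written against; check it
against the tool's own header row if a newer release is deployed.

.LINK
https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
#>


param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$Path
)

# Basename of the staged binary. The original hard-coded SigCheck64.exe (and in
# one cleanup branch even removed autorunsc64.exe instead - a copy/paste slip).
$exe = ($Path -split '\\')[-1]

$outDir       = "c:\users\$env:USERNAME\desktop\SigCheck"
$logFile      = Join-Path $outDir '_Log.txt'
$stagedScript = '.\SigCheck.ps1'

if (-not (Test-Path -LiteralPath $outDir)) {
    New-Item -Path $outDir -ItemType Directory | Out-Null
}
Remove-Item "c:\users\$env:USERNAME\desktop\SigCheck.ps1" -ErrorAction SilentlyContinue

# Script executed on each target: accept the EULA, then emit extended version
# data (-a) and hashes (-h) as CSV.
# NOTE(review): sigcheck's usage takes a trailing <file or directory> argument
# and this invocation passes none - confirm on a test host that sig.csv holds
# rows rather than usage text, and add a target (e.g. '-s c:\windows\system32')
# if it does not.
$remoteScript = @"
c:\$exe /accepteula
c:\$exe -a -h -nobanner -c > c:\sig.csv
"@
Set-Content -Path $stagedScript -Value $remoteScript


# Stage the binary and script on $Computer and launch the script via WMI.
# Returns the remote process id, or $null on failure (recorded in _Log.txt).
Function Start-RemoteSigCheck
{
    param([string]$Computer)

    $share = "\\$Computer\c`$"

    # Clear leftovers from an earlier run before staging.
    Remove-Item -Path "$share\$exe" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$share\SigCheck.ps1" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$share\sig.csv" -Force -ErrorAction SilentlyContinue

    try {
        Copy-Item -Path $Path -Destination "$share\" -Force -ErrorAction Stop
        Copy-Item -Path $stagedScript -Destination "$share\" -Force -ErrorAction Stop
    }
    catch {
        Add-Content -Path $logFile -Value "$Computer : Could not copy files over C`$ ($($_.Exception.Message))"
        return $null
    }

    # -File with -ExecutionPolicy Bypass: 'powershell /c script.ps1' is subject
    # to the target's execution policy and silently does nothing under the
    # default 'Restricted'. A GPO-enforced MachinePolicy can still block this.
    $proc = Invoke-WmiMethod -ComputerName $Computer -Class Win32_Process -Name Create `
        -ArgumentList 'powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File c:\SigCheck.ps1' `
        -ErrorAction SilentlyContinue

    if (-not $proc -or $null -eq $proc.ProcessId) {
        Add-Content -Path $logFile -Value "$Computer : Not accessible via WMI"
        return $null
    }

    Write-Host 'Process call initiated on' $Computer'...' -ForegroundColor cyan
    return [int]$proc.ProcessId
}


# Poll until the remote process has exited or the timeout expires. Replaces the
# fixed 'sleep 45'; hashing a large tree can take well over a minute and reading
# sig.csv early yields a truncated or missing file.
Function Wait-RemoteProcess
{
    param([string]$Computer, [int]$RemotePid, [int]$TimeoutSeconds = 600)

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $running = Get-WmiObject -ComputerName $Computer -Class Win32_Process `
            -Filter "ProcessId=$RemotePid" -ErrorAction SilentlyContinue
        if (-not $running) { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}


# Read sig.csv from the target, prefix every row with the host name, drop the
# tool's header row and write <host>_.txt locally; then clean up the target.
Function Get-SigCheckResult
{
    param([string]$Computer)

    $share     = "\\$Computer\c`$"
    $remoteCsv = "$share\sig.csv"
    $perHost   = Join-Path $outDir "${Computer}_.txt"

    if (Test-Path -LiteralPath $remoteCsv) {
        Get-Content -Path $remoteCsv |
            Select-Object -Skip 1 |
            ForEach-Object { $Computer + ',' + $_ } |
            Out-File -FilePath $perHost
        Write-Host 'Pulling data back from' $Computer'...' -ForegroundColor green
    }
    else {
        Add-Content -Path $logFile -Value "$Computer : sig.csv was not produced on the target"
    }

    # Best-effort cleanup of everything staged on the remote host.
    Remove-Item -Path "$share\SigCheck.ps1" -ErrorAction SilentlyContinue
    Remove-Item -Path "$share\$exe" -ErrorAction SilentlyContinue
    Remove-Item -Path $remoteCsv -ErrorAction SilentlyContinue
}


# Merge the per-host files into SigCheck.csv under a single header and delete
# the per-host files. The header is the SigCheck CSV layout this script was
# written against (see .NOTES).
Function Merge-SigCheckResults
{
    $header = 'System','Path','Verified','Date','Publisher','Company','Description','Product','Product Version','File Version','Machine Type','Binary Version','Original Name','Internal Name','Copyright','Comments','Entropy','MD5','SHA1','PESHA1','PESHA256','SHA256','IMP'
    $parts  = @(Get-ChildItem -Path (Join-Path $outDir '*_.txt'))
    if ($parts.Count -eq 0) {
        Write-Warning 'No per-host SigCheck results to merge.'
        return
    }

    $parts |
        ForEach-Object { Import-Csv -Path $_.FullName -Delimiter ',' -Header $header } |
        Export-Csv -Path (Join-Path $outDir 'SigCheck.csv') -NoTypeInformation

    $parts | Remove-Item -ErrorAction SilentlyContinue
}


# Build the target list: a .txt file with one host per line, or a single host.
# (The original's '-notcontains' treated the string as a collection, so its
# final 'else' branch was unreachable.)
if ($ComputerName -like '*.txt') {
    if (-not (Test-Path -LiteralPath $ComputerName)) {
        throw "Target list '$ComputerName' was not found."
    }
    $computers = @(Get-Content -LiteralPath $ComputerName | Where-Object { $_.Trim() -ne '' })
}
else {
    $computers = @($ComputerName)
}

if ($computers.Count -eq 0) {
    throw 'No IP or a file containing IPs were specified'
}

$remotePids = @{}
foreach ($cpu in $computers) {
    $remotePids[$cpu] = Start-RemoteSigCheck -Computer $cpu
}

foreach ($cpu in $computers) {
    if ($null -ne $remotePids[$cpu]) {
        if (-not (Wait-RemoteProcess -Computer $cpu -RemotePid $remotePids[$cpu])) {
            Add-Content -Path $logFile -Value "$cpu : sigcheck still running after timeout; results may be incomplete"
        }
    }
    Get-SigCheckResult -Computer $cpu
}

Merge-SigCheckResults
Remove-Item -Path $stagedScript -ErrorAction SilentlyContinue
--------------------------------------------------------------------------------
/System_Information/Get-SoftwareInstallData.ps1:
--------------------------------------------------------------------------------
<#
.Synopsis
Generates a list of installed programs on a computer

.DESCRIPTION
This function generates a list by querying the registry and returning the installed programs of a local or remote computer.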
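
.PARAMETER ComputerName
The computer(s) whose Uninstall registry keys are read. Defaults to the local
machine and accepts pipeline input.

.PARAMETER Property
Additional values to be loaded from the registry. Can contain a string or an array of string that will be attempted to retrieve from the registry for each program entry

.PARAMETER ExcludeSimilar
This will filter out similar programnames, the default value is to filter on the first 3 words in a program name. If a program only consists of less words it is
excluded and it will not be filtered. For example if you Visual Studio 2015 installed it will list all the components individually, using -ExcludeSimilar will only
display the first entry.

.PARAMETER SimilarWord
This parameter only works when ExcludeSimilar is specified, it changes the default of first 3 words to any desired value.

.EXAMPLE
Get-SoftwareInstallData

Description:
Will generate a list of installed programs on local machine

.EXAMPLE
Get-SoftwareInstallData -ComputerName server01,server02

Description:
Will generate a list of installed programs on server01 and server02

.EXAMPLE
Get-SoftwareInstallData -ComputerName Server01 -Property DisplayVersion,VersionMajor

Description:
Will gather the list of programs from Server01 and attempts to retrieve the displayversion and versionmajor subkeys from the registry for each installed program

.EXAMPLE
'server01','server02' | Get-SoftwareInstallData -Property Uninstallstring

Description
Will retrieve the installed programs on server01/02 that are passed on to the function through the pipeline and also retrieves the uninstall string for each program

.EXAMPLE
'server01','server02' | Get-SoftwareInstallData -Property Uninstallstring -ExcludeSimilar -SimilarWord 4

Description
Will retrieve the installed programs on server01/02 that are passed on to the function through the pipeline and also retrieves the uninstall string for each program. Will
only display a single entry of a program of which the first four words are identical.

.EXAMPLE
'server01','server02' | Get-SoftwareInstallData -Property installdate

Description
Will retrieve the installed programs on server01/02 that are passed on to the function through the pipeline and also retrieves the install date string for each program

.NOTES
Reads HKLM\SOFTWARE\...\Uninstall (and the Wow6432Node mirror) through the
Remote Registry service, so the target must have that service running and the
caller needs read access to HKLM\SOFTWARE. Hosts that cannot be opened are
reported with Write-Warning and skipped instead of aborting the whole run.

.LINK
http://www.jaapbrasser.com
#>


[CmdletBinding(SupportsShouldProcess=$true)]
param(
    # No longer Mandatory: the original combined Mandatory with a default, which
    # makes PowerShell prompt and never use the default - contradicting the
    # 'Get-SoftwareInstallData' (no arguments) example above.
    [Parameter(ValueFromPipeline =$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0
    )]
    [string[]]
    $ComputerName = $env:COMPUTERNAME,
    # Position 1; the original also declared this at Position=0, colliding with ComputerName.
    [Parameter(Position=1)]
    [string[]]
    $Property,
    [switch]
    $ExcludeSimilar,
    [int]
    $SimilarWord
)

begin {
    $RegistryLocation = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\',
                        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\'
    $SelectProperty = @('ProgramName','ComputerName')
    if ($Property) {
        $SelectProperty += $Property
    }
    # Captures the first N words of a program name; used to group "similar"
    # entries when -ExcludeSimilar is set.
    if ($SimilarWord) {
        $Regex = [regex]"(^(.+?\s){$SimilarWord}).*$|(.*)"
    } else {
        $Regex = [regex]"(^(.+?\s){3}).*$|(.*)"
    }
}

process {
    foreach ($Computer in $ComputerName) {
        # OpenRemoteBaseKey throws on an unreachable host or a stopped Remote
        # Registry service; the original let that terminate the pipeline.
        try {
            $RegBase = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        }
        catch {
            Write-Warning "${Computer}: cannot open remote registry ($($_.Exception.Message))"
            continue
        }

        $Entries = foreach ($CurrentReg in $RegistryLocation) {
            $CurrentRegKey = $RegBase.OpenSubKey($CurrentReg)
            if (-not $CurrentRegKey) { continue }

            foreach ($SubKeyName in $CurrentRegKey.GetSubKeyNames()) {
                $SubKey = $RegBase.OpenSubKey("$CurrentReg$SubKeyName")
                if (-not $SubKey) { continue }

                $DisplayName = $SubKey.GetValue('DisplayName')
                if ($DisplayName) {
                    # Fresh hashtable per entry so a value that is missing on one
                    # program cannot carry over from the previous one.
                    $HashProperty = @{ ComputerName = $Computer; ProgramName = $DisplayName }
                    if ($Property) {
                        foreach ($CurrentProperty in $Property) {
                            $HashProperty.$CurrentProperty = $SubKey.GetValue($CurrentProperty)
                        }
                    }
                    New-Object -TypeName PSCustomObject -Property $HashProperty |
                        Select-Object -Property $SelectProperty
                }
                $SubKey.Close()
            }
            $CurrentRegKey.Close()
        }
        # Release the remote handle; the original never closed any key.
        $RegBase.Close()

        if ($ExcludeSimilar) {
            $Entries | Select-Object -Property *,@{
                name = 'GroupedName'
                expression = {
                    ($_.ProgramName -split $Regex)[1]
                }
            } |
            Group-Object -Property 'GroupedName' | ForEach-Object {
                $_.Group[0] | Select-Object -Property * -ExcludeProperty GroupedName
            }
        } else {
            $Entries
        }
    }
}
--------------------------------------------------------------------------------
/Eventlogs/Event_Queries.ps1:
--------------------------------------------------------------------------------
## Login/ logout
## new services
# RDP parser
<#
Enable necessary audit entries.
NOTE: this block changes the local audit policy and needs an elevated prompt;
it is a one-off configuration step, not part of the queries that follow.
#>

AUDITPOL /SET /SUBCATEGORY:"Process Creation" /SUCCESS:enable /FAILURE:enable
AUDITPOL /SET /SUBCATEGORY:"Logon" /SUCCESS:enable /FAILURE:enable
AUDITPOL /SET /SUBCATEGORY:"Logoff" /SUCCESS:enable /FAILURE:enable
AUDITPOL /SET /SUBCATEGORY:"Other Logon/Logoff Events" /SUCCESS:enable /FAILURE:enable
AUDITPOL /SET /SUBCATEGORY:"Other Object Access Events" /SUCCESS:enable /FAILURE:enable
AUDITPOL /SET /SUBCATEGORY:"User Account Management" /SUCCESS:enable /FAILURE:enable
AUDITPOL /SET /SUBCATEGORY:"Security Group Management" /SUCCESS:enable /FAILURE:enable
AUDITPOL /SET /SUBCATEGORY:"Security System Extension" /SUCCESS:enable /FAILURE:enable
# Event 4688 carries the CommandLine field only when this policy value is set;
# auditpol alone leaves the 'Commandline' column of the process-creation query empty.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f


<#
Login duration
#>
write-host -ForegroundColor yellow "[+] " -nonewline; write-host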
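-ForegroundColor cyan "Getting necessary logs...this may take a minute..."
$logon = Get-WinEvent -FilterHashtable @{logname='security';id='4624'} | Sort-Object timecreated
$logoff = Get-WinEvent -FilterHashtable @{logname='security';id='4634', '4647'}
write-host -ForegroundColor yellow "[+] " -nonewline; write-host -ForegroundColor cyan "Parsing events...this may take a minute..."

# Pair each logoff (4634/4647, TargetLogonId = value[3]) with its 4624
# (TargetLogonId = value[7]). The original compared every logoff against every
# logon (O(n*m)); index the logons by Logon ID once instead.
$logonById = @{}
foreach($evtOn in $logon){
    $id = $evtOn.properties.value[7]
    if($null -ne $id){
        if(-not $logonById.ContainsKey($id)){ $logonById[$id] = @() }
        $logonById[$id] += $evtOn
    }
}
# $obj holds the paired sessions; it is not displayed here - pipe it to ogv or Export-Csv as needed.
$obj = foreach($evtOff in $logoff){
    $id = $evtOff.properties.value[3]
    if($null -ne $id -and $logonById.ContainsKey($id)){
        foreach($evtOn in $logonById[$id]){
            [pscustomobject]@{
                Account = $evtOn.properties.value[5]   # TargetUserName
                Logon   = $evtOn.timecreated
                Logoff  = $evtOff.timecreated
            }
        }
    }
}


<#
Logins
Note: value[26] (ElevatedToken) only exists on Windows 10 / Server 2016 and
later, so 'Elevated' is blank for events from older systems.
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4624'} |
select timecreated,
@{Label="Account Name";Expression={$_.properties.value[5]}},
@{Label="LogonType";Expression={$_.properties.value[8]}},
@{Label="Process Name";Expression={$_.properties.value[17]}},
@{Label="Process ID";Expression={$_.properties.value[16]}},
@{Label="Elevated";Expression={if($_.properties.value[26] -eq '%%1842'){Write-Output "Yes"}elseif($_.properties.value[26] -eq '%%1843'){Write-Output "No"}}} | ogv


<#
Logoff
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4634'} |
select timecreated,
@{Label="Account Name";Expression={$_.properties.value[1]}}


<#
User sign out
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4647'} |
select timecreated,
@{Label="Account Name";Expression={$_.properties.value[1]}}

<#
New services
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4697'} |
select timecreated,
@{Label="Account Name";Expression={$_.properties.value[1]}},
@{Label="Service Name";Expression={$_.properties.value[4]}},
@{Label="Binary";Expression={$_.properties.value[5]}}

<#
User deleted
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4726'} |
select timecreated,
@{Label="Account Deleted";Expression={$_.properties.value[0]}},
@{Label="Actioned By";Expression={$_.properties.value[4]}}

<#
User created
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4720'} |
select timecreated,
@{Label="Account Created";Expression={$_.properties.value[0]}},
@{Label="Actioned By";Expression={$_.properties.value[4]}}


<#
User enabled
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4722'} |
select timecreated,
@{Label="Enabled Account";Expression={$_.properties.value[0]}},
@{Label="Actioned By";Expression={$_.properties.value[4]}}


<#
User disabled
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4725'} |
select timecreated,
@{Label="Disabled Account";Expression={$_.properties.value[0]}},
@{Label="Actioned By";Expression={$_.properties.value[4]}}


<#
User password reset attempt
(label fixed: the original said "Enabled Account" - copy/paste from 4722)
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4724'} |
select timecreated,
@{Label="Target Account";Expression={$_.properties.value[0]}},
@{Label="Actioned By";Expression={$_.properties.value[4]}}


<#
User account changed
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4738'} |
select timecreated,
@{Label="Actioned By";Expression={$_.properties.value[5]}},
@{Label="Target Account";Expression={$_.properties.value[1]}},
@{Label="Username";Expression={$_.properties.value[9]}},
@{Label="Display Name";Expression={$_.properties.value[10]}}


<#
User account disabled
(same query as 'User disabled' above, kept for the notebook's ordering)
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4725'} |
select timecreated,
@{Label="Disabled Account";Expression={$_.properties.value[0]}},
@{Label="Actioned By";Expression={$_.properties.value[4]}}


<#
User group membership removed (local group)
MemberName (value[0]) is usually '-' in 4733, so the member is resolved from
MemberSid (value[1]). The original built the CIM filter with broken quoting,
which never returned a name; translate the SID directly and fall back to the
raw SID when it cannot be resolved (deleted account, foreign domain).
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4733'} |
select timecreated,
@{Label="Group";Expression={$_.properties.value[2]}},
@{Label="Account Removed";Expression={
    $sid = "$($_.properties.value[1])"
    try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}},
@{Label="Actioned By";Expression={$_.properties.value[6]}}


<#
User group membership added (local group) - same layout as 4733
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4732'} |
select timecreated,
@{Label="Group";Expression={$_.properties.value[2]}},
@{Label="Account Added";Expression={
    $sid = "$($_.properties.value[1])"
    try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}},
@{Label="Actioned By";Expression={$_.properties.value[6]}}


<#
Process creations
'Commandline' is only populated when ProcessCreationIncludeCmdLine_Enabled is
set (see the audit-policy block at the top of this file).
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4688'} |
Select-Object timecreated,
@{Label="Account";Expression={$_.properties.value[1]}},
@{Label="Commandline";Expression={$_.properties.value[8]}},
@{Label="ParentProcess";Expression={$_.properties.value[13]}}


<#
System locked and unlocked
#>
Get-WinEvent -FilterHashtable @{logname='security';id='4800', 4801} |
Select-Object timecreated,
@{Label="Account";Expression={$_.properties.value[1]}},
@{Label="Action";Expression={if($_.id -eq "4800"){Write-Output "Locked"}else{Write-Output "Unlocked"}}}

--------------------------------------------------------------------------------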