├── .github └── workflows │ └── main.yml ├── Invoke-Demo.ps1 ├── LICENSE ├── README.md ├── Soap.psd1 ├── Soap.psm1 ├── Soap ├── Block-Traffic.ps1 ├── Clear-AuditPolicy.ps1 ├── Disable-Firewall.ps1 ├── Disable-IPv6.ps1 ├── Edit-Firewall.ps1 ├── Edit-Module.ps1 ├── Enable-IPv6.ps1 ├── Enable-WinRm.ps1 ├── Find-IpAddressInWindowsEventLog.ps1 ├── Get-AuditPolicy.ps1 ├── Get-AutoRuns.ps1 ├── Get-DiskSpace.ps1 ├── Get-DomainAdministrator.ps1 ├── Get-LocalAdministrator.ps1 ├── Get-ProcessByNetworkConnection.ps1 ├── Get-WinEventDns.ps1 ├── Get-WinEventFirewall.ps1 ├── Get-WinEventLogon.ps1 ├── Get-WinEventPowerShell.ps1 ├── Get-WinEventProcessCreation.ps1 ├── Get-WinEventService.ps1 ├── Get-WinEventUsb.ps1 ├── Get-WinEventWindowsDefender.ps1 ├── Get-WinRmClient.ps1 ├── Get-WordWheelQuery.ps1 ├── Read-WinEvent.ps1 ├── Set-AuditPolicy.ps1 ├── Start-AdAccountAudit.ps1 ├── Start-Eradication.ps1 └── Start-Heartbeat.ps1 └── Work-in-Progress ├── Get-DscResourcesRequired.ps1 ├── Get-EnterpriseVisbility.ps1 ├── Get-EventForwarder.ps1 ├── Get-EventViewer.ps1 ├── Get-Stig.ps1 ├── Get-WirelessNetAdapter.ps1 ├── Import-AdUsersFromCsv.ps1 ├── Install-Sysmon.ps1 ├── Invoke-SecurityBaseline.ps1 ├── New-Alert.ps1 ├── New-CustomViewsForSysmon.ps1 ├── Send-Alert.ps1 ├── Set-FirewallPolicy.ps1 ├── Start-AdBackup.ps1 ├── Start-Panic.ps1 └── Work-in-Progress.psm1 /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: Publish 2 | on: 3 | release: 4 | types: [published] 5 | jobs: 6 | Publish: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v3 10 | - name: Publish 11 | env: 12 | SECRET: ${{ secrets.POWERSHELLGALLERY }} 13 | shell: pwsh 14 | run: Publish-Module -Path "." 
-NuGetApiKey $env:SECRET -Verbose 15 | -------------------------------------------------------------------------------- /Invoke-Demo.ps1: -------------------------------------------------------------------------------- 1 | Import-Module .\Soap.psm1 2 | 3 | Get-WinEvent -FilterHashtable @{ Id = 4625; Logname = "Security" } | 4 | Read-WinEvent | 5 | Where-Object { $_.LogonType -eq 2 } | 6 | Select-Object -First 10 -Property TimeCreated, EventRecordId, TargetUserName, IpAddress -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Victor Fernandez III 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Soap 2 | ![GitHub](https://img.shields.io/github/license/cyberphor/Soap?color=Green) ![PowerShell Gallery](https://img.shields.io/powershellgallery/dt/Soap?color=Green&label=PowerShell%20Gallery%20Downloads) 3 | Soap is a PowerShell module with incident response and threat hunting functions. To install it, open PowerShell as an administrator and execute the command below. 4 | ```pwsh 5 | Install-Module -Name Soap 6 | ``` 7 | 8 | My favorite and most-used function provided by Soap is [Read-WinEvent](/Soap/Read-WinEvent.ps1). 9 | ```pwsh 10 | Get-WinEvent -FilterHashtable @{ Id = 4625; Logname = "Security" } | 11 | Read-WinEvent | 12 | Where-Object { $_.LogonType -eq 3 } | 13 | Select-Object -First 10 -Property TimeCreated, EventRecordId, TargetUserName, IpAddress 14 | 15 | TimeCreated EventRecordID TargetUserName IpAddress 16 | ----------- ------------- -------------- --------- 17 | 2023-01-26 10:28:51 6281781 Victor 192.168.1.23 18 | 2023-01-24 10:39:13 6263793 Dolores 156.74.251.21 19 | 2023-01-24 10:39:10 6263792 Dolores 156.74.251.21 20 | 2023-01-24 10:39:08 6263790 Dolores 156.74.251.21 21 | 2023-01-24 10:39:06 6263787 Dolores 156.74.251.21 22 | 2023-01-21 06:46:36 6255349 Dolores 156.74.251.21 23 | 2023-01-17 06:13:32 6223553 Hunter 156.74.251.21 24 | 2023-01-16 11:12:25 6218380 Hunter 156.74.251.21 25 | 2023-01-16 11:11:46 6218374 Hunter 156.74.251.21 26 | 2023-01-16 11:11:04 6218372 Hunter 156.74.251.21 27 | ``` 28 | 29 | ### Copyright 30 | This project is licensed under the terms of the [MIT license](/LICENSE). 
31 | -------------------------------------------------------------------------------- /Soap.psd1: -------------------------------------------------------------------------------- 1 | # 2 | # Module manifest for module 'Soap' 3 | # 4 | # Generated by: Victor Fernandez III 5 | # 6 | # Generated on: 8/19/2021 7 | # 8 | 9 | @{ 10 | 11 | # Script module or binary module file associated with this manifest. 12 | RootModule = 'Soap.psm1' 13 | 14 | # Version number of this module. 15 | ModuleVersion = '6.1.0' 16 | 17 | # Supported PSEditions 18 | # CompatiblePSEditions = @() 19 | 20 | # ID used to uniquely identify this module 21 | GUID = '1616eee9-d20f-4489-81dc-6db8c85db253' 22 | 23 | # Author of this module 24 | Author = 'Victor Fernandez III' 25 | 26 | # Company or vendor of this module 27 | CompanyName = 'cyberphor' 28 | 29 | # Copyright statement for this module 30 | Copyright = '(c) 2023 Victor Fernandez III. All rights reserved.' 31 | 32 | # Description of the functionality provided by this module 33 | Description = 'Soap is a PowerShell module for incident response and threat hunting.' 34 | 35 | # Minimum version of the Windows PowerShell engine required by this module 36 | # PowerShellVersion = '' 37 | 38 | # Name of the Windows PowerShell host required by this module 39 | # PowerShellHostName = '' 40 | 41 | # Minimum version of the Windows PowerShell host required by this module 42 | # PowerShellHostVersion = '' 43 | 44 | # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. 45 | # DotNetFrameworkVersion = '' 46 | 47 | # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. 
48 | # CLRVersion = '' 49 | 50 | # Processor architecture (None, X86, Amd64) required by this module 51 | # ProcessorArchitecture = '' 52 | 53 | # Modules that must be imported into the global environment prior to importing this module 54 | # RequiredModules = @() 55 | 56 | # Assemblies that must be loaded prior to importing this module 57 | # RequiredAssemblies = @() 58 | 59 | # Script files (.ps1) that are run in the caller's environment prior to importing this module. 60 | # ScriptsToProcess = @() 61 | 62 | # Type files (.ps1xml) to be loaded when importing this module 63 | # TypesToProcess = @() 64 | 65 | # Format files (.ps1xml) to be loaded when importing this module 66 | # FormatsToProcess = @() 67 | 68 | # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess 69 | #NestedModules = @() 70 | 71 | # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. 72 | FunctionsToExport = '*' 73 | 74 | # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. 75 | CmdletsToExport = '*' 76 | 77 | # Variables to export from this module 78 | VariablesToExport = '*' 79 | 80 | # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. 81 | AliasesToExport = '*' 82 | 83 | # DSC resources to export from this module 84 | # DscResourcesToExport = @() 85 | 86 | # List of all modules packaged with this module 87 | # ModuleList = @() 88 | 89 | # List of all files packaged with this module 90 | # FileList = @() 91 | 92 | # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. 
93 | PrivateData = @{ 94 | 95 | PSData = @{ 96 | 97 | # Tags applied to this module. These help with module discovery in online galleries. 98 | # Tags = @() 99 | 100 | # A URL to the license for this module. 101 | # LicenseUri = '' 102 | 103 | # A URL to the main website for this project. 104 | # ProjectUri = '' 105 | 106 | # A URL to an icon representing this module. 107 | # IconUri = '' 108 | 109 | # ReleaseNotes of this module 110 | # ReleaseNotes = '' 111 | 112 | } # End of PSData hashtable 113 | 114 | } # End of PrivateData hashtable 115 | 116 | # HelpInfo URI of this module 117 | # HelpInfoURI = '' 118 | 119 | # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. 120 | # DefaultCommandPrefix = '' 121 | 122 | } 123 | -------------------------------------------------------------------------------- /Soap.psm1: -------------------------------------------------------------------------------- 1 | . $PSScriptRoot\Soap\Block-Traffic.ps1 2 | . $PSScriptRoot\Soap\Clear-AuditPolicy.ps1 3 | . $PSScriptRoot\Soap\Disable-Firewall.ps1 4 | . $PSScriptRoot\Soap\Disable-IPv6.ps1 5 | . $PSScriptRoot\Soap\Edit-Firewall.ps1 6 | . $PSScriptRoot\Soap\Edit-Module.ps1 7 | . $PSScriptRoot\Soap\Enable-IPv6.ps1 8 | . $PSScriptRoot\Soap\Enable-WinRm.ps1 9 | . $PSScriptRoot\Soap\Find-IpAddressInWindowsEventLog.ps1 10 | . $PSScriptRoot\Soap\Get-AuditPolicy.ps1 11 | . $PSScriptRoot\Soap\Get-AutoRuns.ps1 12 | . $PSScriptRoot\Soap\Get-DiskSpace.ps1 13 | . $PSScriptRoot\Soap\Get-DomainAdministrator.ps1 14 | . $PSScriptRoot\Soap\Get-LocalAdministrator.ps1 15 | . $PSScriptRoot\Soap\Get-ProcessByNetworkConnection.ps1 16 | . $PSScriptRoot\Soap\Get-WinEventDns.ps1 17 | . $PSScriptRoot\Soap\Get-WinEventFirewall.ps1 18 | . $PSScriptRoot\Soap\Get-WinEventLogon.ps1 19 | . $PSScriptRoot\Soap\Get-WinEventPowerShell.ps1 20 | . $PSScriptRoot\Soap\Get-WinEventProcessCreation.ps1 21 | . $PSScriptRoot\Soap\Get-WinEventService.ps1 22 | . 
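$PSScriptRoot\Soap\Get-WinEventUsb.ps1
. $PSScriptRoot\Soap\Get-WinEventWindowsDefender.ps1
. $PSScriptRoot\Soap\Get-WinRmClient.ps1
. $PSScriptRoot\Soap\Get-WordWheelQuery.ps1
. $PSScriptRoot\Soap\Read-WinEvent.ps1
. $PSScriptRoot\Soap\Set-AuditPolicy.ps1
. $PSScriptRoot\Soap\Start-AdAccountAudit.ps1
. $PSScriptRoot\Soap\Start-Eradication.ps1
. $PSScriptRoot\Soap\Start-Heartbeat.ps1
--------------------------------------------------------------------------------
/Soap/Block-Traffic.ps1:
--------------------------------------------------------------------------------
function Block-Traffic {
    <#
    .SYNOPSIS
    Blocks network traffic destined to the provided IP address and/or port.

    .DESCRIPTION
    Adds an outbound "Block" rule to the local Windows Firewall policy so network traffic destined to the provided IP address and/or port is blocked.

    .PARAMETER Protocol
    Specifies the protocol to block. Defaults to "Any".

    .PARAMETER IpAddress
    Specifies the remote IP address to block traffic to.

    .PARAMETER Port
    Specifies the remote port to block traffic to. Defaults to "Any".

    .INPUTS
    None. You cannot pipe objects to this function.

    .OUTPUTS
    None.

    .EXAMPLE
    PS> Block-Traffic -Protocol UDP -IpAddress 8.8.8.8 -Port 53

    .LINK
    https://github.com/cyberphor/Soap
    #>
    Param(
        [ValidateSet("Any","TCP","UDP","ICMPv4","ICMPv6")][string]$Protocol = "Any",
        [Parameter(Mandatory)][ipaddress]$IpAddress,
        $Port = "Any"
    )
    # -RemotePort must receive $Port: the original passed $RemotePort, a variable this
    # function never assigns, so the requested port was never applied to the rule.
    New-NetFirewallRule `
        -DisplayName "Block '$Protocol' traffic to '$Port' port on $IpAddress" `
        -Direction Outbound `
        -Protocol $Protocol `
        -RemoteAddress $IpAddress `
        -RemotePort $Port `
        -Action Block
}
--------------------------------------------------------------------------------
/Soap/Clear-AuditPolicy.ps1:
--------------------------------------------------------------------------------
function Clear-AuditPolicy {
    <#
    .SYNOPSIS
    Clears the local audit policy.

    .DESCRIPTION
    Uses "auditpol.exe" to clear the local audit (logging) policy.

    .INPUTS
    None. You cannot pipe objects to this function.

    .OUTPUTS
    None.

    .EXAMPLE
    PS> Clear-AuditPolicy

    .LINK
    https://github.com/cyberphor/Soap
    #>
    # Invoke auditpol.exe directly (as Set-AuditPolicy does) instead of through Start-Process:
    # the call then blocks until the policy is cleared and the tool's exit code is left in
    # $LASTEXITCODE for the caller to inspect.
    auditpol.exe /clear /y
}
--------------------------------------------------------------------------------
/Soap/Disable-Firewall.ps1:
--------------------------------------------------------------------------------
function Disable-Firewall {
    <#
    .SYNOPSIS
    Disables the firewall.

    .DESCRIPTION
    Disables the domain, public, and private firewall profile.

    .INPUTS
    None. This function does not accept piped objects.

    .OUTPUTS
    None.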
14 | 15 | .EXAMPLE 16 | PS> Disable-Firewall 17 | 18 | .LINK 19 | https://github.com/cyberphor/Soap 20 | #> 21 | Set-NetFirewallProfile -Name domain,public,private -Enabled False 22 | } -------------------------------------------------------------------------------- /Soap/Disable-IPv6.ps1: -------------------------------------------------------------------------------- 1 | function Disable-IPv6 { 2 | <# 3 | .SYNOPSIS 4 | Disables IPv6. 5 | 6 | .DESCRIPTION 7 | Disables IPv6 binding on all network adapters. 8 | 9 | .INPUTS 10 | None. This function does not accept piped objects. 11 | 12 | .OUTPUTS 13 | None. 14 | 15 | .EXAMPLE 16 | PS> Disable-Firewall 17 | 18 | .LINK 19 | https://github.com/cyberphor/Soap 20 | #> 21 | Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6 22 | } -------------------------------------------------------------------------------- /Soap/Edit-Firewall.ps1: -------------------------------------------------------------------------------- 1 | function Enable-Firewall { 2 | <# 3 | .SYNOPSIS 4 | Enables the firewall. 5 | 6 | .DESCRIPTION 7 | Enables the domain, public, and private firewall profile. 8 | 9 | .INPUTS 10 | None. This function does not accept piped objects. 11 | 12 | .OUTPUTS 13 | None. 14 | 15 | .EXAMPLE 16 | PS> Enable-Firewall 17 | 18 | .LINK 19 | https://github.com/cyberphor/Soap 20 | #> 21 | Set-NetFirewallProfile -Name domain,public,private -Enabled true 22 | } -------------------------------------------------------------------------------- /Soap/Edit-Module.ps1: -------------------------------------------------------------------------------- 1 | function Edit-Module { 2 | <# 3 | .SYNOPSIS 4 | Opens the specified PowerShell module using PowerShell ISE. 5 | 6 | .DESCRIPTION 7 | Opens the specified PowerShell script module file (.psm1) using PowerShell ISE. 8 | 9 | .INPUTS 10 | None. This function does not accept piped objects. 11 | 12 | .OUTPUTS 13 | None. 
14 | 15 | .EXAMPLE 16 | PS> Edit-Module "soap" 17 | 18 | .LINK 19 | https://github.com/cyberphor/Soap 20 | #> 21 | Param([Parameter(Mandatory)][string]$Name) 22 | $Module = Get-Module | Where-Object { $_.Path -like "*$Name.psm1" } 23 | if ($Module) { 24 | ise $Module.Path 25 | } else { 26 | Write-Error "A module called '$Name' does not exist." 27 | } 28 | } -------------------------------------------------------------------------------- /Soap/Enable-IPv6.ps1: -------------------------------------------------------------------------------- 1 | function Enable-IPv6 { 2 | <# 3 | .SYNOPSIS 4 | Enables IPv6. 5 | 6 | .DESCRIPTION 7 | Enables IPv6 binding for on network adapters. 8 | 9 | .INPUTS 10 | None. This function does not accept piped objects. 11 | 12 | .OUTPUTS 13 | None. 14 | 15 | .EXAMPLE 16 | PS> Disable-Firewall 17 | 18 | .LINK 19 | https://github.com/cyberphor/Soap 20 | #> 21 | Enable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6 22 | } -------------------------------------------------------------------------------- /Soap/Enable-WinRm.ps1: -------------------------------------------------------------------------------- 1 | function Enable-WinRm { 2 | param([Parameter(Mandatory)]$ComputerName) 3 | $Expression = "wmic /node:$ComputerName process call create 'winrm quickconfig'" 4 | Invoke-Expression $Expression 5 | #Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c 'winrm qc'" 6 | } -------------------------------------------------------------------------------- /Soap/Find-IpAddressInWindowsEventLog.ps1: -------------------------------------------------------------------------------- 1 | function Find-IpAddressInWindowsEventLog { 2 | param( 3 | [string]$IpAddress 4 | ) 5 | $FilterHashTable = @{ 6 | LogName = "Security" 7 | Id = 5156 8 | } 9 | Get-WinEvent -FilterHashtable $FilterHashTable | 10 | Read-WinEvent | 11 | Where-Object { 12 | ($_.DestAddress -eq $IpAddress) -or 13 | ($_.SourceAddress -eq $IpAddress) } | 14 | 
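Select-Object TimeCreated, EventRecordId, SourceAddress, DestAddress
}
--------------------------------------------------------------------------------
/Soap/Get-AuditPolicy.ps1:
--------------------------------------------------------------------------------
function Get-AuditPolicy {
    <#
    .SYNOPSIS
    Lists the local audit policy setting of each audit subcategory.

    .DESCRIPTION
    Runs "auditpol.exe /get /category:<name>" for each requested category, parses its table output and emits one object per subcategory.

    .PARAMETER Category
    One or more audit categories to query. When omitted, all nine categories are queried.

    .OUTPUTS
    PSCustomObject with Subcategory and Setting properties.

    .EXAMPLE
    PS> Get-AuditPolicy -Category "Logon/Logoff"
    #>
    Param(
        [ValidateSet("System", "Logon/Logoff", "Object Access", "Privilege Use", "Detailed Tracking",
                     "Policy Change", "Account Management", "DS Access", "Account Logon")]
        $Category
    )
    $AllCategories = "System", "Logon/Logoff", "Object Access", "Privilege Use", "Detailed Tracking",
                     "Policy Change", "Account Management", "DS Access", "Account Logon"
    if ($null -eq $Category) {
        $Category = $AllCategories
    }
    foreach ($Name in $Category) {
        # The category is passed as one argument and PowerShell quotes it for auditpol.exe,
        # so the Invoke-Expression round-trip of the original (which evaluated the command
        # text as code) is not needed. ValidateSet already restricts $Name to known values.
        $Lines = & auditpol.exe /get "/category:$Name"
        # Ordered so subcategories come out in auditpol's own order.
        $Policy = [ordered]@{}
        # The first three output lines are headers, not subcategory rows; each row is
        # "<Subcategory>   <Setting>" with the two columns separated by two or more spaces.
        ($Lines -split "`r" -match "\S" | Select-Object -Skip 3).Trim() |
        Where-Object { $_ } |
        ForEach-Object {
            $Columns = $_ -replace "\s{2,}", "," -split ","
            $Policy[$Columns[0]] = $Columns[1]
        }
        foreach ($Entry in $Policy.GetEnumerator()) {
            [PSCustomObject]@{
                Subcategory = $Entry.Key
                Setting     = $Entry.Value
            }
        }
    }
}
--------------------------------------------------------------------------------
/Soap/Get-AutoRuns.ps1:
--------------------------------------------------------------------------------
function Get-AutoRuns {
    <#
    .SYNOPSIS
    Lists programs registered to start automatically via well-known registry locations.

    .DESCRIPTION
    Enumerates the values under common Run/RunOnce/RunServices/Policies keys in HKLM and HKCU, plus the Winlogon Userinit and Shell values, and returns a hashtable of value name -> data. Keys that do not exist are skipped.

    .OUTPUTS
    System.Collections.Hashtable

    .EXAMPLE
    PS> Get-AutoRuns
    #>
    # All paths use the PowerShell registry-drive form ("HKLM:\..."). The original list mixed
    # in "HKLM\..." (no drive colon) and "Winlogon\\Shell" spellings, which Test-Path does
    # not resolve, so those entries were silently skipped.
    $RegistryKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce",
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"
    )
    # Userinit and Shell are values of the Winlogon key, not subkeys (the original listed them
    # as key paths, which never resolve), so they are read by value name.
    $WinlogonKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
        "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    )
    $WinlogonValues = "Userinit", "Shell"

    $AutoRunsFound = @{}
    # Records one entry. A value name already seen under another key is stored with the key
    # appended, so an HKCU entry with the same name as an HKLM one is not lost (the original
    # Hashtable.Add threw on the duplicate).
    function Add-AutoRun ([string]$Key, [string]$ValueName, $Data) {
        $Label = if ($AutoRunsFound.ContainsKey($ValueName)) { "$ValueName ($Key)" } else { $ValueName }
        $AutoRunsFound[$Label] = $Data
    }
    foreach ($RegistryKey in $RegistryKeys) {
        if (-not (Test-Path $RegistryKey)) { continue }
        $Item = Get-Item $RegistryKey
        foreach ($App in $Item.Property) {
            Add-AutoRun -Key $RegistryKey -ValueName $App -Data $Item.GetValue($App)
        }
    }
    foreach ($RegistryKey in $WinlogonKeys) {
        if (-not (Test-Path $RegistryKey)) { continue }
        $Item = Get-Item $RegistryKey
        foreach ($App in $WinlogonValues) {
            if ($Item.Property -contains $App) {
                Add-AutoRun -Key $RegistryKey -ValueName $App -Data $Item.GetValue($App)
            }
        }
    }
    return $AutoRunsFound
}
--------------------------------------------------------------------------------
/Soap/Get-DiskSpace.ps1:
--------------------------------------------------------------------------------
function Get-DiskSpace {
    <#
    .SYNOPSIS
    Reports free and total space of each logical disk.

    .DESCRIPTION
    Queries Win32_LogicalDisk via CIM and emits one object per disk with DriveLetter, FreeSpace (GB), TotalSpace (GB) and SerialNumber. Sizes are formatted to two decimals.

    .OUTPUTS
    Selected.Microsoft.Management.Infrastructure.CimInstance
    #>
    $Columns = @(
        @{ Label = 'DriveLetter';     Expression = { $_.Name } },
        @{ Label = 'FreeSpace (GB)';  Expression = { ($_.FreeSpace / 1GB).ToString('F2') } },
        @{ Label = 'TotalSpace (GB)'; Expression = { ($_.Size / 1GB).ToString('F2') } },
        @{ Label = 'SerialNumber';    Expression = { $_.VolumeSerialNumber } }
    )
    Get-CimInstance -Class Win32_LogicalDisk | Select-Object -Property $Columns
}
--------------------------------------------------------------------------------
/Soap/Get-DomainAdministrator.ps1: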
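--------------------------------------------------------------------------------
function Get-DomainAdministrator {
    <#
    .SYNOPSIS
    Lists the members of the "Domain Admins" group.

    .DESCRIPTION
    Wraps Get-AdGroupMember and prints Name, SamAccountName and Sid as a table. The result passes through Format-Table, so it is for display only; call Get-AdGroupMember directly when objects are needed.
    #>
    Get-AdGroupMember -Identity "Domain Admins" |
    Select-Object -Property Name, SamAccountName, Sid |
    Format-Table -AutoSize
}
--------------------------------------------------------------------------------
/Soap/Get-LocalAdministrator.ps1:
--------------------------------------------------------------------------------
function Get-LocalAdministrator {
    <#
    .SYNOPSIS
    Lists the members of the local Administrators group.

    .DESCRIPTION
    Parses the output of "net localgroup administrators" and emits one object per member with a Name property.

    .EXAMPLE
    Get-LocalAdministrator
    Name
    ----
    Administrator
    Cristal
    Victor

    .EXAMPLE
    $Computers = (Get-AdComputer -Filter *).Name
    Invoke-Command -ComputerName $Computers -ScriptBlock ${function:Get-LocalAdministrator} |
    Select-Object Name, PsComputerName
    #>
    # The first four non-empty output lines are headers and the last is a status line;
    # both are dropped so only member names remain.
    $Output = net localgroup administrators | Out-String
    $Output.Split([Environment]::NewLine, [StringSplitOptions]::RemoveEmptyEntries) |
    Select-Object -Skip 4 |
    Select-String -Pattern "The command completed successfully." -NotMatch |
    ForEach-Object {
        New-Object -TypeName PSObject -Property @{ Name = $_ }
    }
}
--------------------------------------------------------------------------------
/Soap/Get-ProcessByNetworkConnection.ps1:
--------------------------------------------------------------------------------
function Get-ProcessByNetworkConnection {
    <#
    .SYNOPSIS
    Shows established TCP connections together with their owning process.

    .DESCRIPTION
    Joins Get-NetTCPConnection -State Established with Get-Process -IncludeUserName on the process id, excluding loopback connections, and prints a table sorted by ProcessId. The result is for display only (Format-Table).
    #>
    $Connections = Get-NetTCPConnection -State Established
    Get-Process -IncludeUserName |
    ForEach-Object {
        $Process = $_
        $Connections |
        Where-Object {
            $_.LocalAddress -ne "::1" -and
            $_.LocalAddress -ne "127.0.0.1" -and
            $_.OwningProcess -eq $Process.Id
        } |
        Select-Object `
            @{ Name = "Username"; Expression = { $Process.UserName } },
            @{ Name = "ProcessId"; Expression = { $_.OwningProcess } },
            @{ Name = "ProcessName"; Expression = { $Process.ProcessName } },
            LocalAddress, LocalPort, RemoteAddress, RemotePort,
            @{ Name = "Path"; Expression = { $Process.Path } }
    } |
    Sort-Object -Property ProcessId |
    Format-Table -AutoSize
}
--------------------------------------------------------------------------------
/Soap/Get-WinEventDns.ps1:
--------------------------------------------------------------------------------
function Get-WinEventDns {
    <#
    .SYNOPSIS
    Summarizes DNS client queries (Microsoft-Windows-DNS-Client/Operational, event 3006).

    .PARAMETER Whitelist
    Path to a text file of query names to exclude, one per line.

    .PARAMETER Verbose
    Emit the individual events instead of a per-QueryName count table. Named like the common parameter, but without [CmdletBinding()] it is an ordinary switch here.
    #>
    Param(
        [string]$Whitelist,
        [switch]$Verbose
    )
    $Exclusions = @()
    if ($Whitelist) {
        $Exclusions = Get-Content $Whitelist -ErrorAction Stop
    }
    $Events = Get-WinEvent -FilterHashtable @{
        LogName = "Microsoft-Windows-DNS-Client/Operational"
        Id = 3006
    } | Read-WinEvent | Where-Object { $_.QueryName -notin $Exclusions }
    if ($Verbose) {
        $Events
    } else {
        $Events |
        Group-Object -Property QueryName -NoElement |
        Sort-Object -Property Count -Descending |
        Format-Table -AutoSize
    }
}
--------------------------------------------------------------------------------
/Soap/Get-WinEventFirewall.ps1:
--------------------------------------------------------------------------------
function Get-WinEventFirewall {
    <#
    .SYNOPSIS
    Summarizes Windows Filtering Platform connection events (Security log, event 5156).

    .PARAMETER Direction
    Which address field to filter and group on: "SourceAddress" or "DestAddress" (default).

    .PARAMETER Whitelist
    Path to a text file of addresses to exclude, one per line.

    .PARAMETER Verbose
    Emit the individual events instead of a per-address count table. Named like the common parameter, but without [CmdletBinding()] it is an ordinary switch here.
    #>
    Param(
        [ValidateSet("SourceAddress","DestAddress")]$Direction = "DestAddress",
        [string]$Whitelist,
        [switch]$Verbose
    )
    $Exclusions = @()
    if ($Whitelist) {
        $Exclusions = Get-Content $Whitelist -ErrorAction Stop
    }
    $Events = Get-WinEvent -FilterHashtable @{
        LogName = "Security"
        Id = 5156
    } | Read-WinEvent | Where-Object { $_.$Direction -notin $Exclusions }
    if ($Verbose) {
        $Events
    } else {
        $Events |
        Group-Object -Property $Direction -NoElement |
        Sort-Object -Property Count -Descending |
        Format-Table -AutoSize
    }
}
--------------------------------------------------------------------------------
/Soap/Get-WinEventLogon.ps1:
--------------------------------------------------------------------------------
function Get-WinEventLogon {
    <#
    .SYNOPSIS
    Summarizes logon events (Security log; 4625 for failed, 4624 for successful logons).

    .PARAMETER Type
    "Failed" (default) or "Successful".

    .PARAMETER Verbose
    Emit the individual events instead of a per-TargetUserName count table. Named like the common parameter, but without [CmdletBinding()] it is an ordinary switch here.
    #>
    Param(
        [ValidateSet("Failed","Successful")]$Type = "Failed",
        [switch]$Verbose
    )
    $EventIdByType = @{ Failed = 4625; Successful = 4624 }
    $Events = Get-WinEvent -FilterHashtable @{
        LogName = "Security"
        Id = $EventIdByType[$Type]
    } | Read-WinEvent
    if ($Verbose) {
        $Events
    } else {
        $Events |
        Group-Object -Property TargetUserName -NoElement |
        Sort-Object -Property Count -Descending |
        Format-Table -AutoSize
    }
}
--------------------------------------------------------------------------------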
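/Soap/Get-WinEventPowerShell.ps1:
--------------------------------------------------------------------------------
function Get-WinEventPowerShell {
    <#
    .SYNOPSIS
    Summarizes PowerShell script block logging events (Microsoft-Windows-PowerShell/Operational, event 4104).

    .PARAMETER Whitelist
    Path to a text file of script block texts to exclude, one per line.

    .PARAMETER Verbose
    Emit the individual events instead of a per-ScriptBlockText count table. Named like the common parameter, but without [CmdletBinding()] it is an ordinary switch here.
    #>
    Param(
        [string]$Whitelist,
        [switch]$Verbose
    )
    $Exclusions = @()
    if ($Whitelist) {
        $Exclusions = Get-Content $Whitelist -ErrorAction Stop
    }
    $Events = Get-WinEvent -FilterHashtable @{
        LogName = "Microsoft-Windows-PowerShell/Operational"
        Id = 4104
    } | Read-WinEvent | Where-Object { $_.ScriptBlockText -notin $Exclusions }
    if ($Verbose) {
        $Events
    } else {
        $Events |
        Group-Object -Property ScriptBlockText -NoElement |
        Sort-Object -Property Count -Descending |
        Format-Table -AutoSize
    }
}
--------------------------------------------------------------------------------
/Soap/Get-WinEventProcessCreation.ps1:
--------------------------------------------------------------------------------
function Get-WinEventProcessCreation {
    <#
    .SYNOPSIS
    Summarizes process creation events (Security log, event 4688).

    .PARAMETER Whitelist
    Path to a text file of process paths to exclude, one per line.

    .PARAMETER Verbose
    Emit the individual events instead of a per-NewProcessName count table. Named like the common parameter, but without [CmdletBinding()] it is an ordinary switch here.
    #>
    Param(
        [string]$Whitelist,
        [switch]$Verbose
    )
    $Exclusions = @()
    if ($Whitelist) {
        $Exclusions = Get-Content $Whitelist -ErrorAction Stop
    }
    $Events = Get-WinEvent -FilterHashtable @{
        LogName = "Security"
        Id = 4688
    } | Read-WinEvent | Where-Object { $_.NewProcessName -notin $Exclusions }
    if ($Verbose) {
        $Events
    } else {
        $Events |
        Group-Object -Property NewProcessName -NoElement |
        Sort-Object -Property Count -Descending |
        Format-Table -AutoSize
    }
}
--------------------------------------------------------------------------------
/Soap/Get-WinEventService.ps1:
--------------------------------------------------------------------------------
function Get-WinEventService {
    <#
    .SYNOPSIS
    Summarizes service installation events (System log, event 7045).

    .PARAMETER Whitelist
    Path to a text file of service names to exclude, one per line.

    .PARAMETER Verbose
    Emit the individual events instead of a per-ServiceName count table. Named like the common parameter, but without [CmdletBinding()] it is an ordinary switch here.
    #>
    Param(
        [string]$Whitelist,
        [switch]$Verbose
    )
    $Exclusions = @()
    if ($Whitelist) {
        $Exclusions = Get-Content $Whitelist -ErrorAction Stop
    }
    $Events = Get-WinEvent -FilterHashtable @{
        LogName = "System"
        Id = 7045
    } | Read-WinEvent | Where-Object { $_.ServiceName -notin $Exclusions }
    if ($Verbose) {
        $Events
    } else {
        # The original omitted the pipe between Where-Object and Group-Object in this branch,
        # so the filtered events were written out raw and Group-Object ran with no input.
        $Events |
        Group-Object -Property ServiceName -NoElement |
        Sort-Object -Property Count -Descending |
        Format-Table -AutoSize
    }
}
--------------------------------------------------------------------------------
/Soap/Get-WinEventUsb.ps1:
--------------------------------------------------------------------------------
function Get-WinEventUsb {
    <#
    .SYNOPSIS
    Summarizes external device recognition events (Security log, event 6416).

    .PARAMETER Whitelist
    Path to a text file of device class names to exclude, one per line.

    .PARAMETER Verbose
    Emit the individual events instead of a per-ClassName count table. Named like the common parameter, but without [CmdletBinding()] it is an ordinary switch here.
    #>
    Param(
        [string]$Whitelist,
        [switch]$Verbose
    )
    $Exclusions = @()
    if ($Whitelist) {
        $Exclusions = Get-Content $Whitelist -ErrorAction Stop
    }
    # Events without a ClassName are dropped as well as whitelisted classes.
    $Events = Get-WinEvent -FilterHashtable @{
        LogName = "Security"
        Id = 6416
    } | Read-WinEvent | Where-Object {
        ($null -ne $_.ClassName) -and ($_.ClassName -notin $Exclusions)
    }
    if ($Verbose) {
        $Events
    } else {
        $Events |
        Group-Object -Property ClassName -NoElement |
        Sort-Object -Property Count -Descending |
        Format-Table -AutoSize
    }
}
--------------------------------------------------------------------------------
/Soap/Get-WinEventWindowsDefender.ps1:
--------------------------------------------------------------------------------
function Get-WinEventWindowsDefender {
    Param(
        [string]$Whitelist,
        [switch]$Verbose
    )
    if ($Whitelist) {
        $Exclusions =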
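Get-Content $Whitelist -ErrorAction Stop
    }
    $FilterHashTable = @{
        LogName = "Microsoft-Windows-Windows Defender/Operational"
        Id = 1116,1117
    }
    if ($Verbose) {
        Get-WinEvent -FilterHashtable $FilterHashTable |
        Read-WinEvent |
        Where-Object { $_."Threat Name" -notin $Exclusions }
    } else {
        Get-WinEvent -FilterHashtable $FilterHashTable |
        Read-WinEvent |
        Where-Object { $_."Threat Name" -notin $Exclusions } |
        Group-Object -Property "Threat Name" -NoElement |
        Sort-Object -Property "Count" -Descending |
        Format-Table -AutoSize
    }
}
--------------------------------------------------------------------------------
/Soap/Get-WinRmClient.ps1:
--------------------------------------------------------------------------------
function Get-WinRmClient {
    <#
    .SYNOPSIS
    Lists domain computers that accept WinRM connections.

    .DESCRIPTION
    Runs a trivial command on every computer returned by Get-AdComputer via Invoke-Command. Hosts that cannot be reached are ignored (-ErrorAction Ignore), so the output is the set of hosts that answered.
    #>
    $ComputerNames = (Get-AdComputer -Filter *).Name
    # $env:COMPUTERNAME is the Windows variable; $env:HOSTNAME (used originally) is not set
    # on Windows, so every responding host returned an empty value.
    Invoke-Command -ComputerName $ComputerNames -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Ignore
}
--------------------------------------------------------------------------------
/Soap/Get-WordWheelQuery.ps1:
--------------------------------------------------------------------------------
function Get-WordWheelQuery {
    <#
    .SYNOPSIS
    Lists the current user's Explorer search terms (WordWheelQuery).

    .DESCRIPTION
    Reads every value under HKCU\...\Explorer\WordWheelQuery except the MRUListEx ordering value and decodes each as a UTF-16 string.

    .OUTPUTS
    System.String, one per search term.
    #>
    $Key = "Registry::HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery"
    Get-Item $Key |
    Select-Object -ExpandProperty Property |
    Where-Object { $_ -ne "MRUListEx" } |
    ForEach-Object {
        $Value = (Get-ItemProperty -Path $Key -Name $_).$_
        # The stored data typically ends in a UTF-16 NUL terminator; strip it so the strings
        # compare and export cleanly.
        [System.Text.Encoding]::Unicode.GetString($Value).TrimEnd([char]0)
    }
}
--------------------------------------------------------------------------------
/Soap/Read-WinEvent.ps1:
--------------------------------------------------------------------------------
filter Read-WinEvent {
    <#
    .SYNOPSIS
    Flattens a Windows event record into a PSObject whose properties are the event's System fields and EventData values.

    .DESCRIPTION
    Converts each piped event (anything with a ToXml() method, such as Get-WinEvent output) to XML, copies every element of <System> into a property (TimeCreated is reformatted as "yyyy-MM-dd HH:mm:ss K"; elements without text, such as Provider, become a hashtable of their attributes) and then adds one property per named <Data> element of <EventData>.

    .EXAMPLE
    Get-WinEvent -FilterHashTable @{LogName="Security";Id=4625} | Read-WinEvent | Select-Object -Property TimeCreated,Hostname,TargetUserName,LogonType | Format-Table -AutoSize
    TimeCreated          TargetUserName LogonType
    -----------          -------------- ---------
    9/12/2021 8:23:27 AM Victor         2
    9/12/2021 8:23:27 AM Victor         2
    9/12/2021 7:49:37 AM Victor         2
    9/12/2021 7:49:37 AM Victor         2
    #>
    $WinEvent = [ordered]@{}
    $XmlData = [xml]$_.ToXml()
    $SystemData = $XmlData.Event.System
    $SystemFields = $SystemData | Get-Member -MemberType Properties | Select-Object -ExpandProperty Name
    foreach ($Field in $SystemFields) {
        $Element = $SystemData[$Field]
        if ($Field -eq 'TimeCreated') {
            $WinEvent.$Field = Get-Date -Format 'yyyy-MM-dd HH:mm:ss K' $Element.SystemTime
        } elseif ($Element.'#text') {
            $WinEvent.$Field = $Element.'#text'
        } else {
            # Build the attribute hashtable once. The original re-created it inside the
            # per-attribute loop, so only the last attribute of e.g. Provider survived.
            $Attributes = @{}
            $Element | Get-Member -MemberType Properties | Select-Object -ExpandProperty Name |
            ForEach-Object { $Attributes[$_] = $Element.$_ }
            $WinEvent.$Field = $Attributes
        }
    }
    # A foreach statement over $null runs zero times (unlike "$null | ForEach-Object"), and
    # <Data> elements without a Name attribute are skipped instead of producing a null key.
    foreach ($Datum in $XmlData.Event.EventData.Data) {
        if ($Datum.Name) {
            $WinEvent.$($Datum.Name) = $Datum.'#text'
        }
    }
    return New-Object -TypeName PSObject -Property $WinEvent
}
--------------------------------------------------------------------------------
/Soap/Set-AuditPolicy.ps1:
--------------------------------------------------------------------------------
function Set-AuditPolicy {
    <#
    .SYNOPSIS
    Configures the local audit policy.

    .DESCRIPTION
    Configures the local audit policy using recommendations from Microsoft, DISA, or Malware Archaeology.

    .INPUTS
    None.

    .OUTPUTS
    None.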
14 | 15 | .EXAMPLE 16 | Set-AuditPolicy.ps1 -Source "Malware Archaeology" 17 | 18 | .LINK 19 | https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations 20 | https://www.malwarearchaeology.com/s/Windows-Logging-Cheat-Sheet_ver_Feb_2019.pdf 21 | https://cryptome.org/2014/01/nsa-windows-event.pdf 22 | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ 23 | #> 24 | Param( 25 | [ValidateSet('Microsoft','DISA','Malware Archaeology')]$Source, 26 | [switch]$EnableDnsLogging, 27 | [switch]$DisableDnsLogging 28 | ) 29 | 30 | function Set-AuditPolicyUsingMicrosoftRecommendations { 31 | auditpol /clear /y 32 | 33 | # Account Logon 34 | # - Event IDs: 4774, 4776 35 | auditpol /set /subcategory:"Credential Validation" /success:enable 36 | 37 | # Account Management 38 | # - Event IDs: 4741, 4742, 4743 39 | auditpol /set /subcategory:"Computer Account Management" /success:enable 40 | 41 | # - Event IDs: 4739, 4782, 4793 42 | auditpol /set /subcategory:"Other Account Management Events" /success:enable 43 | 44 | # - Event IDs: 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764, 4799 45 | auditpol /set /subcategory:"Security Group Management" /success:enable 46 | 47 | # - Event IDs: 4738, 4740, 4765, 4767, 4780, 4781, 48 | auditpol /set /subcategory:"User Account Management" /success:enable 49 | 50 | # Detailed Tracking 51 | # - Event ID: 4688 52 | auditpol /set /subcategory:"Process Creation" /success:enable 53 | 54 | # Logon/Logoff 55 | # - Event IDs: 4624, 4625 56 | auditpol /set /subcategory:"Logon" /success:enable /failure:enable 57 | 58 | # - Event IDs: 4634, 4647 59 | auditpol /set /subcategory:"Logoff" /success:enable 60 | 61 | # - Event IDs: 4672, 4964 62 | auditpol /set /subcategory:"Special Logon" /success:enable 63 | 64 | # Policy Change 65 | # - Event IDs: 4715, 4719, 4817, 4902, 4904, 4905, 4906, 4907, 4908, 4912 66 | auditpol /set 
/subcategory:"Audit Policy Change" /success:enable /failure:enable 67 | 68 | # - Event IDs: 4706, 4707, 4713, 4716, 4717, 4718, 4865, 4866, 4867 69 | auditpol /set /subcategory:"Authentication Policy Change" /success:enable 70 | 71 | # System 72 | # - Event IDs: 5478, 5479, 5480, 5483, 5484, 5485 73 | auditpol /set /subcategory:"IPSec Driver" /success:enable /failure:enable 74 | 75 | # - Event IDs: 4608, 4609, 4616, 4621 76 | auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable 77 | 78 | # - Event IDs: 4610, 4611, 4614, 4622, 4697 79 | auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable 80 | 81 | # - Event IDs: 4612, 4615, 4618, 5038, 5056, 5061, 5890, 6281, 6410 82 | auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable 83 | } 84 | 85 | function Set-AuditPolicyUsingMalwareArchaeologyRecommendations { 86 | # DNS 87 | wevtutil sl "Microsoft-Windows-DNS-Client/Operational" /e:true 88 | 89 | # DHCP 90 | wevtutil sl "Microsoft-Windows-Dhcp-Client/Operational" /e:true 91 | 92 | auditpol /clear /y 93 | 94 | # Account Logon 95 | auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable 96 | 97 | auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable 98 | 99 | # Account Management 100 | auditpol /set /category:"Account Management" /success:enable /failure:enable 101 | 102 | # Detailed Tracking 103 | auditpol /set /subcategory:"Plug and Play Events" /success:enable 104 | 105 | auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable 106 | 107 | auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable 108 | 109 | auditpol /set /subcategory:"Token Right Adjusted Events" /success:enable 110 | 111 | # Logon/Logoff 112 | auditpol /set /subcategory:"Account Lockout" /success:enable 113 | 114 | auditpol /set /subcategory:"Group Membership" /success:enable 115 | 116 | auditpol /set /subcategory:"Logon" 
/success:enable 117 | 118 | auditpol /set /subcategory:"Logoff" /success:enable 119 | 120 | auditpol /set /subcategory:"Network Policy Server" /success:enable 121 | 122 | auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable 123 | 124 | auditpol /set /subcategory:"Special Logon" /success:enable 125 | 126 | # Object Access 127 | auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable 128 | 129 | auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable 130 | 131 | auditpol /set /subcategory:"Detailed File Share" /success:enable 132 | 133 | auditpol /set /subcategory:"File Share" /success:enable /failure:enable 134 | 135 | auditpol /set /subcategory:"File System" /success:enable 136 | 137 | auditpol /set /subcategory:"Filtering Platform Connection" /success:enable 138 | 139 | auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable 140 | 141 | auditpol /set /subcategory:"Registry" /success:enable 142 | 143 | auditpol /set /subcategory:"SAM" /success:enable 144 | 145 | # Policy Change 146 | auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable 147 | 148 | auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable 149 | 150 | auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable 151 | 152 | auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable 153 | 154 | # Privilege Use 155 | auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable 156 | 157 | # System 158 | auditpol /set /subcategory:"IPsec Driver" /success:enable 159 | 160 | auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable 161 | 162 | auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable 163 | 164 | auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable 165 | 166 | # Process Command Line 167 | 
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f 168 | } 169 | 170 | function Set-AuditPolicyUsingTheDisaStigForWindows10 { 171 | auditpol /clear /y 172 | 173 | # V-220748 174 | auditpol /set /subcategory:"Credential Validation" /failure:enable 175 | 176 | # V-220749 177 | auditpol /set /subcategory:"Credential Validation" /success:enable 178 | 179 | # V-220750 180 | auditpol /set /subcategory:"Security Group Management" /success:enable 181 | 182 | # V-220751 183 | auditpol /set /subcategory:"User Account Management" /failure:enable 184 | 185 | # V-220752 186 | auditpol /set /subcategory:"User Account Management" /success:enable 187 | 188 | # V-220753 189 | auditpol /set /subcategory:"Plug and Play Events" /success:enable 190 | 191 | # V-220754 192 | auditpol /set /subcategory:"Process Creation" /success:enable 193 | 194 | # V-220755 195 | auditpol /set /subcategory:"Account Lockout" /failure:enable 196 | 197 | # V-220756 198 | auditpol /set /subcategory:"Group Membership" /success:enable 199 | 200 | # V-220757 201 | auditpol /set /subcategory:"Logoff" /success:enable 202 | 203 | # V-220758 204 | auditpol /set /subcategory:"Logon" /failure:enable 205 | 206 | # V-220759 207 | auditpol /set /subcategory:"Logon" /success:enable 208 | 209 | # V-220760 210 | auditpol /set /subcategory:"Special Logon" /success:enable 211 | 212 | # V-220761 213 | auditpol /set /subcategory:"File Share" /failure:enable 214 | 215 | # V-220762 216 | auditpol /set /subcategory:"File Share" /success:enable 217 | 218 | # V-220763 219 | auditpol /set /subcategory:"Other Object Access Events" /success:enable 220 | 221 | # V-220764 222 | auditpol /set /subcategory:"Other Object Access Events" /failure:enable 223 | 224 | # V-220765 225 | auditpol /set /subcategory:"Removable Storage" /failure:enable 226 | 227 | # V-220766 228 | auditpol /set /subcategory:"Removable Storage" /success:enable 229 | 230 | # 
V-220767 231 | auditpol /set /subcategory:"Audit Policy Change" /success:enable 232 | 233 | # V-220768 234 | auditpol /set /subcategory:"Authentication Policy Change" /success:enable 235 | 236 | # V-220769 237 | auditpol /set /subcategory:"Authorization Policy Change" /success:enable 238 | 239 | # V-220770 240 | auditpol /set /subcategory:"Sensitive Privilege Use" /failure:enable 241 | 242 | # V-220771 243 | auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable 244 | 245 | # V-220772 246 | auditpol /set /subcategory:"IPSec Driver" /failure:enable 247 | 248 | # V-220773 249 | auditpol /set /subcategory:"Other System Events" /success:enable 250 | 251 | # V-220774 252 | auditpol /set /subcategory:"Other System Events" /failure:enable 253 | 254 | # V-220775 255 | auditpol /set /subcategory:"Security State Change" /success:enable 256 | 257 | # V-220776 258 | auditpol /set /subcategory:"Security System Extension" /success:enable 259 | 260 | # V-220777 261 | auditpol /set /subcategory:"System Integrity" /failure:enable 262 | 263 | # V-220778 264 | auditpol /set /subcategory:"System Integrity" /success:enable 265 | 266 | # V-220779: the Application event log size must be configured to 32768 KB or greater 267 | wevtutil sl "Application" /ms:32768000 268 | 269 | # V-220780: the Security event log size must be configured to 1024000 KB or greater 270 | wevtutil sl "Security" /ms:1024000000 271 | 272 | # V-220781: the System event log size must be configured to 32768 KB or greater 273 | wevtutil sl "System" /ms:32768000 274 | 275 | # V-220782: the Application event log must be restricted to the following accounts/groups: Eventlog, SYSTEM, Administrators 276 | 277 | 278 | # V-220783: the Security event log must be restricted to the following accounts/groups: Eventlog, SYSTEM, Administrators 279 | 280 | 281 | # V-220784: the System event log must be restricted to the following accounts/groups: Eventlog, SYSTEM, Administrators 282 | 283 | 284 | # V-220785 285 | 
auditpol /set /subcategory:"Other Policy Change Events" /success:enable 286 | 287 | # V-220786 288 | auditpol /set /subcategory:"Other Policy Change Events" /failure:enable 289 | 290 | # V-220787 291 | auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable 292 | 293 | # V-220787 294 | auditpol /set /subcategory:"Other Logon/Logoff Events" /failure:enable 295 | 296 | # V-220789 297 | auditpol /set /subcategory:"Detailed File Share" /success:enable 298 | 299 | # V-220790 300 | auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable 301 | 302 | # V-220791 303 | auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable 304 | 305 | # V-220809: Command line data must be included in process creation events. 306 | reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f 307 | 308 | # V-220860: PowerShell script block logging must be enabled on Windows 10. 309 | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f 310 | 311 | # V-220913: Audit policy using subcategories must be enabled 312 | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v SCENoApplyLegacyAuditPolicy /t REG_DWORD /d 1 /f 313 | 314 | # V-220978: the Manage auditing and security log user right must only be assigned to the Administrators group. 
315 | $SecurityTemplate = @" 316 | [Unicode] 317 | Unicode=yes 318 | [Registry Values] 319 | [Privilege Rights] 320 | SeSecurityPrivilege = *S-1-5-32-544 321 | [Version] 322 | signature=`"`$CHICAGO`$`" 323 | Revision=1 324 | "@ 325 | 326 | $FileName = "V-220978.inf" 327 | if (Test-Path $FileName) { 328 | Remove-Item $FileName 329 | New-Item -ItemType File -Name $FileName | Out-Null 330 | } 331 | Add-Content -Value $SecurityTemplate -Path $FileName 332 | secedit /configure /db secedit.sdb /cfg $FileName 333 | Remove-Item $FileName 334 | 335 | # V-250318: PowerShell Transcription must be enabled on Windows 10. 336 | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1 /f 337 | } 338 | 339 | if ($Source) { 340 | $SourcePrompt = Read-Host -Prompt "This script will implement the baseline Windows 10 audit policy recommended by $Source.`nDo you want to continue? (y/n)" 341 | if ($SourcePrompt.ToLower() -eq "y") { 342 | switch ($Source) { 343 | "Microsoft" { Set-AuditPolicyUsingMicrosoftRecommendations } 344 | "Malware Archaeology" { Set-AuditPolicyUsingMalwareArchaeologyRecommendations } 345 | "DISA" { Set-AuditPolicyUsingTheDisaStigForWindows10 } 346 | } 347 | } 348 | } 349 | 350 | if ($EnableDnsLogging) { 351 | $EnableDnsLoggingPrompt = Read-Host -Prompt "This script will configure the local DNS client to log all DNS queries. `nDo you want to continue? (y/n)" 352 | if ($EnableDnsLoggingPrompt.ToLower() -eq "y") { 353 | wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true 354 | } 355 | } elseif ($DisableDnsLogging) { 356 | $DisableDnsLoggingPrompt = Read-Host -Prompt "This script will configure the local DNS client to NOT log all DNS queries. `nDo you want to continue? 
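(y/n)" 357 | if ($DisableDnsLoggingPrompt.ToLower() -eq "y") { 358 | wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:false 359 | } 360 | } 361 | }
# ==== /Soap/Start-AdAccountAudit.ps1 ====
function Start-AdAccountAudit {
    <#
    .SYNOPSIS
    Disables inactive domain accounts.

    .DESCRIPTION
    Disables domain user accounts whose LastLogonDate is 45 days old or older and moves
    them into an organizational unit called "Disabled" directly under the domain root,
    creating that OU if it does not exist. Accounts that have never logged on (no
    LastLogonDate at all) do not match the filter and are left untouched.

    .INPUTS
    None. You cannot pipe objects to this function.

    .OUTPUTS
    None.

    .EXAMPLE
    PS> Start-AdAccountAudit

    .LINK
    https://github.com/cyberphor/Soap
    #>
    $Domain = (Get-ADDomain).DistinguishedName
    $DisabledContainer = "OU=Disabled,$Domain"
    # Get-ADOrganizationalUnit -Identity reports a missing OU as an error rather than a
    # $null result, so the existence check is made through try/catch. Any other failure
    # here (e.g. no domain controller reachable) also lands in the catch and will then
    # surface loudly on the New-ADOrganizationalUnit call.
    try {
        $null = Get-ADOrganizationalUnit -Identity $DisabledContainer -ErrorAction Stop
        $DisabledContainerExists = $true
    } catch {
        $DisabledContainerExists = $false
    }
    if (-not $DisabledContainerExists) {
        New-ADOrganizationalUnit -Name "Disabled" -Path $Domain
    }

    # The -Filter is evaluated by the AD provider: it expands variables but does not run
    # method calls, so (Get-Date).AddDays(-45) must be computed here and not inside the filter.
    $Cutoff = (Get-Date).AddDays(-45)
    # search for accounts w/lastlogondate beyond 45 days, disable them, and then move them to a "Disabled" container
    Get-ADUser -Filter { LastLogonDate -le $Cutoff } |
        ForEach-Object {
            Disable-ADAccount -Identity $_.SamAccountName
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $DisabledContainer
        }
}
# ==== /Soap/Start-Eradication.ps1 ====
function Start-Eradication {
    <#
    .SYNOPSIS
    Removes named services, processes and files from the local host.

    .DESCRIPTION
    For each service name that exists: stops it and deletes its registration with sc.exe.
    For each process name that is running: terminates it. For each file path that exists:
    deletes it. Names that match nothing are skipped silently.

    .PARAMETER Service
    One or more service names (as shown by Get-Service) to stop and delete.

    .PARAMETER Process
    One or more process names (without .exe) to terminate.

    .PARAMETER File
    One or more literal file paths to delete.

    .INPUTS
    None.

    .OUTPUTS
    None; a progress line per removed item is written to the output stream.

    .EXAMPLE
    Start-Eradication -Service "rshell" -Process "mimikatz" -File "c:\trojan.exe","c:\ransomware.exe"

    .LINK
    https://github.com/cyberphor/soap
    https://gist.github.com/ecapuano/d18b3b914021171da42e13e5a56cce42
    #>
    Param(
        [string[]]$Service,
        [string[]]$Process,
        [string[]]$File
    )
    # foreach over $null runs zero times, so no 'if ($Service)' guard is needed.
    foreach ($Name in $Service) {
        if (Get-Service -Name $Name -ErrorAction SilentlyContinue) {
            Write-Output "Removing service: $Name"
            Stop-Service -Name $Name -Force
            # -Wait so the deletion has completed before the next item is processed;
            # the original returned immediately, leaving sc.exe running in the background.
            Start-Process -FilePath sc.exe -ArgumentList "delete",$Name -Wait -NoNewWindow
        }
    }
    foreach ($Name in $Process) {
        if (Get-Process -Name $Name -ErrorAction SilentlyContinue) {
            Write-Output "Killing process: $Name"
            Stop-Process -Name $Name -Force
        }
    }
    foreach ($Path in $File) {
        # -LiteralPath: a dropped file's name may contain wildcard characters ('[', ']')
        # that -Path would expand. -Force also removes read-only and hidden files.
        if (Test-Path -LiteralPath $Path -PathType Leaf -ErrorAction SilentlyContinue) {
            Write-Output "Deleting file: $Path"
            Remove-Item -LiteralPath $Path -Force
        }
    }
}
# ==== /Soap/Start-Heartbeat.ps1 ====
function Start-Heartbeat {
    <#
    .SYNOPSIS
    Pings a host once a minute and prints ONLINE/OFFLINE until 17:00 local time.

    .PARAMETER Target
    Host name or IP address to probe with Test-Connection (two echo requests per check).

    .OUTPUTS
    None; status lines are written to the host with Write-Host.
    #>
    Param([string]$Target)
    # Stop at 5 PM local time. The original compared 12-hour 'hh:mm' strings, so 17:00
    # rendered as "05:00" and the comparison did not stop the loop at the intended time.
    $StopTime = Get-Date '17:00'
    do {
        # 'HH' (24-hour clock) so afternoon timestamps are unambiguous.
        $Timestamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
        Write-Host "[$Timestamp] [$Target] " -NoNewline
        if (Test-Connection -ComputerName $Target -Count 2 -Quiet) {
            Write-Host " ONLINE " -BackgroundColor Green -ForegroundColor Black
        } else {
            Write-Host " OFFLINE " -BackgroundColor Red -ForegroundColor Black
        }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $StopTime)

    $Timestamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    Write-Host "[$Timestamp] Time has expired."
}
# ==== /Work-in-Progress/Get-DscResourcesRequired.ps1 ====
function Get-DscResourcesRequired {
    <#
    .SYNOPSIS
    Installs the given DSC resource modules for the current user and zips them up.

    .DESCRIPTION
    Runs Install-Module for the names in -Resources, then archives every module directory
    under the user's PSModulePath entry whose LastWriteTime is later than the start of the
    download into DscResources.zip in the current directory. An existing archive is replaced.

    .PARAMETER Resources
    Module names to install from the configured repository.
    Defaults to AuditPolicyDsc, xBitLocker and NetworkingDsc.

    .OUTPUTS
    None; the archive is written to .\DscResources.zip.
    #>
    Param([string[]]$Resources = @("AuditPolicyDsc","xBitLocker","NetworkingDsc"))
    $DownloadStartTime = Get-Date
    $OutputFile = "DscResources.zip"
    Install-Module -Name $Resources -Scope CurrentUser -Force
    if (Test-Path $OutputFile) { Remove-Item $OutputFile -Force }
    # -Scope CurrentUser installs into the PSModulePath entry that contains the user name.
    $env:PSModulePath -split ';' |
        Where-Object { $_ -like "*$env:USERNAME*" } |
        Get-ChildItem |
        Where-Object { $_.LastWriteTime -gt $DownloadStartTime } |
        Select-Object -ExpandProperty FullName |
        Compress-Archive -DestinationPath $OutputFile   # single source of truth for the archive name
}
# ==== /Work-in-Progress/Get-EnterpriseVisbility.ps1 ====
function Get-EnterpriseVisbility {
    <#
    .SYNOPSIS
    Summarizes how much of a network the collection infrastructure can see.

    .DESCRIPTION
    Counts live IP addresses on the network, computer objects in Active Directory, hosts
    forwarding events to the collector, and hosts reachable over WinRM, and returns the
    four counts as one object.

    .PARAMETER Network
    Network range handed to Get-IpAddressRange.

    .PARAMETER EventCollector
    Name of the Windows Event Collector whose subscription sources are counted.

    .OUTPUTS
    PSCustomObject with ActiveIps, AdObjects, EventForwarders and WinRmClients.
    #>
    param(
        [Parameter(Mandatory)][string]$Network,
        [Parameter(Mandatory)][string]$EventCollector
    )
    # NOTE(review): Get-IpAddressRange and Test-Connections are not defined in this
    # repository snapshot — confirm they are provided by the module.
    # @(...) so .Count is 0 or 1 for empty and single results instead of $null.
    $ActiveIps = @(Get-IpAddressRange -Network $Network | Test-Connections)
    $AdObjects = @((Get-ADComputer -Filter "*").Name)
    # Singular names: the functions defined in this repository are Get-EventForwarder and
    # Get-WinRmClient; the plural names the original called do not exist here.
    $EventForwarders = @(Get-EventForwarder -ComputerName $EventCollector)
    $WinRmClients = @(Get-WinRmClient)
    return [PSCustomObject]@{
        ActiveIps       = $ActiveIps.Count
        AdObjects       = $AdObjects.Count
        EventForwarders = $EventForwarders.Count
        WinRmClients    = $WinRmClients.Count
    }
}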
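# ==== /Work-in-Progress/Get-EventForwarder.ps1 ====
function Get-EventForwarder {
    <#
    .SYNOPSIS
    Lists the hosts that forward events to a Windows Event Collector subscription.

    .DESCRIPTION
    Connects to the collector with Invoke-Command and reads the EventSources subkeys of the
    given subscription; each subkey is named after one forwarding host.

    .PARAMETER ComputerName
    Name of the event collector to query.

    .PARAMETER Subscription
    Subscription name under the EventCollector registry key. Defaults to "Forwarded Events".

    .OUTPUTS
    System.String per forwarding host.
    #>
    param(
        [string]$ComputerName,
        [string]$Subscription = "Forwarded Events"
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Subscription -ScriptBlock {
        $Subscription = $args[0]
        $Key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions\$Subscription\EventSources"
        # PSChildName is the leaf key name. The original split the full key path on '\'
        # and took element 9, which is only correct while the key depth matches the
        # literal above exactly.
        $EventForwarders = (Get-ChildItem $Key).PSChildName
        return $EventForwarders
    }
}
-------------------------------------------------------------------------------- /Work-in-Progress/Get-EventViewer.ps1: -------------------------------------------------------------------------------- 1 | function Get-EventViewer { 2 | # create a COM object for Excel 3 | $Excel = New-Object -ComObject Excel.Application 4 | 5 | # create a workbook and then add two worksheets to it 6 | $Workbook = $Excel.Workbooks.Add() 7 | $Tab2 = $Workbook.Worksheets.Add() 8 | $Tab3 = $Workbook.Worksheets.Add() 9 | 10 | function Get-SuccessfulLogonEvents { 11 | # rename the first worksheet 12 | $Workbook.Worksheets.Item(1).Name = "SuccessfulLogon" 13 | 14 | # define column headers using the first row 15 | $Workbook.Worksheets.Item("SuccessfulLogon").Cells.Item(1,1) = "TimeCreated" 16 | $Workbook.Worksheets.Item("SuccessfulLogon").Cells.Item(1,2) = "RecordId" 17 | $Workbook.Worksheets.Item("SuccessfulLogon").Cells.Item(1,3) = "UserName" 18 | $Workbook.Worksheets.Item("SuccessfulLogon").Cells.Item(1,4) = "LogonType" 19 | 20 | # define where to begin adding data (by row and column) 21 | $rTimeCreated, $cTimeCreated = 2,1 22 | $rRecordId, $cRecordId = 2,2 23 | $rUserName, $cUserName = 2,3 24 | $rLogonType, $cLogonType = 2,4 25 | 26 | # define what Windows Event criteria must match 27 | $FilterHashTable = @{ 28 | LogName = "Security" 29 | Id = 4624 30 | StartTime = 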
(Get-Date).AddDays(-1) 31 | } 32 | 33 | # cycle through the Windows Events that match the criteria above 34 | Get-WinEvent -FilterHashtable $FilterHashTable | 35 | Read-WinEvent | 36 | Select-Object -Property TimeCreated,EventRecordId,TargetUserName,LogonType | 37 | Where-Object { 38 | $_.TargetUserName -ne "SYSTEM" 39 | } | 40 | ForEach-Object { 41 | [System.GC]::Collect() 42 | # fill-in the current row 43 | $Workbook.Worksheets.Item("SuccessfulLogon").Cells.Item($rTimeCreated, $cTimeCreated) = $_.TimeCreated 44 | $Workbook.Worksheets.Item("SuccessfulLogon").Cells.Item($rRecordId, $cRecordId) = $_.EventRecordId 45 | $Workbook.Worksheets.Item("SuccessfulLogon").Cells.Item($rUserName, $cUserName) = $_.TargetUserName 46 | $Workbook.Worksheets.Item("SuccessfulLogon").Cells.Item($rLogonType, $cLogonType) = $_.LogonType 47 | 48 | # move-on to the next row 49 | $rTimeCreated++ 50 | $rRecordId++ 51 | $rUserName++ 52 | $rLogonType++ 53 | } 54 | } 55 | 56 | function Get-ProcessCreationEvents { 57 | # rename the second worksheet 58 | $Workbook.Worksheets.Item(2).Name = "ProcessCreation" 59 | 60 | # define column headers using the first row 61 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item(1,1) = "TimeCreated" 62 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item(1,2) = "RecordId" 63 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item(1,3) = "UserName" 64 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item(1,4) = "ParentProcessName" 65 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item(1,5) = "NewProcessName" 66 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item(1,6) = "CommandLine" 67 | 68 | # define where to begin adding data (by row and column) 69 | $rTimeCreated, $cTimeCreated = 2,1 70 | $rRecordId, $cRecordId = 2,2 71 | $rUserName, $cUserName = 2,3 72 | $rParentProcessName, $cParentProcessName = 2,4 73 | $rNewProcessName, $cNewProcessName = 2,5 74 | $rCommandLine, $cCommandLine = 2,6 75 | 76 | # define what Windows Event 
criteria must match 77 | $FilterHashTable = @{ 78 | LogName = "Security" 79 | Id = 4688 80 | StartTime = (Get-Date).AddDays(-1) 81 | 82 | } 83 | # cycle through the Windows Events that match the criteria above 84 | Get-WinEvent -FilterHashtable $FilterHashTable | 85 | Read-WinEvent | 86 | Select-Object -Property TimeCreated,EventRecordId,TargetUserName,ParentProcessName,NewProcessName,CommandLine | 87 | Where-Object { 88 | ($_.TargetUserName -ne "-") -and ` 89 | ($_.TargetUserName -notlike "*$") -and ` 90 | ($_.TargetUserName -ne "LOCAL SERVICE") 91 | } | 92 | ForEach-Object { 93 | [System.GC]::Collect() 94 | # fill-in the current row 95 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item($rTimeCreated, $cTimeCreated) = $_.TimeCreated 96 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item($rRecordId, $cRecordId) = $_.EventRecordId 97 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item($rUserName, $cUserName) = $_.TargetUserName 98 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item($rParentProcessName, $cParentProcessName) = $_.ParentProcessName 99 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item($rNewProcessName, $cNewProcessName) = $_.NewProcessName 100 | $Workbook.Worksheets.Item("ProcessCreation").Cells.Item($rCommandLine, $cCommandLine) = $_.CommandLine 101 | 102 | # move-on to the next row 103 | $rTimeCreated++ 104 | $rRecordId++ 105 | $rUserName++ 106 | $rParentProcessName++ 107 | $rNewProcessName++ 108 | $rCommandLine++ 109 | } 110 | } 111 | 112 | function Get-PowerShellEvents { 113 | # rename the third worksheet 114 | $Workbook.Worksheets.Item(3).Name = "PowerShell" 115 | 116 | # define column headers using the first row 117 | $Workbook.Worksheets.Item("PowerShell").Cells.Item(1,1) = "TimeCreated" 118 | $Workbook.Worksheets.Item("PowerShell").Cells.Item(1,2) = "RecordId" 119 | $Workbook.Worksheets.Item("PowerShell").Cells.Item(1,3) = "Sid" 120 | $Workbook.Worksheets.Item("PowerShell").Cells.Item(1,4) = "ScriptBlockText" 121 
| 122 | # define where to begin adding data (by row and column) 123 | $rTimeCreated, $cTimeCreated = 2,1 124 | $rRecordId, $cRecordId = 2,2 125 | $rSid, $cSid = 2,3 126 | $rScriptBlockText, $cScriptBlockText = 2,4 127 | 128 | # define what Windows Event criteria must match 129 | $FilterHashTable = @{ 130 | LogName = "Microsoft-Windows-PowerShell/Operational" 131 | Id = 4104 132 | StartTime = (Get-Date).AddDays(-1) 133 | } 134 | 135 | # cycle through the Windows Events that match the criteria above 136 | Get-WinEvent -FilterHashtable $FilterHashTable | 137 | Read-WinEvent | 138 | Select-Object -Property TimeCreated,EventRecordId,@{N="Sid";E={$_.Security.UserId}},ScriptBlockText | 139 | Where-Object { 140 | ($_.Sid -ne "S-1-5-18") -and 141 | ($_.ScriptBlockText -ne "prompt") 142 | } | 143 | ForEach-Object { 144 | [System.GC]::Collect() 145 | # fill-in the current row 146 | $Workbook.Worksheets.Item("PowerShell").Cells.Item($rTimeCreated, $cTimeCreated) = $_.TimeCreated 147 | $Workbook.Worksheets.Item("PowerShell").Cells.Item($rRecordId, $cRecordId) = $_.EventRecordId 148 | $Workbook.Worksheets.Item("PowerShell").Cells.Item($rSid, $cSid) = $_.Sid 149 | $Workbook.Worksheets.Item("PowerShell").Cells.Item($rScriptBlockText, $cScriptBlockText) = $_.ScriptBlockText 150 | 151 | # move-on to the next row 152 | $rTimeCreated++ 153 | $rRecordId++ 154 | $rSid++ 155 | $rScriptBlockText++ 156 | } 157 | } 158 | 159 | $Path = $env:USERPROFILE + "\Desktop\Events-" + $(Get-Date -Format yyyy-MM-dd_hhmm) +".xlsx" 160 | $Workbook.SaveAs($Path,51) 161 | 162 | Get-SuccessfulLogonEvents 163 | $Workbook.Worksheets.Item("SuccessfulLogon").UsedRange.Columns.Autofit() | Out-Null 164 | 165 | Get-ProcessCreationEvents 166 | $Workbook.Worksheets.Item("ProcessCreation").UsedRange.Columns.Autofit() | Out-Null 167 | $Workbook.Save() 168 | 169 | Get-PowerShellEvents 170 | $Workbook.Worksheets.Item("PowerShell").UsedRange.Columns.Autofit() | Out-Null 171 | $Workbook.Save() 172 | 173 | $Excel.Quit() 
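174 | Invoke-Item -Path $Path 175 | }
# ==== /Work-in-Progress/Get-Stig.ps1 ====
function Get-Stig {
    <#
    .SYNOPSIS
    Returns STIG rules as PowerShell objects.

    .DESCRIPTION
    Returns Security Technical Implementation Guide (STIG) rules as PowerShell objects after reading an Extensible Configuration Checklist Description Format (XCCDF) document.

    .PARAMETER Path
    Path of the XCCDF XML file to read.

    .INPUTS
    None. You cannot pipe objects to Get-Stig.

    .OUTPUTS
    PSCustomObject, one per rule, with RuleID, RuleTitle, Severity, VulnerabilityDetails,
    Check, Fix, ControlIdentifier and Control (always $null) properties.
    Writes an error and returns nothing if the file is missing or is not an XCCDF document.

    .EXAMPLE
    Get-Stig -Path 'U_MS_Windows_10_STIG_V2R3_Manual-xccdf.xml'

    .LINK
    https://gist.github.com/entelechyIT
    #>
    Param([Parameter(Mandatory)]$Path)
    if (-not (Test-Path $Path)) {
        # The original returned silently here; a missing file is a caller error worth reporting.
        Write-Error "File not found: $Path"
        return
    }
    [xml]$XCCDFdocument = Get-Content -Path $Path
    if ($XCCDFdocument.Benchmark.xmlns -notlike 'http://checklists.nist.gov/xccdf/*') {
        Write-Error 'The file provided is not a XCCDF document.'
        return
    }
    # Emit each rule from the pipeline instead of growing an array with '+=' per rule.
    $XCCDFdocument.Benchmark.Group.Rule |
        ForEach-Object {
            New-Object -TypeName PSObject -Property ([ordered]@{
                RuleID               = $PSItem.id
                RuleTitle            = $PSItem.title
                Severity             = $PSItem.severity
                # NOTE(review): the -split and -replace patterns below are empty in this copy
                # of the file (probably markup lost in rendering); kept as-is, confirm against
                # the original source before relying on VulnerabilityDetails.
                VulnerabilityDetails = $($($($PSItem.description) -split '')[0] -replace '', '')
                Check                = $PSItem.check.'check-content'
                Fix                  = $PSItem.fixtext.'#text'
                ControlIdentifier    = $PSItem.ident.'#text'
                Control              = $null
            })
        }
}
# ==== /Work-in-Progress/Get-WirelessNetAdapter.ps1 ====
function Get-WirelessNetAdapter {
    <#
    .SYNOPSIS
    Returns the wireless network adapters of a computer.

    .DESCRIPTION
    Queries Win32_NetworkAdapter over WMI and keeps the adapters whose Name contains
    "wi-fi" or "wireless" (case-insensitive).

    .PARAMETER ComputerName
    Computer to query; defaults to the local machine.

    .OUTPUTS
    Win32_NetworkAdapter WMI objects.

    .EXAMPLE
    Get-WirelessNetAdapter
    ServiceName      : RtlWlanu
    MACAddress       : 00:13:EF:F3:6F:F5
    AdapterType      : Ethernet 802.3
    DeviceID         : 16
    Name             : Realtek 8812BU Wireless LAN 802.11ac USB NIC
    NetworkAddresses :
    Speed            : 144400000

    ServiceName      : vwifimp
    MACAddress       : 02:13:EF:F3:6F:F5
    AdapterType      : Ethernet 802.3
    DeviceID         : 17
    Name             : Microsoft Wi-Fi Direct Virtual Adapter #2
    NetworkAddresses :
    Speed            : 9223372036854775807
    #>
    Param([string]$ComputerName = $env:COMPUTERNAME)
    $Adapters = Get-WmiObject -ComputerName $ComputerName -Class Win32_NetworkAdapter
    foreach ($Adapter in $Adapters) {
        if ($Adapter.Name -match 'wi-fi|wireless') {
            $Adapter
        }
    }
}
# ==== /Work-in-Progress/Import-AdUsersFromCsv.ps1 ====
function Import-AdUsersFromCsv {
    <#
    .SYNOPSIS
    Creates domain user accounts from a CSV file.

    .DESCRIPTION
    Reads the FirstName, LastName and Description columns of the CSV and creates one
    enabled user per row under the domain's "OU=Users" container. Every account gets the
    same initial password, must change it at first logon, and expires on -AccountExpirationDate.

    .PARAMETER Path
    CSV file to read. Defaults to .\users.csv in the current directory.

    .PARAMETER AccountPassword
    Initial password for every account, as a SecureString (e.g. from Read-Host -AsSecureString).
    Mandatory: the original hard-coded a shared initial password in this file, so it was
    committed to source control and shipped with every copy of the module.

    .PARAMETER AccountExpirationDate
    Expiration date applied to every account. Defaults to the date the original hard-coded.

    .OUTPUTS
    None.
    #>
    Param(
        [string]$Path = '.\users.csv',
        [Parameter(Mandatory)][SecureString]$AccountPassword,
        [DateTime]$AccountExpirationDate = (Get-Date -Date 'October 31 2022')
    )
    # Resolve the domain once rather than twice per row.
    $Domain = Get-ADDomain
    $Forest = $Domain.Forest
    # The original wrote "OU=Users,$(Get-ADDomain).DistinguishedName": the subexpression
    # stringifies the whole domain object and ".DistinguishedName" is appended as literal
    # text, so the OU path was wrong.
    $TargetOu = "OU=Users,$($Domain.DistinguishedName)"
    Import-Csv -Path $Path |
        ForEach-Object {
            $Name = $_.LastName + ', ' + $_.FirstName
            $SamAccountName = ($_.FirstName + '.' + $_.LastName).ToLower()
            $UserPrincipalName = $SamAccountName + '@' + $Forest
            New-ADUser `
                -Name $Name `
                -DisplayName $Name `
                -GivenName $_.FirstName `
                -Surname $_.LastName `
                -SamAccountName $SamAccountName `
                -UserPrincipalName $UserPrincipalName `
                -Description $_.Description `
                -ChangePasswordAtLogon $true `
                -AccountExpirationDate $AccountExpirationDate `
                -Enabled $true `
                -Path $TargetOu `
                -AccountPassword $AccountPassword
        }
}
# ==== /Work-in-Progress/Install-Sysmon.ps1 ====
function Install-Sysmon {
    <#
    .SYNOPSIS
    Downloads Sysmon and installs it with the SwiftOnSecurity configuration.

    .DESCRIPTION
    Fetches Sysmon.zip from Sysinternals into the current directory, extracts it to
    C:\Program Files\Sysmon, downloads the SwiftOnSecurity sysmon-config as config.xml and
    runs Sysmon64.exe -accepteula -i with it. The extracted binary is executed only if its
    Authenticode signature status is Valid.

    .OUTPUTS
    None (Sysmon's own console output).
    #>
    $InstallDir = "C:\Program Files\Sysmon"
    $Archive = "Sysmon.zip"
    $Exe = Join-Path $InstallDir "Sysmon64.exe"
    $Config = Join-Path $InstallDir "config.xml"
    Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sysmon.zip" -OutFile $Archive
    Expand-Archive -Path $Archive -DestinationPath $InstallDir
    Remove-Item -Path $Archive
    # NOTE(review): config.xml is fetched from a third-party repository's default branch with
    # no integrity check beyond TLS; pin a commit or compare a known hash before production use.
    Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -OutFile $Config
    # The download itself is trusted only via TLS; refuse to run a binary that is not
    # signed and intact (Sysinternals releases are Authenticode-signed).
    $Signature = Get-AuthenticodeSignature -FilePath $Exe
    if ($Signature.Status -ne 'Valid') {
        throw "Refusing to install: signature status of '$Exe' is '$($Signature.Status)'."
    }
    # Call operator instead of Invoke-Expression: the paths are passed as arguments and are
    # not re-parsed as PowerShell source, and the quoting is no longer embedded in a string.
    & $Exe -accepteula -i $Config
}
-------------------------------------------------------------------------------- /Work-in-Progress/Invoke-SecurityBaseline.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-SecurityBaseline { 2 | # V-220726: Data Execution Prevention (DEP) must be configured to at least OptOut. 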
3 | bcdedit /set "{current}" nx OptOut 4 | 5 | # V-220748 6 | auditpol /set /subcategory:"Credential Validation" /failure:enable 7 | 8 | # V-220749 9 | auditpol /set /subcategory:"Credential Validation" /success:enable 10 | 11 | # V-220750 12 | auditpol /set /subcategory:"Security Group Management" /success:enable 13 | 14 | # V-220751 15 | auditpol /set /subcategory:"User Account Management" /failure:enable 16 | 17 | # V-220752 18 | auditpol /set /subcategory:"User Account Management" /success:enable 19 | 20 | # V-220753 21 | auditpol /set /subcategory:"Plug and Play Events" /success:enable 22 | 23 | # V-220754 24 | auditpol /set /subcategory:"Process Creation" /success:enable 25 | 26 | # V-220755 27 | auditpol /set /subcategory:"Account Lockout" /failure:enable 28 | 29 | # V-220756 30 | auditpol /set /subcategory:"Group Membership" /success:enable 31 | 32 | # V-220757 33 | auditpol /set /subcategory:"Logoff" /success:enable 34 | 35 | # V-220758 36 | auditpol /set /subcategory:"Logon" /failure:enable 37 | 38 | # V-220759 39 | auditpol /set /subcategory:"Logon" /success:enable 40 | 41 | # V-220760 42 | auditpol /set /subcategory:"Special Logon" /success:enable 43 | 44 | # V-220761 45 | auditpol /set /subcategory:"File Share" /failure:enable 46 | 47 | # V-220762 48 | auditpol /set /subcategory:"File Share" /success:enable 49 | 50 | # V-220763 51 | auditpol /set /subcategory:"Other Object Access Events" /success:enable 52 | 53 | # V-220764 54 | auditpol /set /subcategory:"Other Object Access Events" /failure:enable 55 | 56 | # V-220765 57 | auditpol /set /subcategory:"Removable Storage" /failure:enable 58 | 59 | # V-220766 60 | auditpol /set /subcategory:"Removable Storage" /success:enable 61 | 62 | # V-220767 63 | auditpol /set /subcategory:"Audit Policy Change" /success:enable 64 | 65 | # V-220768 66 | auditpol /set /subcategory:"Authentication Policy Change" /success:enable 67 | 68 | # V-220769 69 | auditpol /set /subcategory:"Authorization Policy Change" 
/success:enable 70 | 71 | # V-220770 72 | auditpol /set /subcategory:"Sensitive Privilege Use" /failure:enable 73 | 74 | # V-220771 75 | auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable 76 | 77 | # V-220772 78 | auditpol /set /subcategory:"IPSec Driver" /failure:enable 79 | 80 | # V-220773 81 | auditpol /set /subcategory:"Other System Events" /success:enable 82 | 83 | # V-220774 84 | auditpol /set /subcategory:"Other System Events" /failure:enable 85 | 86 | # V-220775 87 | auditpol /set /subcategory:"Security State Change" /success:enable 88 | 89 | # V-220776 90 | auditpol /set /subcategory:"Security System Extension" /success:enable 91 | 92 | # V-220777 93 | auditpol /set /subcategory:"System Integrity" /failure:enable 94 | 95 | # V-220778 96 | auditpol /set /subcategory:"System Integrity" /success:enable 97 | 98 | # V-220779: the Application event log size must be configured to 32768 KB or greater 99 | wevtutil sl "Application" /ms:32768000 100 | 101 | # V-220780: the Security event log size must be configured to 1024000 KB or greater 102 | wevtutil sl "Security" /ms:1024000000 103 | 104 | # V-220781: the System event log size must be configured to 32768 KB or greater 105 | wevtutil sl "System" /ms:32768000 106 | 107 | # V-220785 108 | auditpol /set /subcategory:"Other Policy Change Events" /success:enable 109 | 110 | # V-220786 111 | auditpol /set /subcategory:"Other Policy Change Events" /failure:enable 112 | 113 | # V-220787 114 | auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable 115 | 116 | # V-220787 117 | auditpol /set /subcategory:"Other Logon/Logoff Events" /failure:enable 118 | 119 | # V-220789 120 | auditpol /set /subcategory:"Detailed File Share" /success:enable 121 | 122 | # V-220790 123 | auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable 124 | 125 | # V-220791 126 | auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable 127 | 128 | # V-220809: Command line data 
must be included in process creation events. 129 | $Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" 130 | $Name = "ProcessCreationIncludeCmdLine_Enabled" 131 | $PropertyType = "DWORD" 132 | $Value = 1 133 | New-Item -Path $Path 134 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 135 | 136 | # V-220823: Solicited Remote Assistance must not be allowed. 137 | $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\" 138 | $Name = "fAllowToGetHelp" 139 | $PropertyType = "DWORD" 140 | $Value = 0 141 | New-Item -Path $Path 142 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 143 | 144 | # V-220827: Autoplay must be turned off for non-volume devices. 145 | $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\" 146 | $Name = "NoAutoplayfornonVolume" 147 | $PropertyType = "DWORD" 148 | $Value = 1 149 | New-Item -Path $Path 150 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 151 | 152 | # V-220828: The default autorun behavior must be configured to prevent autorun commands. 153 | $Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" 154 | $Name = "NoAutorun" 155 | $PropertyType = "DWORD" 156 | $Value = 1 157 | New-Item -Path $Path 158 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 159 | 160 | # V-220829: Autoplay must be disabled for all drives. 161 | $Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\" 162 | $Name = "NoDriveTypeAutoRun" 163 | $PropertyType = "DWORD" 164 | $Value = 255 165 | New-Item -Path $Path 166 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 167 | 168 | # V-220857: The Windows Installer Always install with elevated privileges must be disabled. 
169 | $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\" 170 | $Name = "AlwaysInstallElevated" 171 | $PropertyType = "DWORD" 172 | $Value = 0 173 | New-Item -Path $Path 174 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 175 | 176 | # V-220860: PowerShell script block logging must be enabled on Windows 10. 177 | $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\" 178 | $Name = "EnableScriptBlockLogging" 179 | $PropertyType = "DWORD" 180 | $Value = 1 181 | New-Item -Path $Path -Force 182 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 183 | 184 | # V-220862: The Windows Remote Management (WinRM) client must not use Basic authentication. 185 | $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\" 186 | $Name = "AllowBasic" 187 | $PropertyType = "DWORD" 188 | $Value = 0 189 | New-Item -Path $Path 190 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 191 | 192 | # V-220865: The Windows Remote Management (WinRM) service must not use Basic authentication. 193 | $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\" 194 | $Name = "AllowBasic" 195 | $PropertyType = "DWORD" 196 | $Value = 0 197 | New-Item -Path $Path 198 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 199 | 200 | # V-220913: Audit policy using subcategories must be enabled 201 | $Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" 202 | $Name = "SCENoApplyLegacyAuditPolicy" 203 | $PropertyType = "DWORD" 204 | $Value = 1 205 | New-Item -Path $Path 206 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 207 | 208 | # V-220930: Anonymous enumeration of shares must be restricted. 
209 | $Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" 210 | $Name = "RestrictAnonymous" 211 | $PropertyType = "DWORD" 212 | $Value = 1 213 | New-Item -Path $Path 214 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 215 | 216 | # V-220938: The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. 217 | $Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" 218 | $Name = "LmCompatibilityLevel" 219 | $PropertyType = "DWORD" 220 | $Value = 5 221 | New-Item -Path $Path 222 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 223 | 224 | # V-220978: the Manage auditing and security log user right must only be assigned to the Administrators group. 225 | $SecurityTemplate = @" 226 | [Unicode] 227 | Unicode=yes 228 | [Registry Values] 229 | [Privilege Rights] 230 | SeSecurityPrivilege = *S-1-5-32-544 231 | [Version] 232 | signature=`"`$CHICAGO`$`" 233 | Revision=1 234 | "@ 235 | $FileName = "V-220978.inf" 236 | if (Test-Path $FileName) { 237 | Remove-Item $FileName 238 | New-Item -ItemType File -Name $FileName | Out-Null 239 | } 240 | Add-Content -Value $SecurityTemplate -Path $FileName 241 | secedit /configure /db secedit.sdb /cfg $FileName 242 | Remove-Item "secedit.sdb" 243 | Remove-Item $FileName 244 | 245 | # V-250318: PowerShell Transcription must be enabled on Windows 10. 246 | $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" 247 | $Name = "EnableTranscripting" 248 | $PropertyType = "DWORD" 249 | $Value = 1 250 | New-Item -Path $Path -Force 251 | New-ItemProperty -Path $Path -Name $Name -PropertyType $PropertyType -Value $Value -Force 252 | 253 | # Reboot 254 | shutdown /r /t 15 /c "Rebooting in 15 seconds." 
255 | } -------------------------------------------------------------------------------- /Work-in-Progress/New-Alert.ps1: -------------------------------------------------------------------------------- 1 | function New-Alert { 2 | Param([Parameter(Mandatory, ValueFromPipeline)][string]$Message) 3 | New-EventLog -LogName "Alerts" -Source "Custom" -ErrorAction SilentlyContinue 4 | Write-EventLog ` 5 | -Category 0 ` 6 | -EntryType Warning ` 7 | -EventID 5000 ` 8 | -LogName "Alerts" ` 9 | -Message $Message ` 10 | -Source "Custom" 11 | } -------------------------------------------------------------------------------- /Work-in-Progress/New-CustomViewsForSysmon.ps1: -------------------------------------------------------------------------------- 1 | function New-CustomViewsForSysmon { 2 | $SysmonFolder = "C:\ProgramData\Microsoft\Event Viewer\Views\Sysmon" 3 | if (-not (Test-Path -Path $SysmonFolder)) { 4 | New-Item -ItemType Directory -Path $SysmonFolder 5 | } 6 | $Events = @{ 7 | "1" = "Process-Creation" 8 | "2" = "A-Process-Changed-A-File-Creation-Time" 9 | "3" = "Network-Connection" 10 | "4" = "Sysmon-Service-State-Changed" 11 | "5" = "Process-Terminated" 12 | "6" = "Driver-Loaded" 13 | "7" = "Image-Loaded" 14 | "8" = "Create-Remote-Thread" 15 | "9" = "Raw-Access-Read" 16 | "10" = "Process-Access" 17 | "11" = "File-Create" 18 | "12" = "Registry-Event-Object-Create-Delete" 19 | "13" = "Registry-Event-Value-Set" 20 | "14" = "Registry-Event-Key-and-Value-Rename" 21 | "15" = "File-Create-Stream-Hash" 22 | "16" = "Service-Configuration-Change" 23 | "17" = "Pipe-Event-Pipe-Created" 24 | "18" = "Pipe-Event-Pipe-Connected" 25 | "19" = "Wmi-Event-WmiEventFilter-Activity-Detected" 26 | "20" = "Wmi-Event-WmiEventConsumer-Activity-Detected" 27 | "21" = "Wmi-Event-WmiEventConsumerToFilter-Activity-Detected" 28 | "22" = "DNS-Event" 29 | "23" = "File-Delete-Archived" 30 | "24" = "Clipboard-Change" 31 | "25" = "Process-Tampering" 32 | "26" = "File-Delete-Logged" 33 | "255" = "Error" 
34 | } 35 | $Events.GetEnumerator() | 36 | ForEach-Object { 37 | $CustomViewFilePath = "$SysmonFolder\Sysmon-EventId-" + $_.Name + ".xml" 38 | if (-not (Test-Path -Path $CustomViewFilePath)) { 39 | $CustomViewConfig = 'Microsoft-Windows-Sysmon/Operational' + $_.Key + '0False' + $_.Value + '21770267177177181501108017070709070807010085140140' 40 | Add-Content -Path $CustomViewFilePath -Value $CustomViewConfig 41 | } 42 | } 43 | } -------------------------------------------------------------------------------- /Work-in-Progress/Send-Alert.ps1: -------------------------------------------------------------------------------- 1 | function Send-Alert { 2 | <# 3 | .SYNOPSIS 4 | Sends an alert. 5 | 6 | .DESCRIPTION 7 | When called, this function will either write to the Windows Event log, send an email, or generate a Windows balloon tip notification. 8 | 9 | .LINK 10 | https://mcpmag.com/articles/2017/09/07/creating-a-balloon-tip-notification-using-powershell.aspx 11 | #> 12 | [CmdletBinding(DefaultParameterSetName = 'Log')] 13 | Param( 14 | [Parameter(Mandatory, Position = 0)][ValidateSet("Balloon","Log","Email")][string]$AlertMethod, 15 | [Parameter(Mandatory, Position = 1)]$Subject, 16 | [Parameter(Mandatory, Position = 2)]$Body, 17 | [Parameter(ParameterSetName = "Log")][string]$LogName, 18 | [Parameter(ParameterSetName = "Log")][string]$LogSource, 19 | [Parameter(ParameterSetName = "Log")][ValidateSet("Information","Warning")]$LogEntryType = "Warning", 20 | [Parameter(ParameterSetName = "Log")][int]$LogEventId = 1, 21 | [Parameter(ParameterSetName = "Email")][string]$EmailServer, 22 | [Parameter(ParameterSetName = "Email")][string]$EmailServerPort, 23 | [Parameter(ParameterSetName = "Email")][string]$EmailAddressSource, 24 | [Parameter(ParameterSetName = "Email")][string]$EmailPassword, 25 | [Parameter(ParameterSetName = "Email")][string]$EmailAddressDestination 26 | ) 27 | if ($AlertMethod -eq "Balloon") { 28 | Add-Type -AssemblyName System.Windows.Forms 29 | 
Unregister-Event -SourceIdentifier IconClicked -ErrorAction Ignore 30 | Remove-Job -Name IconClicked -ErrorAction Ignore 31 | Remove-Variable -Name Balloon -ErrorAction Ignore 32 | $Balloon = New-Object System.Windows.Forms.NotifyIcon 33 | [void](Register-ObjectEvent ` 34 | -InputObject $Balloon ` 35 | -EventName MouseDoubleClick ` 36 | -SourceIdentifier IconClicked ` 37 | -Action { $Balloon.Dispose() } 38 | ) 39 | $IconPath = (Get-Process -Id $pid).Path 40 | $Balloon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($IconPath) 41 | $Balloon.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning 42 | $Balloon.BalloonTipTitle = $Subject 43 | $Balloon.BalloonTipText = $Body 44 | $Balloon.Visible = $true 45 | $Balloon.ShowBalloonTip(10000) 46 | } elseif ($AlertMethod -eq "Log") { 47 | $LogExists = Get-EventLog -LogName $LogName -Source $LogSource -ErrorAction Ignore -Newest 1 48 | if (-not $LogExists) { 49 | New-EventLog -LogName $LogName -Source $LogSource -ErrorAction Ignore 50 | } 51 | Write-EventLog ` 52 | -LogName $LogName ` 53 | -Source $LogSource ` 54 | -EntryType $LogEntryType ` 55 | -EventId $LogEventId ` 56 | -Message $Body 57 | } elseif ($AlertMethod -eq "Email") { 58 | $EmailClient = New-Object Net.Mail.SmtpClient($EmailServer, $EmailServerPort) 59 | $EmailClient.EnableSsl = $true 60 | $EmailClient.Credentials = New-Object System.Net.NetworkCredential($EmailAddressSource, $EmailPassword) 61 | $EmailClient.Send($EmailAddressSource, $EmailAddressDestination, $Subject, $Body) 62 | } 63 | } -------------------------------------------------------------------------------- /Work-in-Progress/Set-FirewallPolicy.ps1: -------------------------------------------------------------------------------- 1 | function Set-FirewallPolicy { 2 | Param( 3 | [string[]]$AuthorizedProtocol = "ICMP", 4 | [int[]]$AuthorizedPorts = @(53,80,443,5985), 5 | [int[]]$RemoteManagementPorts = @(5985), 6 | [ipaddress]$ManagementIpAddress 7 | ) 8 | 9 | Write-Output "Configuring DoD 
Windows 10 STIG Requirement V-220725 (Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts)." 10 | 11 | # enable Windows Remote Management 12 | Enable-PSRemoting -Force 13 | if ($ManagementIpAddress) { 14 | Set-Item -Path WSMan:\localhost\Service\ -Name IPv4Filter -Value $ManagementIpAddress 15 | } 16 | 17 | # disable all rules allowing inbound connections (except for Windows Remote Management) 18 | Get-NetFirewallRule -Direction Inbound -Action Allow | 19 | ForEach-Object { 20 | $NotAuthorizedPort = $RemoteManagementPorts -notcontains $($_ | Get-NetFirewallPortFilter).RemotePort 21 | if ($NotAuthorizedPort) { 22 | $_ | Set-NetFirewallRule -Enabled False 23 | } 24 | } 25 | 26 | # disable all rules allowing outbound connections except for those authorized 27 | Get-NetFirewallRule -Direction Outbound -Action Allow | 28 | ForEach-Object { 29 | $NotAuthorizedProtocol = $AuthorizedProtocols -notcontains $($_ | Get-NetFirewallPortFilter).Protocol 30 | $NotAuthorizedPort = $AuthorizedPorts -notcontains $($_ | Get-NetFirewallPortFilter).RemotePort 31 | if ($NotAuthorizedProtocol -or $NotAuthorizedPort) { 32 | $_ | Set-NetFirewallRule -Enabled False 33 | } 34 | } 35 | } -------------------------------------------------------------------------------- /Work-in-Progress/Start-AdBackup.ps1: -------------------------------------------------------------------------------- 1 | function Start-AdBackup { 2 | Param( 3 | [Parameter(Mandatory)][string]$ComputerName, 4 | [string]$Share = "Backups", 5 | [string]$Prefix = "AdBackup" 6 | ) 7 | $BackupFeature = (Install-WindowsFeature -Name Windows-Server-Backup).InstallState 8 | $BackupServerIsOnline = Test-Connection -ComputerName $ComputerName -Count 2 -Quiet 9 | if ($BackupFeature -eq "Installed") { 10 | if ($BackupServerIsOnline) { 11 | $Date = Get-Date -Format "yyyy-MM-dd" 12 | $Target = "\\$ComputerName\$Share\$Prefix-$Date" 13 | $LogDirectory = "C:\BackupLogs" 14 | 
$LogFile = "$LogDirectory\$Prefix-$Date" 15 | if (Test-Path $Target) { Remove-Item -Path $Target -Recurse -Force } 16 | New-Item -ItemType Directory -Path $Target -Force | Out-Null 17 | if (Test-Path $LogDirectory) { New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null } 18 | $Expression = "wbadmin START BACKUP -systemState -vssFull -backupTarget:$Target -noVerify -quiet" 19 | Invoke-Expression $Expression | Out-File -FilePath $LogFile 20 | } else { 21 | Write-Output "[x] The computer specified is not online." 22 | } 23 | } else { 24 | Write-Output "[x] The Windows-Server-Backup feature is not installed. Use the command below to install it." 25 | Write-Output " Install-WindowsFeature -Name Windows-Server-Backup" 26 | } 27 | } -------------------------------------------------------------------------------- /Work-in-Progress/Start-Panic.ps1: -------------------------------------------------------------------------------- 1 | function Start-Panic { 2 | $DomainController = (Get-AdDomainController).Name 3 | $ComputerName = (Get-AdComputer -Filter *).Name | Where-Object { $_ -ne $env:COMPUTERNAME -and $_ -ne $DomainController } 4 | Invoke-Command -ComputerName $ComputerName -ScriptBlock { 5 | shutdown.exe /s /t 0 6 | } 7 | } -------------------------------------------------------------------------------- /Work-in-Progress/Work-in-Progress.psm1: -------------------------------------------------------------------------------- 1 | . $PSScriptRoot\Get-DscResourcesRequired.ps1 2 | . $PSScriptRoot\Get-EnterpriseVisbility.ps1 3 | . $PSScriptRoot\Get-EventForwarder.ps1 4 | . $PSScriptRoot\Get-EventViewer.ps1 5 | . $PSScriptRoot\Get-Stig.ps1 6 | . $PSScriptRoot\Get-WirelessNetAdapter.ps1 7 | . $PSScriptRoot\Import-AdUsersFromCsv.ps1 8 | . $PSScriptRoot\Install-Sysmon.ps1 9 | . $PSScriptRoot\Invoke-SecurityBaseline.ps1 10 | . $PSScriptRoot\New-CustomViewsForSysmon.ps1 11 | . $PSScriptRoot\New-Alert.ps1 12 | . $PSScriptRoot\Send-Alert.ps1 13 | . 
$PSScriptRoot\Set-FirewallPolicy.ps1 14 | . $PSScriptRoot\Start-AdBackup.ps1 15 | . $PSScriptRoot\Start-Panic.ps1 --------------------------------------------------------------------------------