├── _config.yml ├── README.md ├── Powershell_GreyNoise_Parser.ps1 ├── find-steams.ps1 ├── Package_Repo_Cloner.ps1 ├── thin-netapp-storage.ps1 ├── vcenter-sessions.ps1 ├── get-vmwareevent.ps1 ├── TCP_Port_Pinger.ps1 ├── vmware-overprovisioning-report.ps1 ├── .github └── workflows │ └── codacy-analysis.yml ├── webroot-installer.ps1 ├── Snapshot_Restore_v2.ps1 ├── captureWindows-Endpoint.ps1 ├── Snapshot_Collect_V2.ps1 ├── IP-API-Batch-Collector.ps1 ├── captureLinux-Endpoint.ps1 ├── Share_Source_Collection.ps1 ├── 3par_thin_conversion.ps1 ├── MISP-Powershell-Parser.ps1 ├── Get-SnortRules.ps1 ├── Invoke-ItsAlwaysDNS.ps1 ├── emcopy_share_migration.ps1 ├── GetOTX-Data.ps1 └── vmware-netapp-HP-environment-monitoring.ps1 /_config.yml: -------------------------------------------------------------------------------- 1 | theme: jekyll-theme-hacker -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Wylie's Powershell Repository 2 | 3 | This is a collection of useful scripts I've written over time. At some point the concepts in these scripts have been valuable to me, and anything worth saving is basically filed away here. Anything that keeps evolving, I try to keep updated here as well. 4 | 5 | ### Support or Contact 6 | 7 | Twitter - @wyliebsd 8 | 9 | 10 | . 
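--------------------------------------------------------------------------------
/Powershell_GreyNoise_Parser.ps1:
--------------------------------------------------------------------------------
#
# Greynoise Powershell Parser
# Written by Wylie Bayes
# 09/05/2019
#
# Lists every IP that GreyNoise associates with a known actor and whose
# classification is anything other than "benign".
#
# The API key is read from the GREYNOISE_API_KEY environment variable (or
# prompted for) so that a real key never has to be written into this file.
#
$apikey = $env:GREYNOISE_API_KEY
if ([string]::IsNullOrWhiteSpace($apikey)) {
    $apikey = Read-Host "Enter GreyNoise API key"
}
$headers = @{ "key" = $apikey }
# -ErrorAction Stop: without it a failed request only writes a non-terminating
# error and the script would carry on with $actors empty.
$actors = Invoke-RestMethod -Uri "https://api.greynoise.io/v2/research/actors" -Headers $headers -ErrorAction Stop
#
foreach ($ip in $actors.ips) {
    # Reset per iteration so a failed lookup can never reuse the previous IP's
    # result (the original left $actor holding the last successful response).
    $actor = $null
    try {
        $actor = Invoke-RestMethod -Uri "https://api.greynoise.io/v2/noise/context/$ip" -Headers $headers -ErrorAction Stop
    } catch {
        Write-Warning "Lookup failed for $($ip): $($_.Exception.Message)"
        continue
    }
    if ($actor.classification -ne "benign") {
        Write-Host "$($actor.actor) with an IP of: $($actor.ip) has a classification of: $($actor.classification)"
    }
}
--------------------------------------------------------------------------------
/find-steams.ps1:
--------------------------------------------------------------------------------
#
# Usage: Find-Streams "C:\"
#        Find-Streams "C:\" -ShowContent
#
# Walks $location recursively and reports every NTFS alternate data stream
# other than the primary ':$DATA' stream and the browser "Zone.Identifier"
# mark-of-the-web. Emits one object per stream (FullName, Stream, Length) so
# the results can be piped to Export-Csv; -ShowContent additionally prints the
# stream contents to the console, which is what the first version always did.
# Requires Windows/NTFS (the -Stream parameter is not available elsewhere).
#
function Find-Streams($location, [switch]$ShowContent) {
    # -Force includes hidden/system items, which is where unwanted streams tend
    # to be placed.
    $files = Get-ChildItem -Recurse -Force -Path $location -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $streams = Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        # The original test "$streams -ne $false" is true even for $null; a
        # plain truthiness check is what was intended.
        if (-not $streams) { continue }
        foreach ($stream in $streams) {
            [pscustomobject]@{
                FullName = $file.FullName
                Stream   = $stream.Stream
                Length   = $stream.Length
            }
            if ($ShowContent) {
                Write-Host "$($file.FullName) contains non-standard streams"
                Get-Content -Path $file.FullName -Stream $stream.Stream
                ""
            }
        }
    }
}
--------------------------------------------------------------------------------
/Package_Repo_Cloner.ps1:
--------------------------------------------------------------------------------
# Quick and dirty script to clone a package repo. Only tested against OpenBSD.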
2 | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 3 | $share = "\\172.16.10.99\wmfbshare\obsd_repo\" 4 | $url = "https://ftp3.usa.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/" 5 | cd $share 6 | $packages = Invoke-WebRequest -Uri -UseBasicParsing $url 7 | $dlfolder = "\\172.16.10.99\wmfbshare\obsd_repo\" 8 | foreach ($package in $packages.links.href){ 9 | if ((get-item $package -ErrorAction SilentlyContinue)){ 10 | write-host "$package already downloaded" 11 | } else { 12 | write-host "Downlading $package" 13 | wget "$url/$package" -outfile "$dlfolder\$package" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /thin-netapp-storage.ps1: -------------------------------------------------------------------------------- 1 | function getthin-storage { 2 | $controllers = "controller1", "controller2", "controller3", "controller4" 3 | $nacred = Import-clixml C:\users\forgotten\Documents\NACred.xml 4 | foreach ($controller in $controllers){ 5 | connect-nacontroller -name $controller -credential $nacred | out-null 6 | $vols = get-navol 7 | $luns = get-nalun 8 | write-host "$($controller)" -foregroundcolor "Green" -backgroundcolor "black" 9 | write-host "Volumes:" -foregroundcolor "Magenta" -backgroundcolor "black" 10 | foreach ($vol in $vols){ 11 | $options = get-navoloption -Name $vol.Name 12 | if ($options.value -eq "none"){ 13 | Write-host "!!! $($vol.name) Is Thin Provisioned!!!" 14 | } 15 | } 16 | write-host "LUNS:" -foregroundcolor "Magenta" -backgroundcolor "black" 17 | foreach ($lun in $luns){ 18 | if ($lun.Thin -eq $true){ 19 | write-host "!!! $($Lun.Path) Is Thin Provisioned !!!" 
20 | } 21 | } 22 | ; "" 23 | ; "" 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /vcenter-sessions.ps1: -------------------------------------------------------------------------------- 1 | 2 | function vcenter-sessions { 3 | try { 4 | connect-viserver 52tdkp-vm-010vvvv -ErrorAction Stop 5 | } catch { 6 | Write-host "Unable to connect to specified vCenter - Not continuing." 7 | Break 8 | } 9 | $Now = Get-Date 10 | $Report = @() 11 | $svcRef = new-object VMware.Vim.ManagedObjectReference 12 | $svcRef.Type = "ServiceInstance" 13 | $svcRef.Value = "ServiceInstance" 14 | $serviceInstance = get-view $svcRef 15 | $sessMgr = get-view $serviceInstance.Content.sessionManager 16 | foreach ($sess in $sessMgr.SessionList){ 17 | $time = $Now - $sess.LastActiveTime 18 | # Our time calculation returns a TimeSpan object instead of DateTime, therefore formatting needs to be done as follows: 19 | $SessionIdleTime = '{0:00}:{1:00}:{2:00}' -f $time.Hours, $time.Minutes, $time.Seconds 20 | $row = New-Object -Type PSObject -Property @{ 21 | Name = $sess.UserName 22 | LoginTime = $sess.LoginTime 23 | IdleTime = $SessionIdleTime 24 | } 25 | ## end New-Object 26 | $Report += $row 27 | } 28 | $Report 29 | } 30 | -------------------------------------------------------------------------------- /get-vmwareevent.ps1: -------------------------------------------------------------------------------- 1 | 2 | function getvmware-event { 3 | Add-PSSnapin Vmware.VIMAutomation.Core | Out-Null 4 | set-PowerCLIConfiguration -invalidCertificateAction "ignore" -confirm:$false 5 | connect-viserver $(read-host "Enter VIServer Name.") 6 | $vm = $(read-host "Enter Virtual Machine Name") 7 | $vmObj = Get-VM -Name $vm 8 | $daysbackinput = $(read-host "Enter Number of Days you want to go back") 9 | $daysBack = $daysbackinput 10 | $dateCurrent = Get-Date 11 | $si = get-view ServiceInstance 12 | $em = get-view $si.Content.EventManager 13 | $EventFilterSpec = 
New-Object VMware.Vim.EventFilterSpec 14 | $EventFilterSpec.Type = "VmReconfiguredEvent" 15 | $EventFilterSpec.Entity = New-Object VMware.Vim.EventFilterSpecByEntity 16 | $EventFilterSpec.Entity.Entity = ($vmObj | get-view).MoRef 17 | $EventFilterSpec.Time = New-Object VMware.Vim.EventFilterSpecByTime 18 | $EventFilterSpec.Time.BeginTime = $dateCurrent.adddays(-$daysBack) 19 | $EventFilterSpec.Time.EndTime = $dateCurrent 20 | $evts = $em.QueryEvents($EventFilterSpec) 21 | $deviceChangeEvts = $evts | ?{$_.ConfigSpec.DeviceChange} 22 | $deviceChangeEvts.Length 23 | $deviceChangeEvts | %{$_.ConfigSpec.DeviceChange} | select Operation,FileOperation,Device | ft -AutoSize 24 | } 25 | -------------------------------------------------------------------------------- /TCP_Port_Pinger.ps1: -------------------------------------------------------------------------------- 1 | ## Test-port, and Test-port-Ping functions for testing TCP connections/Responses (Success or Fail) 2 | function test-port { 3 | Param([string]$srv,$port,$timeout=2000,[switch]$verbose) 4 | $ErrorActionPreference = "SilentlyContinue" 5 | $tcpclient = new-Object system.Net.Sockets.TcpClient 6 | $iar = $tcpclient.BeginConnect($srv,$port,$null,$null) 7 | $wait = $iar.AsyncWaitHandle.WaitOne($timeout,$false) 8 | if(!$wait){ 9 | $tcpclient.Close() 10 | if($verbose){Write-Host "Connection Timeout"} 11 | Return $false 12 | } else { 13 | $error.Clear() 14 | $tcpclient.EndConnect($iar) | out-Null 15 | if(!$?){if($verbose){write-host $error[0]};$failed = $true} 16 | $tcpclient.Close() 17 | } 18 | if($failed){ 19 | return $false 20 | }else{ 21 | return $true 22 | } 23 | } 24 | 25 | function test-port-ping($ip, $port) { 26 | ## Usage: test-port-ping ip.ip.ip.ip 443 27 | $count = read-host "Enter Ping Count You wish to test:" 28 | $negative = $null 29 | do { 30 | $test = test-port $ip $port 31 | $count = $count - 1 32 | if ($test -eq $false){ 33 | $negative += 1 34 | } 35 | write-host "TCP response came back: $test" 36 | 
} 37 | while ($count -gt 0) 38 | if ($negative -gt 0){ 39 | write-host "A total of $negative reponses came back False" 40 | } else { 41 | write-host "All responses came back successful!" 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /vmware-overprovisioning-report.ps1: -------------------------------------------------------------------------------- 1 | 2 | ### This updated version will total all VM disks on a datastore where the disk file name matches the datastore name. I had to 3 | ### update this from the previous version because datastore clustering and DRS would spread out VM disks between datastores which 4 | ### ended up skewing my report data. :). 5 | 6 | function vmware-provisioning { 7 | $cred = get-credential 8 | $viservers = "vcenter1", "vcenter2" 9 | $date = (Get-Date).tostring("yyyyMMdd") 10 | Add-PSSnapin Vmware.VIMAutomation.Core | Out-Null 11 | set-PowerCLIConfiguration -invalidCertificateAction "ignore" -confirm:$false | out-null 12 | foreach ($server in $viservers) { 13 | $datastores = $null 14 | $vms = $null 15 | $size = $null 16 | $output = $null 17 | $vm = $null 18 | $store = $null 19 | connect-viserver $server -credential $cred | out-null 20 | $datastores = get-datastore 21 | foreach ($store in $datastores) { 22 | $size = $null 23 | $output = $null 24 | $vms = $null 25 | $vms = get-vm -Datastore $store 26 | foreach ($vm in $vms){ 27 | $vmsize = $null 28 | $vmsize = $vm | get-harddisk | where {$_.Persistence -eq "Persistent"} | Measure-Object CapacityGB -Sum | Select -expand Sum 29 | $size += $vmsize 30 | } 31 | $output = New-Object PSobject -Property @{ 32 | "Name" = $store.name 33 | "Provisioned" = $size 34 | "Total Size" = $store.CapacityGB 35 | "Difference in GB" = $store.CapacityGB - $size 36 | } | Select Name, Provisioned, 'Total Size', 'Difference in GB' | export-csv C:\VMware_Provisioning.csv -Append 37 | } 38 | disconnect-viserver $server -confirm:$false -force | out-null 39 | 
start-sleep -Seconds 3 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /.github/workflows/codacy-analysis.yml: -------------------------------------------------------------------------------- 1 | # This workflow checks out code, performs a Codacy security scan 2 | # and integrates the results with the 3 | # GitHub Advanced Security code scanning feature. For more information on 4 | # the Codacy security scan action usage and parameters, see 5 | # https://github.com/codacy/codacy-analysis-cli-action. 6 | # For more information on Codacy Analysis CLI in general, see 7 | # https://github.com/codacy/codacy-analysis-cli. 8 | 9 | name: Codacy Security Scan 10 | 11 | on: 12 | push: 13 | branches: [ "master", "main" ] 14 | pull_request: 15 | branches: [ "master", "main" ] 16 | 17 | jobs: 18 | codacy-security-scan: 19 | name: Codacy Security Scan 20 | runs-on: ubuntu-latest 21 | steps: 22 | # Checkout the repository to the GitHub Actions runner 23 | - name: Checkout code 24 | uses: actions/checkout@v2 25 | 26 | # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis 27 | - name: Run Codacy Analysis CLI 28 | uses: codacy/codacy-analysis-cli-action@1.0.0 29 | with: 30 | # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository 31 | # You can also omit the token and run the tools that support default configurations 32 | project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} 33 | verbose: true 34 | output: results.sarif 35 | format: sarif 36 | # Force 0 exit code to allow SARIF file generation 37 | # This will handover control about PR rejection to the GitHub side 38 | max-allowed-issues: 2147483647 39 | 40 | # Upload the SARIF file generated in the previous step 41 | - name: Upload SARIF results file 42 | uses: github/codeql-action/upload-sarif@v1 43 | with: 44 | sarif_file: results.sarif 45 | 
-------------------------------------------------------------------------------- /webroot-installer.ps1: -------------------------------------------------------------------------------- 1 | # This script will need to be run with administrator credentials in order for the start-process cmdlet to initiate the installer with proper privledges 2 | # Check for existing paths. Create if not existant. Kill script if write access to C: isn't available. 3 | function install-webroot { 4 | try { 5 | $test = gci "C:\vxit\webroot" -ErrorAction SilentlyContinue 6 | if ($test -eq $true){ 7 | write-host "Exe path exists continuing" 8 | } else { 9 | write-host "Exe path does not exist, creating" 10 | New-item -ItemType Directory -Path "C:\path1" -ErrorAction SilentlyContinue | out-null 11 | New-item -ItemType Directory -Path "C:\path1\webroot" -ErrorAction SilentlyContinue | out-null 12 | } 13 | } catch { 14 | write-host "Operation unsuccessfull, check write access permissions to C:\" 15 | Break 16 | } 17 | # 18 | # Set TLS 1.2. Without this setting invoke-webrequest frequently returns an error saying the "The underlying connection was closed: An unexpected error occurred on a send" 19 | # 20 | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 21 | # 22 | # Initiate file download, overwrite if existing 23 | # 24 | Invoke-WebRequest -Uri "Your Full Download Url" -UseBasicParsing -OutFile "C:\vxit\webroot\wsasme.exe" 25 | Sleep 1 26 | # 27 | # Start installation process 28 | # 29 | Start-Process -FilePath "C:\vxit\webroot\wsasme.exe" -ArgumentList "/key=Your_product_key /group=-#yourgroup# /silent" 30 | # 31 | # Monitor the process for completion 32 | # 33 | do { 34 | write-progress -Activity "Installing Webroot AV..." 35 | $install = get-process | where {$_.Name -eq "wsasme"} 36 | Sleep 5 37 | } while ($install -ne $null) 38 | # 39 | # Finally write or do something indicating the install is complete 40 | # 41 | write-host "Installation Complete." 
42 | } 43 | install-webroot 44 | -------------------------------------------------------------------------------- /Snapshot_Restore_v2.ps1: -------------------------------------------------------------------------------- 1 | ###### Restore script. 2 | # 3 | # User inputs controllers IP or hostname. 4 | $controllers = @() 5 | do { 6 | $input = (Read-Host "Please enter controller IPs, one at a time, on a new line. Leave blank when finished and press enter.") 7 | if ($input -ne '') {$controllers += $input} 8 | } 9 | until ($input -eq '') 10 | # 11 | # Prompt for credentials to connect to Netapp Filers. 12 | write-host "Please enter credentials to connect to Netapp Controllers" 13 | $cred = get-credential 14 | # User enters the desired snapshot date they wish to restore to. 15 | $dateinput = $(read-host "Please Enter the Snapshot date, IE: 7/2/2017") 16 | $snapdate = get-date $dateinput 17 | # User enters the directory containing the controller Exports from the collection script. 18 | $folder = $(read-host "Please specify location for CSV input IE: C:\reports\") 19 | # 20 | # Begin the restore process starting with the first controller, and looping through all controllers. 21 | foreach ($controller in $controllers) { 22 | $pull = Import-CSV "$folder$controller.csv" | Select Path 23 | write-progress "Restoring all snapshots from $snapdate" 24 | try { 25 | connect-nacontroller -name $controller -credential $cred | out-null 26 | write-host "!! Connected to $controller !!" -foregroundcolor "Green" 27 | } catch { 28 | write-host "!! Unable to connect to $controller !!" -foregroundcolor "Red" 29 | Continue 30 | } 31 | ### Each individual file is restored using the Path property from the CSV that was imported. 
32 | foreach ($item in $pull){ 33 | if ($item.Path){ 34 | $vol = $item.Path.Split("/")[2] 35 | $snap = get-navol | where {$_.Name -eq $vol} | Get-NaSnapshot | where {$_.Created.Date -eq $snapdate} 36 | if ($snap){ 37 | write-host $Item.Path "has a snapshot on $snapdate , restoring!!" 38 | Restore-NaSnapshotFile -Path $item.Path -SnapName $snap.Name -confirm:$false -ErrorAction SilentlyContinue 39 | write-host $item.Path.Split("/")[4] " has been Restored to $snapdate !!!" -Foregroundcolor "Green" 40 | } 41 | } 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /captureWindows-Endpoint.ps1: -------------------------------------------------------------------------------- 1 | # This function requires WinRM on remote machine to function properly and must be Windows 7sp1 or higher. 2 | # 3 | function captureWindows-endpoint { 4 | $endpoint = $(read-host "Enter endpoint short name or FQDN") 5 | $duration = $(read-host "Enter desired capture duration in seconds") 6 | $date = get-date 7 | $file = "$($endpoint)_$($date.Month)_$($date.Day)_$($date.year)_$($date.Hour)_$($date.Minute).etl" 8 | # Remove any stale sessions remote and local 9 | invoke-command -computername $endpoint -scriptblock {Remove-NeteventSession} 10 | Remove-NetEventSession 11 | # Start new capture 12 | try { 13 | New-NetEventSession -CaptureMode SaveToFile -LocalFilePath "C:\$file" -CimSession $endpoint -Name $endpoint -erroraction Stop 14 | } catch { 15 | write-host "Unable to start Event Session via CimSession on $($endpoint), not continuing." 
-foregroundcolor "Red" -BackgroundColor "Black" 16 | Break 17 | } 18 | Add-NetEventPacketCaptureProvider -SessionName $endpoint -Level 4 -CaptureType Physical -CimSession $endpoint 19 | Start-NetEventSession -Name $endpoint -CimSession $endpoint 20 | Sleep $duration 21 | Stop-NetEventSession -Name $endpoint -CimSession $endpoint 22 | try { 23 | New-Item -type Directory "C:\captures\" -ErrorAction SilentlyContinue 24 | $captures = "C:\captures\" 25 | } catch { 26 | write-host "Captures directory already exists, continuing." -backgroundcolor "black" -foregroundcolor "green" 27 | $captures = "C:\captures\" 28 | } 29 | write-host "Copying endpoint capture file to local workstation!" -backgroundcolor "black" -foregroundcolor "green" 30 | Copy-item "\\$endpoint\c$\$file" $captures 31 | Remove-Item "\\$endpoint\c$\$file" 32 | # Remove local and remote sessions. 33 | invoke-command -computername $endpoint -scriptblock {Remove-NeteventSession} 34 | Remove-NetEventSession 35 | write-host "Opening capture directory" -backgroundcolor "black" -foregroundcolor "green" 36 | ii $captures 37 | } 38 | -------------------------------------------------------------------------------- /Snapshot_Collect_V2.ps1: -------------------------------------------------------------------------------- 1 | ## Collection script. 2 | # 3 | # User input controller information IP addresses or hostnames. 4 | $controllers = @() 5 | do { 6 | $input = (Read-Host "Please enter controller IPs, one at a time, on a new line. Leave blank when finished and press enter.") 7 | if ($input -ne '') {$controllers += $input} 8 | } 9 | until ($input -eq '') 10 | # 11 | # Folder for CSV export 12 | $folder = $(read-host "Please Specify Path for CSV exports, E: C:\reports\") 13 | # Prompt for credentials to connecto to netapp controllers. 
14 | write-host "Please enter credentials to connect to Netapp Controllers" 15 | $cred = get-credential 16 | # 17 | $vms = $null 18 | $vms = @() 19 | # Begin collection, starting with first controller, and then looping through all controllers. 20 | foreach ($controller in $controllers) { 21 | write-progress "Collecting all folder structure data except Vol0" 22 | try { 23 | connect-nacontroller -Name $controller -Credential $cred -Https | out-null 24 | write-host "!! Connected to $controller !!" -ForeGroundColor "Green" 25 | } catch { 26 | Write-host "Unable to connect to $($controller)" -Foregroundcolor "Red" 27 | Continue 28 | } 29 | $vols = get-navol | where {$_.Name -notlike "vol0"} 30 | ######## Building volume information and adding new objects to $vms 31 | foreach ($vol in $vols) { 32 | $vms += New-Object PSOBject -Property @{ 33 | "Volume" = $vol.Name 34 | } 35 | $vmdirs = Read-NaDirectory -Path "/vol/$vol" | where {$_.Name -notlike "." -and $_.Name -notlike ".." -and $_.Type -eq "directory"} 36 | #### Building VM directory information where only directories on the root of each volume will be added, then adding new VMName objects to $vms 37 | foreach ($vm in $vmdirs) { 38 | $vms += New-Object PSObject -Property @{ 39 | "VMName" = $vm.Name 40 | } 41 | #### Building file information for each VM directory and adding new Path objects to $vms. 42 | $files = Read-NaDirectory -Path "/vol/$vol/$vm" | where {$_.Name -notlike "." -and $_.Name -notlike ".." -and $_.Name -notlike "*iorm.sf*" -and $_.Name -notlike "*iormstats.sf*" -and $_.Name -notlike "*.lck-686b000000000000"} 43 | foreach ($file in $files) { 44 | $location = get-NaFile -Path "/vol/$vol/$vm/$file" 45 | $vms += New-Object PSOBject -Property @{ 46 | "Path" = $location.Name 47 | } 48 | } 49 | } 50 | } 51 | #### Finally exporting all Volume, VMName, and Path objects out to CSV named with $folder which is defined at the top, and $controller that is in the loop. 
52 | } $vms | Select Volume,VMName,Path | Export-CSV $folder$controller.csv 53 | -------------------------------------------------------------------------------- /IP-API-Batch-Collector.ps1: -------------------------------------------------------------------------------- 1 | # ip-api.com Batch Collector 2 | 3 | #$api = "http://ip-api.com/batch?fields=21229119" 4 | # 5 | $logo = @" 6 | _____ _____ _____ _____ ____ _ _ 7 | |_ _| __ \ /\ | __ \_ _| | _ \ | | | | 8 | | | | |__) |_____ / \ | |__) || | | |_) | __ _| |_ ___| |__ 9 | | | | ___/______/ /\ \ | ___/ | | | _ < / _` | __/ __| '_ \ 10 | _| |_| | / ____ \| | _| |_ | |_) | (_| | || (__| | | | 11 | |_____|_| _ _ /_/ \_\_| |_____| |____/ \__,_|\__\___|_| |_| 12 | / ____| | | | | | 13 | | | ___ | | | ___ ___| |_ ___ _ __ 14 | | | / _ \| | |/ _ \/ __| __/ _ \| '__| 15 | | |___| (_) | | | __/ (__| || (_) | | 16 | \_____\___/|_|_|\___|\___|\__\___/|_| 17 | "@ 18 | # 19 | # 20 | # 21 | # 22 | # 23 | function invoke-api { 24 | write-host $logo 25 | $sw = new-object system.diagnostics.stopwatch 26 | $sw.Start() 27 | $ips = $null 28 | $ips = @() 29 | $ips = get-content "C:\Users\forgo\Desktop\Jon API Whois Collector\sample_ips.csv" 30 | $api = "http://ip-api.com/batch?fields=21229119" 31 | $bulkdata = $null 32 | $bulkdata = @() 33 | # 34 | for ($i = 0; $i -lt $ips.length; $i+=99) { 35 | $batch = $ips[$i..($i + 99)] 36 | $Body = $null 37 | $ip_list = $batch 38 | $temp = $null 39 | $temp += '"' 40 | $temp += $ip_list -join '", "' 41 | $temp += '"' 42 | $body = "[$temp]" 43 | $Results = $null 44 | $Results = invoke-restmethod -Method 'Post' -uri $api -Body $body 45 | foreach ($result in $results){ 46 | $bulkdata += New-Object PSObject -Property @{ 47 | "IPAddress"=$Result.query 48 | "ISP"=$Result.isp 49 | "Organization"=$Result.org 50 | "AutonomousSystem"=$Result.as 51 | "City"=$Result.city 52 | "Country"=$Result.country 53 | "CountryCode"=$Result.countryCode 54 | "Region"=$Result.region 55 | "RegionName"=$Result.regionName 56 
| "Status"=$Result.status 57 | "ZipCode"=$Result.zip 58 | "Mobile"=$Result.mobile 59 | "Proxy"=$Result.proxy 60 | "Hosting"=$Result.hosting 61 | } | Select IPAddress,ISP,Organization,AutonomousSystem,City,CountryCode,Region,RegionName,Status,ZipCode,Mobile,Proxy,Hosting 62 | } 63 | sleep 4 64 | } 65 | $date = get-date 66 | $bulkdata | Export-CSV -NoTypeInformation -path ".\Bulk_Results_$($date.month)_$($date.day)_$($date.year).csv" 67 | $sw.stop() 68 | write-host "You processed $($ips.count) IP Addresses in:" -foregroundcolor "green" -backgroundcolor "black" 69 | write-host ;"" 70 | $sw.Elapsed 71 | write-host ;"" 72 | write-host ;"" 73 | write-host "Results have been successfully exported!" -ForegroundColor Green 74 | } 75 | -------------------------------------------------------------------------------- /captureLinux-Endpoint.ps1: -------------------------------------------------------------------------------- 1 | # 2 | # This script uses Posh-SSH module and requires tcpdump be installed on the endpoint to function correctly. 3 | # Subsitute "dzdo" commands with sudo if you do not use Centrify in your organization 4 | # 5 | function captureLinux-endpoint { 6 | $date = get-date 7 | $stamp = "$($date.Month)_$($date.day)_$($date.year)_$($date.hour)_$($date.minute)" 8 | $whoami = whoami 9 | $account = $whoami.Split("\")[1] 10 | $endpoint = $(read-host "Enter Linux endpoint short name or FQDN") 11 | $duration = $(read-host "Enter desired capture duration in seconds") 12 | #Open SSH Session to endpoint. 13 | try { 14 | $session = New-SSHSession -computername $endpoint -Credential $zzmcred -AcceptKey -ErrorAction Stop 15 | $stream = New-SSHShellStream -SessionId $session.SessionId -ErrorAction Stop 16 | } catch { 17 | write-host "Unable to connect session to $($endpoint). Not continuing." 
-foregroundcolor "Red" -BackgroundColor "Black" 18 | Break 19 | } 20 | # Checking for Tcpdump on endpoint 21 | $tcpdump = invoke-sshcommand -sessionid $session.SessionID -command "whereis tcpdump" 22 | if ($tcpdump.output -notlike "*/usr/sbin*"){ 23 | write-host "Tcpdump not installed on $($endpoint), not continuing." -foregroundcolor "Red" -BackgroundColor "Black" 24 | Remove-SSHSession -SessionID $session.SessionId | out-null 25 | Break 26 | } 27 | #Perform capture via tcpdump on endpoint 28 | write-host "Initating packet capture via SSH commands to file on local endpoint: $($endpoint)." -foregroundcolor "Cyan" 29 | $device = Invoke-SSHCommand -SessionId $session.SessionID -command "dzdo /sbin/ifconfig -a | sed 's/[ \t].*//;/^\(lo\|\)$/d'" 30 | $command = Invoke-SSHCommandStream -SessionId $session.SessionID -Command "dzdo /usr/bin/timeout -s 15 $($duration) /usr/sbin/tcpdump -i $($device.output[0]) -n -tttt -S -s 65535 -w /home/$($account)/$($endpoint)_$($stamp).pcap" 31 | invoke-sshcommand -sessionid $session.SessionID -command "dzdo chown -R $($account):$($account) /home/$($account)" 32 | Remove-sshsession -sessionid $session.sessionid | out-null 33 | #Pull pcap file from endpoint back to local workstation. 34 | write-host "Capture complete, extracting pcap file to C:\Captures\" -foregroundcolor "Green" -BackgroundColor "black" 35 | $session = New-SFTPSession -Computername $endpoint -Credential $zzmcred -AcceptKey 36 | Get-SFTPFile -SFTPSession $session -RemoteFile "/home/$account/$($endpoint)_$($stamp).pcap" -LocalPath "C:\captures\" 37 | Remove-SFTPSession -sessionId $session.SessionID | out-null 38 | Get-SSHSession | Remove-SSHSession 39 | #Remove Local Pcap files on endpoint. 
40 | $session = New-SSHSession -computername $endpoint -Credential $zzmcred -AcceptKey 41 | invoke-sshcommand -sessionid $session.SessionID -command "rm *.pcap" 42 | Remove-sshsession -sessionid $session.sessionid | out-null 43 | #Open capture folder folder containing newly capture pcap. 44 | write-host "Extraction complete, opening capture folder." -foregroundcolor "Green" -BackgroundColor "Black" 45 | ii "C:\captures\" 46 | } 47 | -------------------------------------------------------------------------------- /Share_Source_Collection.ps1: -------------------------------------------------------------------------------- 1 | $menu =@" 2 | 1 - CIFS Source Collection. 3 | 2 - Split a Master CSV into Multiple CSVs. 4 | Q - Quit. 5 | "@ 6 | Write-Host "Select an option below:" -ForegroundColor Cyan 7 | $r = Read-Host $menu 8 | Switch ($r) { 9 | "1" { 10 | # 11 | # Source Collection Script. 12 | # 13 | # Interactive mode: 14 | $sources = $null 15 | $date = (Get-Date).tostring("yyyyMMdd") 16 | $sources = @() 17 | $data = @() 18 | do { 19 | $input = (Read-Host "Please enter each share location: IE:\\server\share and press enter. When finished leave blank and press enter") 20 | if ($input -ne '') {$sources += $input} 21 | } 22 | until ($input -eq '') 23 | # Interactive mode 24 | # 25 | # DEFINE ME!!! Hardcoded Sources 26 | # $sources = "\\serverexample\share", "\\serverexample2\share2", "\\serverexample3\share3" 27 | # DEFINE ME!!! Hardcoded Sources 28 | # 29 | # DEFINE ME (CSV Output File Location)!!!! 30 | $location = "C:\output\$date'_'test.csv" 31 | # DEFINE ME (CSV Output File Location)!!!! 
32 | 33 | foreach ($source in $sources) { 34 | try { 35 | Test-Path $source | out-null 36 | } catch { 37 | write-host "Unable to connect to $($source) , please check share access and path" 38 | Return 39 | } 40 | $data += New-Object PSobject -Property @{ 41 | "FullName" = $source 42 | } | Select "FullName" 43 | } 44 | $data | select "FullName" | Export-CSV -Path $location 45 | ;"" 46 | ;"" 47 | write-host "--- Executing Split Master CSV ---" 48 | } 49 | 50 | "2" { 51 | #### Master PDF Splitter v1 52 | # 53 | # 54 | # 55 | ############################################# 56 | # Split Master CSV into multiple CSVs # 57 | ############################################# 58 | # 59 | # 60 | # 61 | # 62 | # 63 | $linecount = 0 64 | $filenumber = 1 65 | $source = Read-Host "What is the full path to master CSV? IE: C:\csvs\master.csv" 66 | try { 67 | Test-path $source 68 | } catch { 69 | Write-host "Unable to locate $source, check your input path." -foregroundcolor "red" -backgroundcolor "black" 70 | Return 71 | } 72 | ;"" 73 | $destination = Read-Host "Enter Path destination path for split CSVs: IE: C:\csvs\splits\" 74 | try { 75 | Test-path $destination 76 | } catch { 77 | Write-host "Unable to locate $destination, check your input path" -foregroundcolor "red" -backgroundcolor "black" 78 | Return 79 | } 80 | # 81 | Write-Host "Please wait while the line count is calculated." -foregroundcolor "green" -backgroundcolor "black" 82 | # 83 | $content = Get-Content $source 84 | $count = $content.count 85 | Write-Host "Your current file size is $count lines long" -foregroundcolor "yellow" -backgroundcolor "black" 86 | ;"" 87 | $split = Read-Host "Enter number of files you wish to split the master into. 
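IE: 5 "
$divided = $count/$split
$rounded = [math]::ceiling($divided)
$maxsize = [int]$rounded
#
$content = get-content $source | % {
Add-Content $destination\splitlog$filenumber.csv "$_"
$linecount ++
If ($linecount -eq $maxsize) {
$filenumber++
$linecount = 0
}
}
[gc]::collect()
[gc]::WaitForPendingFinalizers()
write-host "!!! Don't forget to append header information into each split CSV prior to running migration script. !!!" -foregroundcolor "magenta"
Return
}
"Q" {
Write-Host "Quitting" -ForegroundColor Green
}
}
-------------------------------------------------------------------------------- /3par_thin_conversion.ps1: --------------------------------------------------------------------------------


<# Convert to Dedup
Requires -Version 3.0
Requires -RunAsAdministrator
Requires -Modules HPE3PARPSToolkit
Requires -Modules Posh-SSH #>
# NOTE(review): the "Requires" lines above sit inside a block comment, so they
# document intent only; "#Requires" directives at column 0 would enforce them.

## Import Modules
Import-Module HPE3PARPSToolkit
Import-Module Posh-SSH

## Global variables
$date = (Get-Date).ToString("yyyyMMdd")
$folderName = "C:\3Par\logs"

## 3Par variables
$3pars = "72.76.185.13"
# Export-Clixml output: decryptable only by the exporting user on the exporting
# machine, which is the intended protection for this credential file.
$cred = Import-Clixml "C:\3Par_cred.xml"

## Email variables
$smtpUsername = ""
$smtpPassword = ""
$smtpServer = ""
$smtpPort = "587"
$emailFrom = ""
$emailTo = ""
$emailSubject = "3Par Deduplication Conversation Status"
$emailBody = "Please see attached log files..."
$attachmentPath = "C:\3Par\logs\"

# Drop any SSH session left behind by a previous run.
Get-SSHSession | Remove-SSHSession

#######################################
# Mail the run's task logs.
# Arguments:
#   $email          - recipient address
#   $attachmentpath - one or more files to attach (a single string still works)
# Globals (read): $emailFrom, $emailSubject, $emailBody, $smtpServer, $smtpPort,
#                 $smtpUsername, $smtpPassword
# Outputs: "Mail Sent" on success; a warning per missing attachment.
#######################################
function Send-ToEmail([string]$email, [string[]]$attachmentpath) {
    $message = New-Object Net.Mail.MailMessage
    $message.From = $emailFrom
    $message.To.Add($email)
    $message.Subject = $emailSubject
    $message.Body = $emailBody
    # The earlier version built one Attachment from the (unset) path argument and
    # then added the two script-scope path *strings* to the collection; attach
    # the files that were actually passed in, skipping ones that do not exist
    # (no failed tasks in the last hour means no failure CSV).
    $attachments = @()
    foreach ($file in $attachmentpath) {
        if (Test-Path -LiteralPath $file) {
            $attachment = New-Object Net.Mail.Attachment($file)
            $attachments += $attachment
            $message.Attachments.Add($attachment)
        } else {
            Write-Warning "Attachment not found, skipping: $file"
        }
    }
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer, $smtpPort)
    # 587 is the submission port; without EnableSsl the credentials below are
    # sent to the relay in clear text.
    $smtp.EnableSsl = $true
    $smtp.Credentials = New-Object System.Net.NetworkCredential($smtpUsername, $smtpPassword)
    try {
        $smtp.Send($message)
        Write-Host "Mail Sent"
    } finally {
        # Release the file handles so the logs can be rotated afterwards.
        foreach ($a in $attachments) { $a.Dispose() }
        $message.Dispose()
    }
}

#######################################
# Ensure a folder exists, creating it unless -NoCreate is given.
# Arguments:
#   $FolderName - folder path (also accepted from the pipeline)
#   $NoCreate   - only test, never create
# Outputs: $true when the folder exists or was created, $false otherwise;
#          Write-Error for an over-long name or a failed create.
#######################################
function Validate-Folder {

    [CmdletBinding(ConfirmImpact='Low')]
    Param(
        [Parameter(Mandatory=$true,
            ValueFromPipeLine=$true,
            ValueFromPipeLineByPropertyName=$true,
            Position=0)]
        [String]$FolderName,
        [Parameter(Mandatory=$false,
            Position=1)]
        [Switch]$NoCreate = $false
    )

    if ($FolderName.Length -gt 254) {
        Write-Error "Folder name '$FolderName' is too long - ($($FolderName.Length)) characters"
        # 'break' here is not inside a loop, so it unwound into the caller's
        # foreach and ended the whole array run; return instead.
        return $false
    }
    if (Test-Path $FolderName) {
        Write-Verbose "Confirmed folder '$FolderName' exists"
        return $true
    }
    Write-Verbose "Folder '$FolderName' does not exist"
    if ($NoCreate) {
        return $false
    }
    Write-Verbose "Creating folder '$FolderName'"
    try {
        New-Item -Path $FolderName -ItemType directory -Force -ErrorAction Stop | Out-Null
        Write-Verbose "Successfully created folder '$FolderName'"
        return $true
    } catch {
        Write-Error "Failed to create folder '$FolderName'"
        return $false
    }
}

foreach ($3par in $3pars) {
    # Same naming as the Export-Csv lines below. The earlier literal
    # "$3par_3par_Task_Failure_$date" parsed "$3par_3par_Task_Failure_" as ONE
    # (undefined) variable, so the paths never matched the exported files.
    $attachment1 = "$folderName\$($3par)_3par_Task_Failure_$date.csv"
    $attachment2 = "$folderName\$($3par)_3par_Task_Success_$date.csv"
    # The toolkit takes the password in plain text; it is decrypted only here,
    # immediately before use.
    $session = New-3ParPoshSshConnection -SANIPAddress $3par -SANUserName $cred.UserName -SANPassword $cred.GetNetworkCredential().Password
    $cpgs = Get-3parCPG | Where-Object { $_.Volumes -ne "Name" -and $_.Volumes -ne "total" }
    foreach ($cpg in $cpgs) {
        $vvs = Get-3parVV | Where-Object { $_.CPG -eq "$($cpg.Volumes)" }
        foreach ($vv in $vvs) {
            $vvlist = Get-3parVVList -vvName $vv.Name
            # Swap volumes are left alone; everything else is converted to TDVV.
            if ($vvlist.Name -notlike "*pswp*" -and $vvlist.Name -notlike "*vswp*") {
                # CPG and volume names come from the array itself and are
                # interpolated into a CLI command line.
                $cmds = "tunevv usr_cpg $($cpg.Volumes) -f -tdvv $($vvlist.Name)"
                Invoke-3parCLICmd -connection $session -cmds $cmds
                # Sleep 60
            }
        }
    }
    Validate-Folder -FolderName $folderName | Out-Null
    Get-3parTask -Task_type convert_vv -option done -Hours 1 | Export-Csv $attachment2
    Get-3parTask -Task_type convert_vv -option failed -Hours 1 | Export-Csv $attachment1
    Remove-SSHSession -SessionId $session.SessionID
    # Both log files are passed explicitly (the old call passed an unset $path).
    Send-ToEmail -email $emailTo -attachmentpath @($attachment1, $attachment2)
}
##
-------------------------------------------------------------------------------- /MISP-Powershell-Parser.ps1: --------------------------------------------------------------------------------
function Get-MISPData{
# MISP (Malware Information Sharing Platform) Powershell IOC Parser.
$links = $null
$ipdsts = $null
$linkss = $null
$regkeys = $null
$filenames = $null
$sha256s = $null
$sha1s = $null
$md5s = $null
$urls = $null
#
$ipdsts = @()
$linkss = @()
$regkeys = @()
$filenames = @()
$sha256s = @()
$sha1s = @()
$md5s = @()
$urls = @()
#
clear
;""
;""
;""
;""
;""
;""
;""
$logo = @'
___ ________ ___________ ______ _ _ _
| \/ |_ _/ ___| ___ \ | ___ \ | | | | |
| . . 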
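| | | \ `--.| |_/ / | |_/ /____ _____ _ __ ___| |__ ___| | |
| |\/| | | | `--. \ __/ | __/ _ \ \ /\ / / _ \ '__/ __| '_ \ / _ \ | |
| | | |_| |_/\__/ / | | | | (_) \ V V / __/ | \__ \ | | | __/ | |
\_| |_/\___/\____/\_| \_| \___/ \_/\_/ \___|_| |___/_| |_|\___|_|_|
_____
| ___ \
| |_/ /_ _ _ __ ___ ___ _ __
| __/ _` | '__/ __|/ _ \ '__|
| | | (_| | | \__ \ __/ |
\_| \__,_|_| |___/\___|_|
'@
Write-Host $logo
# NOTE(review): user-specific path kept as found; it is created when missing so
# Export-Csv does not fail after the whole feed has been downloaded.
$exports = "C:\users\forgo\Desktop\MISP\Exports\"
if (-not (Test-Path -LiteralPath $exports)) {
    New-Item -ItemType Directory -Path $exports -Force | Out-Null
}
$date = Get-Date
# Attribute type -> export file name fragment, in the order the CSVs were
# written before. The column header of each CSV is the type name itself.
$typeMap = [ordered]@{
    "ip-dst"   = "IPs"
    "link"     = "Links"
    "regkey"   = "Regkeys"
    "filename" = "Filenames"
    "sha256"   = "sha256s"
    "sha1"     = "sha1s"
    "md5"      = "md5s"
    "url"      = "urls"
}
# One List per type instead of eight "+=" arrays (each "+=" copied the array).
$buckets = @{}
foreach ($type in $typeMap.Keys) {
    $buckets[$type] = New-Object System.Collections.Generic.List[object]
}
#
$links = Invoke-WebRequest -Uri "https://www.circl.lu/doc/misp/feed-osint/" -UseBasicParsing
# Keep only the per-event JSON links: drop the parent link, manifest/hashes, the
# directory itself and the Apache column-sort links ("?C=N;O=D").
# The earlier pattern "*?C*" treated '?' as a one-character wildcard, so it also
# matched every file name containing a 'c' (most event UUIDs) and skipped them;
# "[?]" matches a literal question mark.
$eventLinks = $links.Links.href | Where-Object {
    $_ -notlike "*Parent*" -and $_ -ne "manifest.json" -and $_ -ne "hashes.csv" -and
    $_ -notlike "*[?]C=*" -and $_ -ne "/doc/misp/"
}
foreach ($link in $eventLinks) {
    try {
        $IOCs = Invoke-RestMethod -Uri "https://www.circl.lu/doc/misp/feed-osint/$($link)" -UseBasicParsing -ErrorAction Stop
    } catch {
        # One missing or malformed event file should not abort the whole run.
        Write-Warning "Could not fetch $($link): $($_.Exception.Message)"
        continue
    }
    foreach ($event in ($IOCs.Event.Attribute | Where-Object { $_.Comment -ne "" })) {
        Write-Progress -Activity "Processing Event $($event.Comment)"
        # Case-insensitive match like the previous -eq chain, but the canonical
        # lower-case key becomes the column name.
        $type = $typeMap.Keys | Where-Object { $_ -eq $event.type } | Select-Object -First 1
        if ($type) {
            $row = New-Object PSObject -Property @{ $type = "$($event.value)"; "Comment" = "$($event.Comment)" } | Select-Object $type, Comment
            $buckets[$type].Add($row)
        }
    }
}
foreach ($type in $typeMap.Keys) {
    if ($buckets[$type].Count -gt 0) {
        $buckets[$type] | Export-Csv -Path "$($exports)MISP_Export_$($typeMap[$type])_$($date.Month)_$($date.Day)_$($date.Year).csv"
    }
}
;""
Write-Host "Parsing complete, exports located at: $exports"
}
-------------------------------------------------------------------------------- /Get-SnortRules.ps1: --------------------------------------------------------------------------------
<# Snort Downloader / Parser.
Witten by Wylie Bayes 3/5/2018
Requires Winrar to be installed on local machine.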
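
Downloads latest snort tarball, extracts, and parses out only uncommented rules and creates new file for loading into snort.
#>
#######################################
# Download the Snort community ruleset, extract it with WinRAR and write a file
# holding only the active (uncommented, non-empty) rules.
# (The header comment above was opened with "<#" and "closed" with a second
# "<#", which left the whole file inside an unterminated comment.)
# Outputs: progress text on the console; parsed rules under C:\Exports\parsed\.
# Returns: nothing; returns early when the download equals the previous one.
#######################################
function Get-SnortRules {
    Write-Progress "Gathering and Parsing Snort Rules...."
    # Define our awesome ASCII Pig
    $pig = @"
____
\%%%%%%;.
\%%%%%%%%;..
.\. (%%%%%%%%%%%%;.
.;%%%;. %%%%%%%%%%%%%%%%%;.
%%%%%%%%; %%%%%%%%%%%%%%%%%%%%%;.
%%%%%%%%%)__(%%%%%%%%%%%%%%%%%%%%%%%%;.
;%%%%%% /%%%%%\ %%%%%%%%%%%%%%%%%%%%%%%;
\%% /%/'''\%%%\ %%%%%%%%%%%%%%%%%%%%%%%;
'%%%%%%%\. \%%|/%%%%%%%%%%%%%%%%%%%%%%; %%
.;%%%%%%%%%%\|%%%%%%%%%%%%%%%%%%%%%%%%%% %%%
(%CCC%%%%CCC%\%%%%%%%%%%%%%%%%%%%%%%%%%/ %%%%
%% !/ \%%%%%%%%%%%%%%%%%%%%%%/ %%%%%%
.% %%% \%%%%%%%%%%%%%/'%%%%%%%%%
.__\\/__. .%%% o o %%%% %%%%%%%%%%%/'%%%%%%%%%%%
\.;%%%%%%%%%;.'%% %%%% ,%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%/ %___.!. /%%%% ,%%%%%%%% \%%%%%%%%%%%%%
\%% %%% %%/ %%%%%%\ /%%%% ,%%%%%%%%% |%%%%%%%%%%%%%
/%% %%% %% %%%%%%%)?**&%%%% ,%%%%%%%%%%; |%%%%%%%%%%%%%
%% %%% %% %%%%%%%%%%%%%/ ,%%%%%%%%%%%/ /%%%%%%%%%%%%%%
/%%% %%%%% %%% %%%%%%%;/',;/%%%%%%%%%;;../%%%%%%%%%%%%%%%%%
%%%%%%/'''\%%%%%% ='''\\ \%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
//'' ''\\
"@
    #
    Clear-Host
    # Each ;"" emits one blank line.
    ;"" ;"" ;"" ;"" ;"" ;"" ;"" ;""
    Write-Host "Gathering and Parsing Snort Rules..." -ForegroundColor "Green"
    #
    Write-Host "$pig"
    ;"" ;""
    # Create a date variable to use when naming output files.
    $date = Get-Date
    # Temporary working folder on the current user's Desktop. $env:USERPROFILE
    # replaces the earlier "whoami" parsing, which assumed C:\users\<name>.
    $desktop = "$env:USERPROFILE\Desktop"
    $temp = "$desktop\Temp"
    # Remove temp folder on desktop and re-create fresh.
    Remove-Item $temp -Recurse -Force -ErrorAction SilentlyContinue | Out-Null
    New-Item -ItemType Directory "$temp" | Out-Null
    New-Item -ItemType Directory "$temp\Extracted\" | Out-Null
    # Define Download URL
    $download = "https://www.snort.org/downloads/community/community-rules.tar.gz"
    # Define exports location
    $exports = "C:\Exports\"
    # The export tree must exist: Move-Item into a missing folder renames the
    # file to "archive" instead of moving it.
    foreach ($dir in "$exports\parsed\archive\", "$exports\Extracted\") {
        if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    }
    # Archive Previously parsed rules
    $archive = Get-ChildItem "$exports\parsed\*.txt"
    if ($archive) {
        Move-Item $archive "$exports\parsed\archive\" -Force
        Write-Host "Archived previously parsed rules into archive folder" -ForegroundColor "Green"
    } else {
        Write-Host "No previous rules to archive. Continuing" -ForegroundColor "Yellow"
    }
    # Download new snort rules tarball.
    # -UseDefaultCredentials was dropped: it offers the Windows logon credentials
    # to snort.org, which has no use for them. If an authenticating proxy was the
    # reason for it, -ProxyUseDefaultCredentials is the parameter for that.
    $tarball = "$temp\community-rules.tar.gz"
    Invoke-WebRequest -Uri $download -OutFile $tarball -UseBasicParsing
    # Compare with the previous download; no previous copy (first run) means "new".
    $previous = Get-FileHash -Algorithm SHA256 "$exports\community-rules.tar.gz" -ErrorAction SilentlyContinue
    if ($previous -and $previous.Hash -eq (Get-FileHash -Algorithm SHA256 $tarball).Hash) {
        ;""
        Write-Host "Downloaded ruleset hash matches previously downloaded ruleset. Rules are already current. Not continuing" -ForegroundColor "Yellow"
        Remove-Item $temp -Recurse -Force -ErrorAction SilentlyContinue
        # 'break' outside a loop unwinds into the caller; 'return' is what
        # "stop this function" means.
        return
    } else {
        ;""
        Write-Host "Downloaded ruleset is newer than previously downloaded ruleset. Continuing" -ForegroundColor "Green"
    }
    Copy-Item $tarball $exports
    # Use WinRAR on local system to extract snort rules to temp desktop location.
    # -Wait replaces the fixed 5-second sleep, which raced the extraction and
    # could copy an incomplete tree. (Paths are unquoted as before; a profile
    # path with spaces would need quoting here.)
    Start-Process -FilePath "C:\Program Files\WinRAR\winrar.exe" -ArgumentList "x -ibck $tarball *.* $temp\Extracted\" -Wait
    $items = Get-ChildItem "$temp\Extracted\community-rules\"
    # Copy the extracted files from our temp location to our network share location.
    foreach ($item in $items) {
        Copy-Item $item.FullName "$exports\Extracted\"
    }
    # Remove temp desktop folder after copying to share.
    Remove-Item $temp -Recurse -Force -ErrorAction SilentlyContinue
    # Import rules into a variable that don't start with comment hash #
    $rules = Get-Content "$exports\Extracted\community.rules" | Where-Object { $_ -notmatch "^#" -and $_ -ne "" }
    $rules | Out-File "$exports\parsed\Snort_$($date.Month)_$($date.Day)_$($date.Year)_parsed_rules.txt"
    # Write out rule count and open parsed folder.
    ;""
    Write-Host "Parsed $(@($rules).Count) Rules... Opening share location..." -ForegroundColor "Green"
    Invoke-Item "$exports\Parsed\"
}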
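
-------------------------------------------------------------------------------- /Invoke-ItsAlwaysDNS.ps1: --------------------------------------------------------------------------------
#######################################
# Resolve every host name in the input file(s), record A/AAAA answers with their
# reverse (PTR) names, look up whois/city data for the IPv4 addresses and export
# both datasets to CSV in the current directory.
# Arguments:
#   $inputfile - path(s) of text file(s) with one host name per line
# Globals (read): $domain if the caller set one; otherwise derived from the
#                 input file name(s) for the export file names.
# Requires: Resolve-DnsName (DnsClient module) and a Get-Whois command that is
#           not defined in this file.
#######################################
function Invoke-ItsAlwaysDNS([array]$inputfile) {

    $art = @"









______ _ ___ __
/ _/ /( )_____ / | / / ______ ___ _______
/ // __/// ___/ / /| | / / | /| / / __ `/ / / / ___/
_/ // /_ (__ ) / ___ |/ /| |/ |/ / /_/ / /_/ (__ )
/___/\__/ /____/__/_/ |_/_/ |__/|__/\__,_/\__, /____/
/ __ \/ | / / ___/ /____/
/ / / / |/ /\__ \
/ /_/ / /| /___/ /
/_____/_/ |_//____/
"@
    Write-Host "$art" -ForegroundColor Yellow

    # The export names used $domain, which nothing in this file assigns; fall back
    # to the input file name(s) so the CSVs are not all called "LookupData__...".
    if (-not $domain) {
        $domain = ($inputfile | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }) -join "_"
    }
    # A List avoids re-copying the array on every "+=".
    $dataset = New-Object System.Collections.Generic.List[object]
    # NOTE(review): every line containing "com" is skipped (presumably to drop the
    # apex domain line); kept as found.
    $subdomains = Get-Content $inputfile | Where-Object { $_ -notlike "*com*" }
    $count1 = 0
    foreach ($subdomain in $subdomains) {
        $count1++
        Write-Progress -Id 0 -Activity 'Running DNS Queries on all known sub-domains:' -Status "Processing $($count1) of $($subdomains.Count)" -CurrentOperation $subdomain -PercentComplete (($count1 / $subdomains.Count) * 100)
        $lookup = $null
        try {
            $lookup = Resolve-DnsName -Name $subdomain -DnsOnly -ErrorAction SilentlyContinue
        } catch {
            # No record for this name: nothing to add.
        }
        # ($lookup -ne "") was always true for $null; test the value itself.
        if (-not $lookup) { continue }
        foreach ($ip in $lookup) {
            if ($ip.Type -eq "A") {
                $address = $ip.IP4Address
            } elseif ($ip.Type -eq "AAAA") {
                # The record type is "AAAA"; the "AAA" literal used before never matched.
                $address = $ip.IP6Address
            } else {
                continue
            }
            # One PTR lookup per address; previously a single PTR was resolved
            # for the whole answer and reused for every A record.
            $ptr = Resolve-DnsName -Type PTR "$address" -DnsOnly -ErrorAction SilentlyContinue
            $row = New-Object PSObject -Property @{ "Hostname" = "$($subdomain)"; "IPAddress" = "$address"; "Type" = "$($ip.Type)"; "Reverse Record" = "$($ptr.NameHost)" } |
                Where-Object { $_.PSObject.Properties.Value -ne '' } |
                Select-Object Hostname, IPAddress, Type, "Reverse Record"
            if ($row) { $dataset.Add($row) }
        }
    }
    # Get whois/location info on each IPv4 IP and build new dataset
    $whoisdataset = New-Object System.Collections.Generic.List[object]
    $ipv4 = $dataset | Where-Object { $_.Type -eq "A" }
    foreach ($item in $ipv4) {
        Write-Progress "Getting whois and city data"
        # Get-Whois is external to this file; lookup failures are swallowed as before.
        $whois = Get-Whois -IPAddress "$($item.IPAddress)" -ErrorAction SilentlyContinue
        $whoisdataset.Add((New-Object PSObject -Property @{ "Hostname" = "$($item.Hostname)"; "IPAddress" = "$($item.IPAddress)"; "Organization" = "$($whois.RegisteredOrganization)"; "City" = "$($whois.City)" } | Select-Object Hostname, IPAddress, Organization, City))
    }
    $date = Get-Date
    $dataset | Export-Csv -NoTypeInformation "LookupData_$($domain)_$($date.Month)_$($date.Day)_$($date.Year).csv"
    $whoisdataset | Export-Csv -NoTypeInformation "WhoisMap_$($domain)_$($date.Month)_$($date.Day)_$($date.Year).csv"
}

#######################################
# Parse "netstat -ano" into one object per TCP/UDP line with the owning process
# name resolved. Local "[::..." (IPv6 wildcard/loopback) lines are skipped, as
# they were before.
# Outputs: PSObjects with Protocol, LocalAddress, LocalPort, RemoteAddress,
#          RemotePort, State (TCP only), ProcessName, PID
#######################################
function Get-Netstat {
    $properties = "Protocol", "LocalAddress", "LocalPort",
                  "RemoteAddress", "RemotePort", "State", "ProcessName", "PID"

    # Split an "addr:port" / "[v6addr]:port" column into address and port.
    # [ipaddress] accepts the bracketed IPv6 form (and strips the port) but not
    # "v4addr:port", which is why IPv4 goes through the plain split.
    function Split-Endpoint([string]$endpoint) {
        $addr = $endpoint -as [ipaddress]
        if ($addr.AddressFamily -eq "InterNetworkV6") {
            return $addr.IPAddressToString, $endpoint.Split("\]:")[-1]
        }
        return $endpoint.Split(":")[0], $endpoint.Split(":")[-1]
    }

    netstat -ano | Select-String -Pattern "\s+(TCP|UDP)" | ForEach-Object {
        $item = $_.Line.Split(" ", [System.StringSplitOptions]::RemoveEmptyEntries)
        if ($item[1] -notmatch "^\[::") {
            $localAddress, $localPort = Split-Endpoint $item[1]
            $remoteAddress, $remotePort = Split-Endpoint $item[2]
            New-Object PSObject -Property @{
                PID           = $item[-1]
                ProcessName   = (Get-Process -Id $item[-1] -ErrorAction SilentlyContinue).Name
                Protocol      = $item[0]
                LocalAddress  = $localAddress
                LocalPort     = $localPort
                RemoteAddress = $remoteAddress
                RemotePort    = $remotePort
                # netstat prints a state column for TCP only.
                State         = if ($item[0] -eq "tcp") { $item[3] } else { $null }
            } | Select-Object -Property $properties
        }
    }
}
-------------------------------------------------------------------------------- /emcopy_share_migration.ps1: --------------------------------------------------------------------------------
#
# Share Migration Script.
#
# This script requires you have "emcopy64.exe" in your C:\windows\system32\ folder.
#
#
#
try {
# DEFINE ME for CSVs location !!!
$csvlocation = "C:\Output\"
# DEFINE ME for CSVs location !!!
} catch {
write-host "Unable to locate CSV, check source path. Exiting"
Return
}
#
$date = (Get-Date).tostring("yyyyMMdd")
$sourcecsv = $null
$sourcecsv = @()
$ans = $null
$menu =@"
1 - Import all CSVs and start single copy job of all CSVs.
2 - Import all CSVs and start multi-threaded copy job for each CSV.
3 - Select a single, or multiple CSVs from list and start single copy job of selected CSVs.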
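4 - Select a single, or multple CSVs from list and start a multi-threaded copy job of selected CSVs.
5 - Manually input source CSV Path and start single copy job, IE: C:\file.csv.
Q - Quit.
"@
#
#######################################
# Copy every row of one CSV with emcopy64. Used directly for the single-job
# options and handed to Start-Job for the multi-threaded ones, so it must not
# rely on anything from the script scope. Previously this body was repeated
# five times; in option 4 the emcopy64 call had slipped outside the foreach, so
# only the last row of each CSV was copied.
# Arguments:
#   $csvPath - path of a CSV with "FullName" (source) and "Destination" columns
# Outputs: one emcopy64 log per source server under C:\evt\log\
#######################################
$copyBlock = {
    param($csvPath)
    $sourcecsv = Import-Csv $csvPath -ErrorAction Stop
    New-Item -ItemType Directory -Path "C:\evt\log" -Force | Out-Null
    foreach ($item in $sourcecsv) {
        # Test-Path reports a missing path as $false, it does not throw, so the
        # earlier try/catch around it could never reach its "Continue".
        if (-not (Test-Path $item.Destination)) {
            Write-Host "$($item.Destination) not accessiable, moving on to next item."
            continue
        }
        $date = (Get-Date).ToString("yyyyMMdd")
        # Third path element: the server name of a UNC source (\\server\share\...).
        $name = $item.FullName.Split("\\")[2]
        emcopy64 $item.FullName $item.Destination /s /o /c /r:3 /w:5 /q "/log+:C:\evt\log\${name}_$date.log"
    }
}

#######################################
# Wait for the given jobs with a progress bar, then print their output and
# remove them. (The earlier loop spun without sleeping and left the finished
# jobs, and everything they printed, behind.)
# Arguments:
#   $jobList - job objects returned by Start-Job
#######################################
function Wait-CopyJobs($jobList) {
    $total = @($jobList).Count
    if ($total -eq 0) { return }
    while (($running = @($jobList | Where-Object { $_.State -eq "Running" }).Count) -gt 0) {
        Write-Progress -Activity "Migrating" -Status "Progress:" -PercentComplete (($total - $running) / $total * 100)
        Start-Sleep -Seconds 2
    }
    $jobList | Receive-Job
    $jobList | Remove-Job
}

#######################################
# List the CSVs in $csvlocation with a number each and read selections until an
# empty line. The answer is kept in $choice: $input is an automatic variable in
# PowerShell and should not be assigned.
# Globals (read): $csvlocation
# Outputs: full paths of the selected CSVs (possibly none)
#######################################
function Select-CsvFiles {
    $csvs = @(Get-ChildItem -Path $csvlocation *.csv)
    $menu3 = @{}
    for ($i = 1; $i -le $csvs.Count; $i++) {
        Write-Host "$i. $($csvs[$i - 1].Name)"
        $menu3.Add($i, $csvs[$i - 1].FullName)
    }
    $picked = @()
    do {
        $choice = Read-Host ("Enter each selection on a single line and press enter. Leave blank and press enter when finished.")
        if ($choice -ne '') {
            # Only numbers that are on the menu; anything else is reported, not thrown.
            if ($choice -match '^\d+$' -and $menu3.ContainsKey([int]$choice)) {
                $picked += $menu3.Item([int]$choice)
            } else {
                Write-Host "'$choice' is not a menu number." -ForegroundColor Yellow
            }
        }
    } until ($choice -eq '')
    return $picked
}
#
Write-Host "Select an option below for CSV input" -ForegroundColor Cyan
$r = Read-Host $menu
Switch ($r) {
    "1" {
        Write-Host "Importing all CSVs from $($csvlocation)" -ForegroundColor Green
        $csvs = Get-ChildItem -Path $csvlocation *.csv
        foreach ($csv in $csvs) {
            & $copyBlock $csv.FullName
        }
        Return
    }
    #
    "2" {
        Write-Host "Import all CSVs from $($csvlocation) and start multi-job copy for each CSV."
        $csvs = Get-ChildItem -Path $csvlocation *.csv
        $jobs = @()
        foreach ($csv in $csvs) {
            $jobs += Start-Job -ScriptBlock $copyBlock -ArgumentList $csv.FullName
        }
        Wait-CopyJobs $jobs
        Return
    }
    #
    "3" {
        Write-Host "Choose which CSV files you wish to import:" -ForegroundColor Green
        $selection = Select-CsvFiles
        foreach ($csv in $selection) {
            & $copyBlock $csv
        }
        Return
    }
    #
    "4" {
        Write-Host "Choose which CSV files you wish to import:" -ForegroundColor Green
        $selection = Select-CsvFiles
        $jobs = @()
        foreach ($csv in $selection) {
            $jobs += Start-Job -ScriptBlock $copyBlock -ArgumentList $csv
        }
        Wait-CopyJobs $jobs
        Return
    }
    #
    "5" {
        $csvPath = Read-Host "Enter path to CSV Input, IE: C:\sharesource.csv"
        & $copyBlock $csvPath
        Return
    }

    "Q" {
        Write-Host "Quitting" -ForegroundColor Green
    }
    #
    default {
        Write-Host "I don't understand what you want to do." -ForegroundColor Yellow
    }
} #end switch
-------------------------------------------------------------------------------- /GetOTX-Data.ps1: --------------------------------------------------------------------------------
#
# Powershell script to pull indicators from Alien Vault Opensource Threat Exchange(OTX) and export to CSVs for importing into Arcsight or other SIEM.
# Written by Wylie Bayes 02/23/2018
#
# Define Main Function, set variables to Null, and then define as arrays.
function GetOTX-Data {
clear
# NOTE(review): the key is edited into the script; reading it from an
# environment variable or an Import-Clixml file keeps it out of the repository.
$otxkey = "YOUR API KEY GOES HERE!!"
# Define export location.
$exports = "C:\Exports\"
$whitelists = "C:\Whitelists"
# How old are indicators allowed to be in days
$daysold = "30"
#
$FileHashesEPO = $null
$FileHashesPalo = $null
$hostnames = $null
$IPV4s = $null
$IPV6s = $null
$Emails = $null
$URLs = $null
$CVEs = $null
$counts = $null
$total = $null
$hostnames = @()
$IPV4s = @()
$IPV6s = @()
$URLs = @()
$FileHashesEPO = @()
$FileHashesPalo = @()
$Emails = @()
$CVEs = @()
$counts = @()
;""
;""
;""
#Populate our awesome ascii art into an array
$alien = @"
Alien Vault

. . . . . . . . . + .
. . : . .. :. .___---------___.
. . . . :.:. _".^ .^ ^. '.. :"-_. .
. : . . .:../: . .^ :.:\.
. . :: +. :.:/: . . . . . .:\
. : . . _ :::/: . ^ . . .:\
.. . . . - : :.:./. . .:\
. . . :..|: . . ^. .:|
. . : : ..|| . . . !:|
. . . . ::. ::\( . :)/
. . : . : .:.|. ###### .#######::|
:.. . :- : .: ::|.####### ..########:|
. . . .. . .. :\ ######## :######## :/
. .+ :: : -.:\ ######## . ########.:/
. .+ . . . . :.:\. ####### #######..:/
:: . . . . ::.:..:.\ . . ..:/
. . . .. : -::::.\. | | . .:/
. : . . .-:.":.::.\ ..:/
. -. . . . .: .:::.:.\. .:/
. . . : : ....::_:..:\ ___.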
:/ 61 | . . . .:. .. . .: :.:.:\ :/ 62 | + . . : . ::. :.:. .:.|\ .:/| 63 | . + . . ...:: ..| --.:| 64 | . . . . . . . ... :..:.."( ..)" 65 | . . . : . .: ::/ . .::\ 66 | 67 | "@ 68 | # Write out pretty ascii art to the screen. 69 | write-host "$alien" 70 | # Define our Error preference. 71 | $ErrorActionPreference = "SilentlyContinue" 72 | # Archive previous days export into the archive folder. 73 | $archive = get-childitem "$exports\*.csv" 74 | if ($archive -ne $null){ 75 | Move-Item $archive "$exports\archive\" -Force 76 | write-host "Archived previous CSVs into the archive folder" -foregroundcolor "Green" 77 | } else { 78 | write-host "No previous CSV's to archive. Continuing" -foregroundcolor "Yellow" 79 | } 80 | # Pull in White Lists for Exclusions 81 | $IPv4WL = Import-CSV "$whitelists\IPv4s.csv" | where {(get-date $_."WhiteListed Date") -gt (get-date).AddDays(-30)} 82 | $CVEWL = Import-CSV "$whitelists\CVEs.csv" | where {(get-date $_."WhiteListed Date") -gt (get-date).AddDays(-30)} 83 | $DomainOrHostnameWL = Import-CSV "$whitelists\DomainOrHostnames.csv" | where {(get-date $_."WhiteListed Date") -gt (get-date).AddDays(-30)} 84 | $EmailWL = Import-CSV "$whitelists\Emails.csv" | where {(get-date $_."WhiteListed Date") -gt (get-date).AddDays(-30)} 85 | $FileHashWL = Import-CSV "$whitelists\FileHashes.csv" | where {(get-date $_."WhiteListed Date") -gt (get-date).AddDays(-30)} 86 | $URLWL = Import-CSV "$whitelists\URLs.csv" | where {(get-date $_."WhiteListed Date") -gt (get-date).AddDays(-30)} 87 | # Get the date for naming CSV exports at the end. 88 | $date = get-date 89 | # Define a bit of regex for later 90 | $regex = "[^a-zA-Z]" 91 | # Define first page to begin. 92 | $next = "https://otx.alienvault.com/api/v1/pulses/subscribed/?limit=10&page=1" 93 | do { 94 | write-progress "Pulling all AlienVault indicators and exporting to CSVs. 
Processing page: $page" 95 | $indicators = invoke-webrequest -URI $next -UseBasicParsing -Headers @{"X-OTX-API-KEY"="$otxkey"} -UseDefaultCredentials 96 | # Convert JSON data received into powershell object. 97 | $data = $indicators.Content | ConvertFrom-Json 98 | # Populate the next page into $next variable. 99 | $next = $data.next 100 | $page = $next.split("&")[1].split("=")[1] 101 | # 102 | $filtered = $data.Results | where {$_.References -ne $null} 103 | if ($filtered){ 104 | foreach ($item in $filtered){ 105 | $name = $null 106 | $name = $item.Name -replace $regex 107 | $LastModified = get-date $item.Modified 108 | if ($LastModified -gt (get-date).AddDays("-$daysold")){ 109 | foreach ($indicator in $Item.Indicators) { 110 | # Gather Domain and Subdomain Names Indicators 111 | if ($indicator.Type -eq "hostname" -or $indicator.type -eq "domain" -and $indicator.indicator -notin $DomainOrHostnameWL.DomainOrHostName){ 112 | if ($item.References -like "*http*") { 113 | $hostnames += new-object PSObject -Property @{"Hostname"="$($indicator.Indicator)"; "Name"="$($name)"; "Reference"="$($item.References)"} | Select Hostname,Name,Reference 114 | } 115 | } 116 | # Gather All IPV4 Indicators 117 | if ($indicator.Type -eq "IPv4" -and $indicator.indicator -notin $IPv4WL."IPv4 Address"){ 118 | if ($item.References -like "*http*"){ 119 | $IPV4s += new-object PSObject -Property @{"IPv4 Address"="$($indicator.Indicator)"; "Name"="$($name)"; "Reference"="$($item.References)"} | Select "IPv4 Address",Name,Reference 120 | } 121 | } 122 | # Gather All IPV6 Indicators 123 | if ($indicator.Type -eq "IPv6"){ 124 | if ($item.References -like "*http*"){ 125 | $IPV6s += new-object PSObject -Property @{"IPv6 Address"="$($indicator.Indicator)"; "Name"="$($name)"; "Reference"="$($item.References)"} | Select "IPv6 Address",Name,Reference 126 | } 127 | } 128 | # Gather All URL Indicators 129 | if ($indicator.Type -eq "URL" -and $indicator.indicator -notin $URLWL.URL){ 130 | if 
($item.References -like "*http*"){ 131 | $URLs += new-object PSObject -Property @{"URL"="$($indicator.indicator)"; "Name"="$($name)"; "Reference"="$($item.References)"} | Select URL,Name,Reference 132 | } 133 | } 134 | # Gather all File Hash Indicators 135 | if ($indicator.Type -eq "FileHash-MD5" -or $indicator.Type -eq "FileHash-SHA1" -or $indicator.Type -eq "Filehash-SHA256" -and $indicator.indicator -notin $FileHashWL.FileHash){ 136 | if ($item.References -like "*http*"){ 137 | if ($item.References -ne $null -and $item.References -like "*http*"){ 138 | $FileHashesEPO += new-object PSObject -Property @{"FileHash"="AppHash: $($indicator.Indicator)"; "Name"="$($name)"; "Reference"="$($item.References)"} | Select FileHash,Name,Reference 139 | $FileHashesPalo += new-object PSObject -Property @{"FileHash"="$($indicator.Indicator)"; "Name"="$($name)"; "Reference"="$($item.References)"} | Select FileHash,Name,Reference 140 | } 141 | } 142 | } 143 | # Gather all Email Indicators 144 | if ($indicator.Type -eq "email" -and $indicator.indicator -notin $EmailWL."Email Address"){ 145 | if ($item.References -like "*http*"){ 146 | $Emails += new-object PSObject -Property @{"Email"="$($indicator.Indicator)"; "Name"="$($name)"; "Reference"="$($item.References)"} | Select Email,Name,Reference 147 | } 148 | } 149 | if ($indicator.Type -eq "CVE" -and $indicator.indicator -notin $CVEWL.CVE){ 150 | if ($item.References -like "*http*"){ 151 | $CVEs += new-object PSObject -Property @{"CVE"="$($indicator.Indicator)"; "Name"="$($name)"; "Reference"="$($item.References)"} | Select CVE,Name,Reference 152 | } 153 | } 154 | } 155 | } 156 | } 157 | } 158 | } while ($next -ne $null) 159 | # Export all indicators to CSVs if data exists in each object. 
160 | if ($hostnames){ 161 | $hostnames | ConvertTo-Csv -NoTypeInformation | Select -Skip 1 | Set-Content "$($exports)Hostnames_$($date.month)_$($date.day)_$($date.year).csv" 162 | } 163 | if ($IPV4s) { 164 | $IPV4s | ConvertTo-Csv -NoTypeInformation | Select -Skip 1 | Set-Content "$($exports)IPV4s_$($date.month)_$($date.day)_$($date.year).csv" 165 | } 166 | if ($IPV6s) { 167 | $IPV6s | ConvertTo-Csv -NoTypeInformation | select -Skip 1 | Set-Content "$($exports)IPV6s_$($date.month)_$($date.day)_$($date.year).csv" 168 | } 169 | if ($URLs) { 170 | $URLs | ConvertTo-Csv -NoTypeInformation | select -Skip 1 | Set-Content "$($exports)URLs_$($date.month)_$($date.day)_$($date.year).csv" 171 | } 172 | if ($FileHashesEPO) { 173 | $FileHashesEPO | ConvertTo-Csv -NoTypeInformation | select -Skip 1 | Set-Content "$($exports)FileHashesEPO_$($date.month)_$($date.day)_$($date.year).csv" 174 | } 175 | if ($FileHashesPalo) { 176 | $FileHashesPalo | ConvertTo-Csv -NoTypeInformation | select -Skip 1 | Set-Content "$($exports)FileHashesPalo_$($date.month)_$($date.day)_$($date.year).csv" 177 | } 178 | if ($Emails){ 179 | $Emails | ConvertTo-Csv -NoTypeInformation | select -Skip 1 | Set-Content "$($exports)Emails_$($date.month)_$($date.day)_$($date.year).csv" 180 | } 181 | if ($CVEs){ 182 | $CVEs | ConvertTo-Csv -NoTypeInformation | select -Skip 1 | Set-Content "$($exports)CVEs_$($date.month)_$($date.day)_$($date.year).csv" 183 | } 184 | # Total up the indicators and create a CSV just for number tracking. 
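185 | $total = $hostnames.count + $IPv4s.count + $URLs.count + $FileHashesEPO.count + $Emails.count + $CVEs.count 186 | $counts = new-object PSObject -Property @{"Hostnames"="$($hostnames.count)"; "IPv4s"="$($IPv4s.count)"; "URLs"="$($URLs.Count)"; "FileHashes"="$($FileHashesEPO.count)"; "Emails"="$($Emails.Count)"; "CVEs"="$($CVEs.count)"; "Total"="$($total)"} | Select Hostnames,IPv4s,URLs,FileHashes,Emails,CVEs,Total 187 | $counts | Export-csv "$($exports)Total_Numbers_$($date.month)_$($date.day)_$($date.year).csv" -NoTypeInformation 188 | # Open exports folder and complete the operation. 189 | write-host "Opening exports folder..." -foregroundcolor "green" 190 | ii $exports 191 | } 192 | -------------------------------------------------------------------------------- /vmware-netapp-HP-environment-monitoring.ps1: --------------------------------------------------------------------------------
function check-env {
    <#
    .SYNOPSIS
        One-shot health sweep of HP Onboard Administrators, NetApp controllers
        and vCenter servers; findings are printed to the console.

    .DESCRIPTION
        HP OA:     blade, fan, interconnect, power-supply and OA-module entries
                   whose Status is neither "OK" nor "Absent".
        NetApp:    failed disks, shelf channel failures, cluster failover state,
                   offline aggregates / volumes / LUNs.
        vCenter:   HA/DRS cluster settings, triggered host / datastore / VM
                   alarms, disconnected hosts (with the maintenance-mode event
                   that explains them), dead FC paths, running snapshots, VMs
                   with "_old" in the name, and VMs that need disk consolidation.

        Every step is read-only EXCEPT the ConsolidateVMDisks_Task call in the
        vCenter section, which queues a consolidation task for each VM that
        reports ConsolidationNeeded. Run it with an account that has no more
        vCenter privilege than that one action needs.

    .PARAMETER Oas
        Host names of the HP Onboard Administrators to check.
    .PARAMETER Controllers
        Host names of the NetApp controllers to check.
    .PARAMETER ViServers
        vCenter servers to check (connected with the current session's identity).
    .PARAMETER NaCredPath
        CLIXML file holding the PSCredential for the NetApp controllers.
    .PARAMETER OaCredPath
        CLIXML file holding the PSCredential for the HP OAs.
        Credential files written by Export-Clixml are DPAPI-protected and can
        only be read by the user account, on the machine, that created them.

    .OUTPUTS
        Detail objects (health entries, shelf status, VM names, the elapsed
        TimeSpan) go to the pipeline; summary lines go to the host.

    .NOTES
        Requires the HP OA cmdlets, the Data ONTAP PowerShell Toolkit and
        VMware PowerCLI. Parameter defaults are the values the script originally
        hard-coded, so calling check-env with no arguments behaves as before.
        Bug fixes versus the original: the "no alarms" summary per OA category
        was reset by any later healthy entry; the "_old" VM search and the
        Get-Task lookup were piped to Out-Null and so never found anything;
        the VM alarm summary referenced an undefined variable; the failed-disk
        size loop printed every size for every disk.
    #>
    [CmdletBinding()]
    param(
        [string[]]$Oas = @("oa1", "oa2", "oa3", "oa4"),
        [string[]]$Controllers = @("filer1", "filer2", "filer3", "filer4"),
        [string[]]$ViServers = @("vcenter1", "vcenter2", "vcenter3", "vcenter4"),
        [string]$NaCredPath = 'C:\users\forgotten\Documents\NACred.xml',
        [string]$OaCredPath = 'C:\users\forgotten\Documents\OACred.xml'
    )

    # Prints every entry of one OA health category whose Status is not in
    # $OkStates, or a single green line when the category is clean.
    function Show-OACategoryHealth {
        param(
            [string]$OaName,
            [string]$Label,        # used in the per-entry warning
            [string]$SummaryLabel, # used in the "no active ... alarms" line
            $Entries,
            [string[]]$OkStates
        )
        $problemFound = $false
        foreach ($entry in $Entries) {
            if ($entry.Status -notin $OkStates) {
                $problemFound = $true
                Write-Host "$OaName has not OK $Label status on Bay:" $entry.Bay -ForegroundColor "red" -BackgroundColor "black"
                $entry.Status
                $entry.CorrectiveAction
                ""
                ""
            }
        }
        if (-not $problemFound) {
            Write-Host "$OaName has no active $SummaryLabel alarms or problems." -ForegroundColor "green" -BackgroundColor "black"
        }
    }

    # Prints the triggered alarms of a set of vSphere view objects (host,
    # datastore or VM views). $OnAlarm, when given, is invoked with the view
    # and its alarm definition(s) for per-type follow-up.
    function Show-TriggeredAlarms {
        param(
            $Views,
            [string]$Kind,         # wording of the per-object warning
            [string]$SummaryKind,  # wording of the "no active ... alarms" line
            [string]$Server,
            [scriptblock]$OnAlarm
        )
        $anyAlarm = $false
        foreach ($view in $Views) {
            # TriggeredAlarmState is $null / empty when nothing is triggered.
            if (-not $view.TriggeredAlarmState) { continue }
            $anyAlarm = $true
            $definition = Get-AlarmDefinition -Id $view.TriggeredAlarmState.Alarm
            Write-Host "$($view.Name) Has the following $Kind alarms triggered:" -ForegroundColor "red" -BackgroundColor "black"
            Write-Host $definition.Name -BackgroundColor "black"
            if ($OnAlarm) { & $OnAlarm $view $definition }
        }
        if (-not $anyAlarm) {
            Write-Host "There are no active $SummaryKind alarms on:" $Server -ForegroundColor "green" -BackgroundColor "black"
        }
    }

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $naCred = Import-Clixml $NaCredPath
    $oaCred = Import-Clixml $OaCredPath
    $okStates = "Absent", "OK"

    ############################################################
    #### HP enclosures: blades, fans, interconnects, power and OA modules.
    Write-Host "----- Checking all HP Onboard Administrators for alarms -----" -ForegroundColor "magenta" -BackgroundColor "black"
    foreach ($oa in $Oas) {
        Write-Progress "Checking HP OnBoard Administrators:"
        ""
        ""
        try {
            $con = Connect-HPOA -OA $oa -Credential $oaCred -ErrorAction Stop
        } catch {
            Write-Host "!!!!! Unable to connect to $oa , moving onto to next OA !!!!!" -ForegroundColor "yellow" -BackgroundColor "black"
            continue
        }
        $health = Get-HPOAHealth $con
        Show-OACategoryHealth -OaName $oa -Label "Blade"        -SummaryLabel "BLADE"            -Entries $health.BladeHealth                -OkStates $okStates
        Show-OACategoryHealth -OaName $oa -Label "FAN"          -SummaryLabel "FAN"              -Entries $health.FanHealth                  -OkStates $okStates
        Show-OACategoryHealth -OaName $oa -Label "Interconnect" -SummaryLabel "INTERCONNECT BAY" -Entries $health.InterconnectHealth         -OkStates $okStates
        Show-OACategoryHealth -OaName $oa -Label "Power Supply" -SummaryLabel "POWER SUPPLY"     -Entries $health.PowerSupplyHealth          -OkStates $okStates
        Show-OACategoryHealth -OaName $oa -Label "OA"           -SummaryLabel "OA bay"           -Entries $health.OnboardAdministratorHealth -OkStates $okStates
    }
    ""
    ""

    ############################################################
    #### NetApp controllers: failed disks, shelf channels, failover, offline objects.
    Write-Host "----- Checking all Netapp Filers for Failed Disks, Channel Failures, failed aggregates, and offline luns or volumes -----" -ForegroundColor "magenta" -BackgroundColor "black"
    ""
    ""
    foreach ($controller in $Controllers) {
        Write-Progress "Checking NetAPP Controllers for Failed Disks, Channel Failures, failed aggregates, and offline luns or volumes: "
        try {
            Connect-NaController -Name $controller -Credential $naCred -ErrorAction Stop | Out-Null
        } catch {
            Write-Host "!!!!! Unable to connect to $controller , moving onto to next controller !!!!!" -ForegroundColor "yellow" -BackgroundColor "black"
            continue
        }

        ### Failed disks owned by this controller (or unowned).
        $failedDisks = Get-NaDiskOwner |
            Where-Object { $_.Failed -eq "True" } |
            Where-Object { $_.Owner -eq $controller -or $_.Owner -eq $null }
        $shelfFailures = Get-NaShelf | Get-NaShelfEnvironment | Where-Object { $_.IsShelfChannelFailure -eq 1 }
        if (-not $failedDisks) {
            Write-Host $controller "Has No Failed Disks." -ForegroundColor "green" -BackgroundColor "black"
        } else {
            Write-Host "The following controller $($controller) has failed disks:" -ForegroundColor "red" -BackgroundColor "black"
            $failedDisks | Select-Object -Property Name, SerialNumber, Owner, OwnerId, Pool, Failed | Format-Table -Wrap -AutoSize
            $diskData = Get-NaDisk $failedDisks.Name
            $diskData | Select-Object -Property Name, Shelf, Bay, Status, PhysSpace, RPM, FW, Model, Pool, Aggregate | Format-Table -Wrap -AutoSize
            # One size line per failed drive, rounded to 2 decimals of a TB.
            foreach ($d in $diskData) {
                $sizeTb = [math]::Round($d.PhysSpace / 1TB, 2)
                Write-Host "Failed Drive:" $d.Name "Size is:" "$($sizeTb)TB" -ForegroundColor "red" -BackgroundColor "black"
            }
            ""
        }

        ### Shelf channel failures.
        if (-not $shelfFailures) {
            Write-Host "$controller has no Shelf Channel failures." -ForegroundColor "green" -BackgroundColor "black"
        } else {
            Write-Host "$controller has the following Shelf Channel failures:" -ForegroundColor "red" -BackgroundColor "black"
            $shelfFailures
        }

        ### Cluster failover partnering.
        $cfStatus = Get-NaCluster
        if ($cfStatus.State -ne 'CONNECTED' -and $cfStatus.IsEnabled -ne $true) {
            Write-Host "!!!!!!!!!!!!!!!!! Failover is not enabled on $($controller) and does not have a connected partner. !!!!!!!!!!!!!!!!!" -ForegroundColor "red" -BackgroundColor "black"
        }

        ### Offline aggregates, volumes and LUNs.
        foreach ($agg in (Get-NaAggr)) {
            if ($agg.State -ne 'Online') {
                Write-Host "$($controller) has the following aggreates offline:"
                Write-Host "!!!!!!!!!!!!!!!!! $($agg.Name) IS OFFLINE !!!!!!!!!!!!!!!!!" -ForegroundColor "red" -BackgroundColor "black"
            }
        }
        foreach ($vol in (Get-NaVol)) {
            if ($vol.State -ne 'Online') {
                Write-Host "$($controller) has the following Volumes offline:"
                Write-Host "!!!!!!!!!!!!!!!!! $($vol.Name) IS OFFLINE !!!!!!!!!!!!!!!!!" -ForegroundColor "red" -BackgroundColor "black"
            }
        }
        foreach ($lun in (Get-NaLun)) {
            if ($lun.Online -ne $true) {
                Write-Host "$($controller) has the following LUNs offline:"
                Write-Host "!!!!!!!!!!!!!!!!! $($lun.Path) IS OFFLINE !!!!!!!!!!!!!!!!!" -ForegroundColor "red" -BackgroundColor "black"
            }
        }
        # The FC adapter check (Get-NaFcAdapter, AdapterStatus -eq "offline") was
        # commented out in the original and is intentionally not re-enabled here.
        ""
    }
    ""
    ""

    ##############################################################
    #### VMware: clusters, hosts, datastores and VMs.
    Add-PSSnapin Vmware.VIMAutomation.Core | Out-Null
    # NOTE(review): this disables TLS certificate validation for every vCenter
    # connection in the session, so a spoofed vCenter could capture the session
    # identity. Prefer a CA-issued (or explicitly trusted) vCenter certificate
    # and drop this line; it is kept only to preserve the original behaviour.
    Set-PowerCLIConfiguration -InvalidCertificateAction "ignore" -Confirm:$false | Out-Null
    Write-Host "----- Checking VMWare Hosts, Datastores, and VM alarms -----" -ForegroundColor "magenta" -BackgroundColor "black"
    foreach ($viServer in $ViServers) {
        Write-Progress "Checking VMWare Clusters, Hosts, Datastores and VMs for Triggered Alarms and States: "
        ""
        ""
        try {
            Connect-VIServer $viServer -ErrorAction Stop | Out-Null
        } catch {
            Write-Host "!!!!! Unable to connect to $viServer , moving onto to next vCenter !!!!!" -ForegroundColor "yellow" -BackgroundColor "black"
            continue
        }

        #### Cluster settings: HA and DRS.
        foreach ($cluster in (Get-Cluster)) {
            if ($cluster.HAEnabled -eq $false) {
                Write-Host "!!!! $($viServer) - $($cluster.Name) does not have HA enabled !!!!" -ForegroundColor "red" -BackgroundColor "black"
            } else {
                Write-Host "$($viServer) - $($cluster.Name) has HA enabled" -ForegroundColor "green" -BackgroundColor "black"
            }
            if ($cluster.DRSAutomationLevel -notlike "*FullyAutomated*") {
                Write-Host "!!!! $($viServer) - $($cluster.Name) DRS is not fully automated !!!!" -ForegroundColor "red" -BackgroundColor "black"
            } else {
                Write-Host "$($viServer) - $($cluster.Name) DRS is fully automated" -ForegroundColor "green" -BackgroundColor "black"
            }
        }

        #### Host alarms and connection state.
        $hostViews = Get-VMHost | Get-View
        Show-TriggeredAlarms -Views $hostViews -Kind "Host" -SummaryKind "HOST" -Server $viServer
        foreach ($vmHost in (Get-VMHost)) {
            if ($vmHost.ConnectionState -ne 'Connected') {
                Write-Host "!!!!! $($vmHost.Name) has the following connection state: $($vmHost.ConnectionState) !!!!!" -ForegroundColor "red" -BackgroundColor "black"
                # Surface who put the host into maintenance mode, and when.
                $events = Get-VIEvent -Entity $vmHost.Name -MaxSamples 500
                foreach ($event in $events) {
                    if ($event.FullFormattedMessage -match "Task: Enter maintenance mode") {
                        Write-Host "Host was put into maintenance mode on: $($event.CreatedTime), by user: $($event.UserName)"
                    }
                }
            }
        }

        #### Dead FC HBA paths on connected hosts.
        $connectedHosts = Get-VMHost | Where-Object { $_.ConnectionState -eq "Connected" } | Sort-Object -Property Name
        foreach ($vmHost in $connectedHosts) {
            foreach ($hba in ($vmHost | Get-VMHostHba -Type "FibreChannel")) {
                $deadPaths = $hba | Get-ScsiLun | Get-ScsiLunPath | Where-Object { $_.State -eq "Dead" }
                if ($deadPaths) {
                    Write-Host "!!!!!!!! $($vmHost) has dead HBA Paths go investigate !!!!!!!!" -ForegroundColor "red" -BackgroundColor "black"
                }
            }
        }

        #### Datastore alarms.
        $datastoreViews = Get-Datastore | Get-View
        Show-TriggeredAlarms -Views $datastoreViews -Kind "Storage" -SummaryKind "DATASTORE" -Server $viServer

        #### VM alarms; for the snapshot alarm also show the snapshot details.
        $vmViews = Get-VM | Get-View
        Show-TriggeredAlarms -Views $vmViews -Kind "VM" -SummaryKind "VM" -Server $viServer -OnAlarm {
            param($view, $definition)
            if ($definition.Name -eq "VMSnapshot Running") {
                foreach ($snap in (Get-Snapshot -VM $view.Name)) {
                    Write-Host "$($snap.Name) was created on:" $snap.Created -BackgroundColor "black"
                    Write-Host "Snapshot is the following size in GB:" $snap.SizeGB -BackgroundColor "black"
                }
                ""
            }
        }

        #### VMs with "_old" in the name (the original piped this to Out-Null, so it never matched).
        $oldVms = Get-VM | Where-Object { $_.Name -like "*_old*" }
        if ($oldVms) {
            Write-Host "The following VM's have old in their names:" -ForegroundColor "red" -BackgroundColor "black"
            $oldVms.Name
            ""
        }

        #### VMs that need disk consolidation. This is the only mutating step.
        $needConsolidation = Get-VM | Where-Object { $_.ExtensionData.Runtime.ConsolidationNeeded }
        if ($needConsolidation) {
            ""
            Write-Host "Consolidating any triggered VMs" -ForegroundColor "green" -BackgroundColor "black"
            # Only tasks still running count as "already running"; the original
            # discarded Get-Task's output and misspelled ExtensionData, so it
            # queued a duplicate task on every run.
            $runningConsolidations = Get-Task | Where-Object {
                $_.Name -eq "ConsolidateVMDisks_Task" -and $_.State -eq "Running"
            }
            foreach ($vm in $needConsolidation) {
                $alreadyRunning = $runningConsolidations | Where-Object { $_.ExtensionData.Info.EntityName -eq $vm.Name }
                if ($alreadyRunning) {
                    Write-Host "!!! Consolidation task for this VM already running !!!"
                } else {
                    $vm.ExtensionData.ConsolidateVMDisks_Task() | Out-Null
                    Write-Host "Task sent for consolidation of the following VM: $($vm.Name) sent to vCenter"
                }
            }
        }

        Disconnect-VIServer $viServer -Confirm:$false | Out-Null
        ""
        ""
    }

    $sw.Stop()
    Write-Host "All of your sweet checks took this much time to run:" -ForegroundColor "green" -BackgroundColor "black"
    $sw.Elapsed
}
--------------------------------------------------------------------------------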