├── AD Tools
├── Get-QuickPCInfo.ps1
└── Intentional-Lockout.ps1
├── AI Tools
└── loganalyzer.html
├── API Tools
├── README.MD
├── Start-UserFind.ps1
└── gl_ss.png
├── Console Tools
└── Windows-Profile.ps1
├── Exchange Tools
├── New-SimilarDisplayAlertRule.ps1
├── README.md
└── content
│ └── spoof-alert.html
├── File Tools
└── Get-UserShareReport.ps1
├── General Tools
├── Configs
│ └── conemu.xml
├── DualBoot_SurfaceArc
│ ├── README.md
│ ├── export-bluetooth.py
│ └── surface_arc_template
├── Enable-CopyPaste.ps1
├── Get-FileShareReport.ps1
├── Get-OpenPorts.ps1
├── Get-UninstallString.ps1
├── Send-SMSAlert.ps1
├── TestDoc.doc
└── graylog_backup.sh
├── In Progress
├── Get-Firefoxdetails.ps1
├── Get-ViewAgentLogs.ps1
├── Remove-All.ps1
└── Rescue-Exchange.ps1
├── Installers
├── Sysmon
│ ├── Deploy-Application.ps1
│ └── Install.ps1
└── readme.md
├── Inventory Tools
├── Assign-Users.ps1
├── Get-AssetInfo.ps1
├── MonitorTags.csv
├── README.md
└── Set-AssetInfo.ps1
├── Nasty Stuff
├── encoder.py
└── polymorphic.py
├── Network Tools
└── Get-DNSHostRecords.ps1
├── PSADT_Tools
├── Deploy-Sysmon.ps1
└── Readme.MD
├── README.md
├── Reolink Tools
└── Invoke-ReolinkControl.ps1
├── School Tools
├── Generate-Logdata.ps1
├── day_1.csv
├── day_10.csv
├── day_11.csv
├── day_12.csv
├── day_13.csv
├── day_14.csv
├── day_15.csv
├── day_16.csv
├── day_17.csv
├── day_18.csv
├── day_19.csv
├── day_2.csv
├── day_20.csv
├── day_21.csv
├── day_22.csv
├── day_23.csv
├── day_24.csv
├── day_25.csv
├── day_26.csv
├── day_27.csv
├── day_28.csv
├── day_29.csv
├── day_3.csv
├── day_30.csv
├── day_4.csv
├── day_5.csv
├── day_6.csv
├── day_7.csv
├── day_8.csv
├── day_9.csv
└── nodes.csv
├── Troll-o-matic
├── random-selector.php
└── trollurl.csv
└── _assets
└── email_banner.png
/AD Tools/Get-QuickPCInfo.ps1:
--------------------------------------------------------------------------------
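<#
    Get-QuickPCInfo.ps1

    Reads a list of computer names (one per line) from C:\Utilities\data\updates.txt and,
    for each one, reports: ICMP reachability, the interactively logged-on user (WMI
    Win32_ComputerSystem.UserName) and a few Active Directory computer attributes.

    Requires the ActiveDirectory module and WMI/DCOM access (RPC 135 + dynamic ports)
    to every target. Output is a list of PSCustomObjects; pipe to Export-Csv as needed.
#>

$source  = Get-Content "C:\Utilities\data\updates.txt" | Where-Object { $_.Trim() -ne "" }
$results = New-Object System.Collections.Generic.List[object]

foreach ($PC in $source) {
    $PC = $PC.Trim()

    # Reset per-iteration state so a failed lookup for this host cannot carry the
    # previous host's user / AD attributes into this row.
    $connection = $null
    $User       = $null
    $Computer   = $null
    $ou         = $null

    try {
        $null = Test-Connection -ComputerName $PC -Count 1 -ErrorAction Stop
        $connection = "Success"
    }
    catch {
        $connection = "Connection Failed"
    }

    try {
        $User = (Get-WmiObject -Class Win32_ComputerSystem -ComputerName $PC -ErrorAction Stop).UserName
        # UserName is $null (not "") when nobody is logged on interactively, so test both.
        if ([string]::IsNullOrEmpty($User)) { $User = "None" }
    }
    catch {
        $User = "#WMI Failure"
    }

    try {
        # -ErrorAction belongs on Get-ADComputer; placed on Select-Object (as before) it
        # never fired and a missing computer object was reported with stale/empty data.
        $Computer = Get-ADComputer -Identity $PC -Properties IPv4Address, OperatingSystem, PasswordLastSet -ErrorAction Stop |
            Select-Object Name, IPv4Address, OperatingSystem, PasswordLastSet, DistinguishedName
        # Everything after the first ",OU=" of the DN, e.g. "Workstations,OU=HQ,DC=corp,DC=local".
        $ou = ($Computer.DistinguishedName -split ",OU=", 0, "RegexMatch")[1]
    }
    catch {
        $connection = "AD Lookup Failed"
    }

    $results.Add([PSCustomObject]@{
        Host               = $PC
        Connection         = $connection
        'IP Address'       = $Computer.IPv4Address
        'Operating System' = $Computer.OperatingSystem
        # PasswordLastSet is the machine-account password rotation time, which is only a
        # coarse proxy for "last seen" (rotation is periodic, not per-logon).
        'Last Activity'    = $Computer.PasswordLastSet
        'Current User'     = $User
        'AD OU'            = $ou
    })
}

$results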
--------------------------------------------------------------------------------
/AD Tools/Intentional-Lockout.ps1:
--------------------------------------------------------------------------------
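<#
.SYNOPSIS
    Intentionally lock out an Active Directory user account.

.DESCRIPTION
    Reads LockoutBadCount from the "Default Domain Policy" GPO report, then repeatedly
    attempts an authenticated WinRM call to a domain controller with a deliberately wrong
    password until Get-ADUser reports the account as LockedOut, or MaxAttempts is reached.

    Intended for validating lockout alerting (for example that your SIEM picks up the
    resulting 4740 event) against accounts you are authorised to test. The script honours
    -WhatIf and asks for confirmation before generating any failed logons.

    A Fine-Grained Password Policy applied to the account overrides the domain policy
    threshold read here; MaxAttempts is the safety net so the loop cannot run forever.

    Requires the ActiveDirectory and GroupPolicy modules and WinRM access to a DC.

.PARAMETER Account
    Identity passed to Get-ADUser (SamAccountName, DN, SID, GUID or UPN).

.PARAMETER MaxAttempts
    Upper bound on failed logons before giving up. Defaults to LockoutBadCount + 5.

.INPUTS
    None. You cannot pipe objects to this script.

.OUTPUTS
    A status line describing the result.

.EXAMPLE
    C:\PS> .\Intentional-Lockout.ps1 -Account MrDuck
    MrDuck has been locked out

.EXAMPLE
    C:\PS> .\Intentional-Lockout.ps1 -Account Fake00001
    Fake00001 not found / valid

.NOTES
    Author: Adam "Abe" Abernethy (@ReallyBigAbe, https://blueteam.ninja)
    Basics borrowed from http://mikefrobbins.com/2013/11/28/lock-out-active-directory-user-accounts-with-powershell/

    Locking someone else out is a denial of service. Only run this against your own test
    accounts or as part of an agreed detection exercise with explicit authorisation.
#>

[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
Param(
    [Parameter(Mandatory = $true)]
    [string]$Account,

    [Parameter()]
    [ValidateRange(1, 1000)]
    [int]$MaxAttempts
)

try {
    $user = Get-ADUser -Identity $Account -Properties SamAccountName, UserPrincipalName, LockedOut -ErrorAction Stop
}
catch {
    # Report the requested identity; $user is unset on this path.
    Write-Output "$Account not found / valid"
    return 0
}

if ($user.LockedOut) {
    Write-Output "$($user.SamAccountName) is already locked out"
    return 0
}

# Deliberately wrong password: it only has to fail authentication.
$Password = ConvertTo-SecureString 'Not Really My Password' -AsPlainText -Force

# Scrape the lockout threshold from the Default Domain Policy report.
$gpoReport = [xml](Get-GPOReport -Name "Default Domain Policy" -ReportType Xml)
$threshold = ($gpoReport.GPO.Computer.ExtensionData.Extension.Account |
    Where-Object name -eq LockoutBadCount).SettingNumber

if (-not $threshold) {
    Write-Output "There's no lockout policy under `"Default Domain Policy`". You might want to look into that, chief."
    return 1
}

if (-not $PSBoundParameters.ContainsKey('MaxAttempts')) {
    $MaxAttempts = [int]$threshold + 5
}

# $env:LOGONSERVER is "\\DCNAME"; strip the UNC prefix before pinging / remoting to it.
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''
$dc = $null
if ($logonServer -and (Test-Connection -ComputerName $logonServer -Count 1 -Quiet)) {
    $dc = $logonServer
}
elseif ($env:USERDOMAIN -and (Test-Connection -ComputerName $env:USERDOMAIN -Count 1 -Quiet)) {
    # Domain name resolves to some DC via DNS.
    $dc = $env:USERDOMAIN
}
else {
    Write-Output "No DCs to mess with"
    return 1
}

if (-not $PSCmdlet.ShouldProcess($user.SamAccountName, "Generate up to $MaxAttempts failed logons against $dc to lock the account")) {
    return 0
}

$badCred = New-Object System.Management.Automation.PSCredential ($user.UserPrincipalName, $Password)
$attempt  = 0
do {
    $attempt++
    # Each call is one failed logon against $dc; the error is expected and discarded.
    Invoke-Command -ComputerName $dc -ScriptBlock { Get-Process } -Credential $badCred -ErrorAction SilentlyContinue | Out-Null
    $lockedOut = (Get-ADUser -Identity $user.SamAccountName -Properties LockedOut).LockedOut
} until ($lockedOut -or $attempt -ge $MaxAttempts)

if ($lockedOut) {
    Write-Output "$($user.SamAccountName) has been locked out"
}
else {
    Write-Output "$($user.SamAccountName) was not locked out after $attempt attempts (check the lockout policy / a fine-grained password policy)"
    return 1
}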
--------------------------------------------------------------------------------
/AI Tools/loganalyzer.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Abes Ultra Smart Log Analyzer
5 |
Powered by a shitload of AI!
6 |
39 |
85 |
86 |
87 |
Abes AutoMagiculator
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 |
110 |
--------------------------------------------------------------------------------
/API Tools/README.MD:
--------------------------------------------------------------------------------
1 | # API Tools
2 |
3 | ### Start-UserFind.ps1
4 |
5 | This requires the polaris module. It's available from the Powershell Gallery but its an ancient version - go get it from [the source](https://github.com/PowerShell/Polaris).
6 |
7 | You can also read more about it from its [project site](https://powershell.github.io/Polaris/docs/about_GettingStarted.html).
8 |
9 | Just run this script and leave it running. Whatever you put in the hostname, you should be able to reach it at http://$hostName:5000/findme?user="query". Note that this is plain HTTP with no authentication: anyone who can reach port 5000 can query your directory, so firewall the port to the Graylog server (or put the listener behind an authenticating reverse proxy).
10 |
11 | If you want to run it as a service - which I strongly suggest - then I **also** strongly suggest you use [NSSM](https://nssm.cc/)
12 |
13 | #### Setting it up in Graylog
14 |
15 | Do this:
16 |
17 | 
18 |
--------------------------------------------------------------------------------
/API Tools/Start-UserFind.ps1:
--------------------------------------------------------------------------------
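<#
    Start-UserFind.ps1

    Tiny Polaris HTTP endpoint: GET /findme?user=<query> returns JSON with a user's
    title / display name / mail / description ("branch") plus the same for their manager,
    resolved from Active Directory via ADSI.

    SECURITY: Polaris serves plain HTTP and this script adds no authentication, so every
    host that can reach port 5000 can query the directory. Run it on a host that is
    firewalled to the consumer (Graylog) or front it with an authenticating proxy.
#>

$HostName = "ServerName"

Import-Module Polaris

function ConvertTo-LdapFilterValue {
    <#
        Escape a value for use inside an LDAP search filter (RFC 4515) so that query-string
        input cannot inject filter syntax such as "*" or ")(objectClass=*".
        Backslash is escaped first so the other escapes are not double-escaped.
    #>
    param([string]$Value)
    $escaped = $Value   -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

New-PolarisRoute -Path /findme -Method GET -Scriptblock {

    $q = $Request.Query['user']
    if (-not $q) {
        $Response.Send("Try again, friends.")
        return
    }

    $safe = ConvertTo-LdapFilterValue $q

    # Pick the attribute to match on. The previous version bound LDAP://$q directly for
    # "CN=" input, which let a caller read any object by path; a filtered search gives the
    # same lookup without that, and every branch now uses the escaped value.
    if ($q -match '^CN=') {
        $filter = "(distinguishedName=$safe)"
    }
    elseif ($q -match '([a-zA-Z\-]+\s?\b){2,}') {
        $filter = "(cn=$safe)"
    }
    else {
        $filter = "(samAccountName=$safe)"
    }

    $hit = ([adsisearcher]$filter).FindOne()
    if (-not $hit) {
        # Previously a miss dereferenced $null and surfaced as a server error.
        $Response.SetStatusCode(404)
        $Response.Send("No such user.")
        return
    }
    $r = $hit.Properties

    # Manager is a DN returned by AD itself, not caller input; accounts without a
    # manager simply get empty fields instead of a failed bind.
    $qmanager = @{ "title" = ""; "name" = ""; "email" = "" }
    if ($r.manager) {
        $boss = ([adsi]("LDAP://$($r.manager)")).Properties
        $qmanager = @{
            "title" = "$($boss.title)"
            "name"  = "$($boss.name)"
            "email" = "$($boss.mail)"
        }
    }

    $qresponse = @{
        "title"   = "$($r.title)"
        "name"    = "$($r.displayname)"
        "email"   = "$($r.mail)"
        "manager" = $qmanager
        "branch"  = "$($r.description)"
    } | ConvertTo-Json

    $Response.SetContentType('application/json')
    $Response.Send($qresponse)
}

Start-Polaris -Port 5000 -HostName $HostName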
--------------------------------------------------------------------------------
/API Tools/gl_ss.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/grownuphacker/Tools/56519c498a6dd4f2d9c0e42de771ef20f4be92e6/API Tools/gl_ss.png
--------------------------------------------------------------------------------
/Console Tools/Windows-Profile.ps1:
--------------------------------------------------------------------------------
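Function Get-MOTD {
<#
.NAME
    Get-MOTD

.AUTHOR
    By now, I guess I can say me: @BlueTeamNinja

.SYNOPSIS
    Displays system information to a host.

.DESCRIPTION
    The Get-MOTD cmdlet is a system information tool written in PowerShell. It gathers OS,
    CPU, memory, disk and process-count data (locally, or over a PSSession when
    -ComputerName is given), looks up the public IP, and prints it beside an ASCII logo.

    This runs from the profile on every shell start, so the public-IP lookup is bounded by
    a short timeout and its body is only shown if it actually looks like an IP address.

.PARAMETER ComputerName
    Optional remote host(s); data is collected through New-PSSession / Invoke-Command.

.PARAMETER Credential
    Optional credential for the remote session.

.EXAMPLE
    Get-MOTD
    Get-MOTD -ComputerName srv01 -Credential (Get-Credential)
#>

    [CmdletBinding()]
    Param (
        [Parameter(
            Mandatory=$false,
            Position=0)]
        [ValidateNotNullOrEmpty()]
        [string[]]
        $ComputerName,

        [Parameter()]
        [PsCredential]
        [System.Management.Automation.CredentialAttribute()]
        $Credential
    )

    Begin {

        # ScriptBlock for data collection; runs locally or inside the remote session.
        $ScriptBlock = {
            $Operating_System = Get-CimInstance -ClassName Win32_OperatingSystem
            $Logical_Disk = Get-CimInstance -ClassName Win32_LogicalDisk |
                Where-Object -Property DeviceID -eq $Operating_System.SystemDrive

            [pscustomobject]@{
                Operating_System = $Operating_System
                Processor        = Get-CimInstance -ClassName Win32_Processor
                Process_Count    = (Get-Process).Count
                Shell_Info       = "{0}.{1}" -f $PSVersionTable.PSVersion.Major, $PSVersionTable.PSVersion.Minor
                Logical_Disk     = $Logical_Disk
            }
        }
    }

    Process {
        if ($ComputerName) {

            # Parameters for New-PSSession; Credential only when supplied.
            $PSSessionParams = @{
                ComputerName = $ComputerName
                ErrorAction  = 'Stop'
            }
            if ($Credential) {
                $PSSessionParams.Add('Credential', $Credential)
            }

            try {
                $RemoteSession = New-PSSession @PSSessionParams
            }
            catch {
                throw $_.Exception.Message
            }
        }

        # Parameters for Invoke-Command; Session only when remoting.
        $CommandParams = @{
            ScriptBlock = $ScriptBlock
            ErrorAction = 'Stop'
        }
        if ($RemoteSession) {
            $CommandParams.Add('Session', $RemoteSession)
        }

        try {
            $ReturnedValues = Invoke-Command @CommandParams
        }
        catch {
            if ($RemoteSession) {
                Remove-PSSession $RemoteSession
            }
            throw $_.Exception.Message
        }

        # Assign variables
        $Date          = Get-Date
        $OS_Name       = $ReturnedValues.Operating_System.Caption
        $Computer_Name = $ReturnedValues.Operating_System.CSName
        $Kernel_Info   = $ReturnedValues.Operating_System.Version
        $Process_Count = $ReturnedValues.Process_Count
        $Uptime_Span   = $Date - $ReturnedValues.Operating_System.LastBootUpTime
        $Uptime        = "{0} days, {1} hours, {2} minutes" -f $Uptime_Span.Days, $Uptime_Span.Hours, $Uptime_Span.Minutes
        $Shell_Info    = $ReturnedValues.Shell_Info
        $CPU_Info      = $ReturnedValues.Processor.Name -replace '\(C\)', '' -replace '\(R\)', '' -replace '\(TM\)', '' -replace 'CPU', '' -replace '\s+', ' '
        $Current_Load  = $ReturnedValues.Processor.LoadPercentage
        $Memory_Size   = "{0}mb/{1}mb Used" -f (([math]::round($ReturnedValues.Operating_System.TotalVisibleMemorySize/1KB))-
            ([math]::round($ReturnedValues.Operating_System.FreePhysicalMemory/1KB))),([math]::round($ReturnedValues.Operating_System.TotalVisibleMemorySize/1KB))
        $Disk_Size     = "{0}gb/{1}gb Used" -f (([math]::round($ReturnedValues.Logical_Disk.Size/1GB)-
            [math]::round($ReturnedValues.Logical_Disk.FreeSpace/1GB))),([math]::round($ReturnedValues.Logical_Disk.Size/1GB))

        # Public IP: third-party lookup over HTTPS (the old call was plain http and returned
        # whatever page the service served). Short timeout so a blocked or slow network cannot
        # hang the profile; only accept a body that looks like an IPv4/IPv6 address so a
        # captive portal or error page is not echoed to the console.
        try {
            $Raw_IP = (Invoke-WebRequest -Uri 'https://ifconfig.me/ip' -UseBasicParsing -TimeoutSec 3 -ErrorAction Stop).Content.Trim()
            if ($Raw_IP -match '^[0-9a-fA-F:.]{3,45}$') { $Public_IP = $Raw_IP } else { $Public_IP = "Unexpected response" }
        }
        catch {
            $Public_IP = "Internet not detected"
        }

        # Write to the Console
        Write-Host -Object ("")
        Write-Host -Object ("")
        Write-Host -Object (" ,.=:^!^!t3Z3z., ") -ForegroundColor Red
        Write-Host -Object (" :tt:::tt333EE3 ") -ForegroundColor Red
        Write-Host -Object (" Et:::ztt33EEE ") -NoNewline -ForegroundColor Red
        Write-Host -Object (" @Ee., .., $Date") -ForegroundColor Green
        Write-Host -Object (" ;tt:::tt333EE7") -NoNewline -ForegroundColor Red
        Write-Host -Object (" ;EEEEEEttttt33# ") -ForegroundColor Green
        Write-Host -Object (" :Et:::zt333EEQ.") -NoNewline -ForegroundColor Red
        Write-Host -Object (" SEEEEEttttt33QL ") -NoNewline -ForegroundColor Green
        Write-Host -Object ("User: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("$env:UserName") -ForegroundColor Yellow
        Write-Host -Object (" it::::tt333EEF") -NoNewline -ForegroundColor Red
        Write-Host -Object (" @EEEEEEttttt33F ") -NoNewline -ForeGroundColor Green
        Write-Host -Object ("Hostname: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("$Computer_Name") -ForegroundColor Cyan
        Write-Host -Object (" ;3=*^``````'*4EEV") -NoNewline -ForegroundColor Red
        Write-Host -Object (" :EEEEEEttttt33@. ") -NoNewline -ForegroundColor Green
        Write-Host -Object ("OS: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("$OS_Name") -ForegroundColor Cyan
        Write-Host -Object (" ,.=::::it=., ") -NoNewline -ForegroundColor Cyan
        Write-Host -Object ("``") -NoNewline -ForegroundColor Red
        Write-Host -Object (" @EEEEEEtttz33QF ") -NoNewline -ForegroundColor Green
        Write-Host -Object ("Kernel: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("NT ") -NoNewline -ForegroundColor Cyan
        Write-Host -Object ("$Kernel_Info") -ForegroundColor Cyan
        Write-Host -Object (" ;::::::::zt33) ") -NoNewline -ForegroundColor Cyan
        Write-Host -Object (" '4EEEtttji3P* ") -NoNewline -ForegroundColor Green
        Write-Host -Object ("Uptime: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("$Uptime") -ForegroundColor Cyan
        Write-Host -Object (" :t::::::::tt33.") -NoNewline -ForegroundColor Cyan
        Write-Host -Object (":Z3z.. ") -NoNewline -ForegroundColor Yellow
        Write-Host -Object (" ````") -NoNewline -ForegroundColor Green
        Write-Host -Object (" ,..g. ") -NoNewline -ForegroundColor Yellow
        Write-Host -Object ("Shell: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("Powershell $Shell_Info") -ForegroundColor Cyan
        Write-Host -Object (" i::::::::zt33F") -NoNewline -ForegroundColor Cyan
        Write-Host -Object (" AEEEtttt::::ztF ") -NoNewline -ForegroundColor Yellow
        Write-Host -Object ("CPU: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("$CPU_Info") -ForegroundColor Cyan
        Write-Host -Object (" ;:::::::::t33V") -NoNewline -ForegroundColor Cyan
        Write-Host -Object (" ;EEEttttt::::t3 ") -NoNewline -ForegroundColor Yellow
        Write-Host -Object ("Processes: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("$Process_Count") -ForegroundColor Cyan
        Write-Host -Object (" E::::::::zt33L") -NoNewline -ForegroundColor Cyan
        Write-Host -Object (" @EEEtttt::::z3F ") -NoNewline -ForegroundColor Yellow
        Write-Host -Object ("Current Load: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("$Current_Load") -NoNewline -ForegroundColor Cyan
        Write-Host -Object ("%") -ForegroundColor Cyan
        Write-Host -Object (" {3=*^``````'*4E3)") -NoNewline -ForegroundColor Cyan
        Write-Host -Object (" ;EEEtttt:::::tZ`` ") -NoNewline -ForegroundColor Yellow
        Write-Host -Object ("Memory: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("$Memory_Size") -ForegroundColor Cyan
        Write-Host -Object (" ``") -NoNewline -ForegroundColor Cyan
        Write-Host -Object (" :EEEEtttt::::z7 ") -NoNewline -ForegroundColor Yellow
        Write-Host -Object ("System Volume: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("$Disk_Size") -ForegroundColor Cyan
        Write-Host -Object (" 'VEzjt:;;z>*`` ") -NoNewline -ForegroundColor Yellow
        Write-Host -Object ("Public IP: ") -NoNewline -ForegroundColor Red
        Write-Host -Object ("$Public_IP") -ForegroundColor Green
        Write-Host -Object (" ```` ") -ForegroundColor Yellow
        Write-Host -Object ("")
    }

    End {
        # Always tear the remote session down, including on the normal path.
        if ($RemoteSession) {
            Remove-PSSession $RemoteSession
        }
    }
}

Get-MOTD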
193 |
--------------------------------------------------------------------------------
/Exchange Tools/New-SimilarDisplayAlertRule.ps1:
--------------------------------------------------------------------------------
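<#
    New-SimilarDisplayAlertRule.ps1  (by Abe - chief@blueteam.ninja)

    Creates Exchange transport rules that prepend an HTML warning and a subject prefix to
    external mail whose From header matches one of the organisation's mailbox display
    names - the classic display-name-spoofing / BEC pattern.

    The original script floating around did not cope with organisations of more than a
    few hundred mailboxes, so this one pages the mailbox list into $groupsize-sized chunks
    and creates one rule per chunk, labelled by the first surname-ish token of the first
    and last mailbox in the chunk.

    * * * * IF YOU ONLY READ ONE THING, READ THIS * * * *
    Set $RulePrefix to something no other rule uses: to make the run repeatable, every
    existing rule whose name starts with $RulePrefix is deleted WITHOUT prompting before
    the new set is created. Your actions are your own.

    Caveats:
      * HeaderMatchesPatterns are regular expressions matched anywhere in the header, so
        a very short display name will match a lot of legitimate external senders.
      * Rules are deleted before the replacements are created; if New-TransportRule fails
        part-way there is a coverage gap until the next run.
#>

## Declare Variables ##

$RulePrefix    = "BEC Alert"
$SubjectPrefix = "CAUTION"
$CodeLocation  = "${PSScriptRoot}\content\spoof-alert.html"
$groupsize     = 500

# Testing distribution group. The rules default to only firing for members of this
# group; see the SentToScope comment in the rule hashtable to switch to production.
$TestGroup = "InformationTechnology@Domain.com"


# OK - Let's begin!!!

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
$q    = @(Get-Mailbox -ResultSize unlimited | Sort-Object -Property Name | Where-Object { $_.Name -ne "" })
# Join the disclaimer lines with newlines rather than the space-join "$code" produced.
$code = (Get-Content $CodeLocation) -join "`n"

if ($q.Count -eq 0) {
    # Do not delete the existing rules if the mailbox query came back empty.
    Write-Warning "Get-Mailbox returned no mailboxes; leaving existing '$RulePrefix' rules in place."
    return
}

# Index every mailbox (0-based) and chunk the indices into groups of $groupsize.
# The previous version used 1..(count-1), which silently dropped mailbox $q[0].
# Chunking trick from https://stackoverflow.com/a/26850233 - thanks Dave Wyatt.
$biglist = 0..($q.Count - 1)
$counter = [pscustomobject]@{ Value = 0 }
$groups  = $biglist | Group-Object -Property { [math]::Floor($counter.Value++ / $groupsize) }

Write-Verbose "Remove all rules starting with prefix now..."
Get-TransportRule "${RulePrefix}*" | Remove-TransportRule -Confirm:$false

foreach ($gitem in $groups) {

    # Each group holds a run of consecutive indices into $q; use the first and last
    # to slice the mailbox list and to label the rule.
    $firstIndex = [int]$gitem.Group[0]
    $lastIndex  = [int]$gitem.Group[-1]
    $firstItem  = ($q[$firstIndex].Name -split ' ')[0]
    $lastItem   = ($q[$lastIndex].Name -split ' ')[0]

    # Display names become regex patterns in the rule, so escape regex metacharacters;
    # otherwise a name containing "." , "(" or "+" turns into a wildcard or an invalid rule.
    $RuleData = @($q[$firstIndex..$lastIndex].Name | ForEach-Object {
        $_ -replace '([\\.^$|?*+()\[\]{}])', '\$1'
    })
    Write-Verbose ("Group {0}: {1} patterns ({2} to {3})" -f $gitem.Name, $RuleData.Count, $firstItem, $lastItem)

    $Rule = @{
        Name                       = "${RulePrefix}: $firstItem to $lastItem"
        PrependSubject             = "${SubjectPrefix}: "
        HeaderMatchesMessageHeader = "From"
        HeaderMatchesPatterns      = $RuleData
        FromScope                  = "NotInOrganization"
        ## To switch to PROD uncomment SentToScope and remove the SentToMemberOf line
        #SentToScope               = "InOrganization"

        # Testing Distribution List
        SentToMemberOf             = $TestGroup

        ApplyHtmlDisclaimerText     = "$code"
        ApplyHtmlDisclaimerLocation = "Prepend"
    }

    New-TransportRule @Rule
}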
--------------------------------------------------------------------------------
/Exchange Tools/README.md:
--------------------------------------------------------------------------------
1 | # BEC Caution Script v0.1
2 |
3 | This is a pretty straightforward tool that is designed to be run on a schedule (hourly, daily, weekly, manual - up to you).
4 |
5 | Just run it each time and it'll poll your latest list of mailbox names and create transport rules that display a small banner on external mail whose From header matches one of those names, indicating that it is not likely friendly. Note that each run deletes and recreates every rule whose name starts with the configured prefix.
6 |
7 | Default appearance
8 | 
9 |
10 | Comments welcome.
11 |
12 | ### Read the code before running
13 |
14 | Instructions:
15 |
16 | 1. Save this PS1 and the content folder on an Exchange Server
17 | 2. Modify the example to include a sample user base from a distribution list (IT@domain.com)
18 | 3. Set a Scheduled Task to run it again every X
19 |
--------------------------------------------------------------------------------
/Exchange Tools/content/spoof-alert.html:
--------------------------------------------------------------------------------
1 |
WARNING: This sender is NOT FROM YOUR ORGANIZATION but has a display name similar to someone who is. This is highly likely to be a scam email.
2 |
--------------------------------------------------------------------------------
/File Tools/Get-UserShareReport.ps1:
--------------------------------------------------------------------------------
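<#
    Get-UserShareReport.ps1

    Enumerates every disk share (Type=0) on $fileserver, treats the share name minus any
    trailing "$" as a user's samAccountName, and writes one CSV per share plus a combined
    _TotalResults.csv listing each file with its age, size and a coarse category.

    Things a consumer of the report should know:
      * Get-ChildItem runs with -ErrorAction SilentlyContinue, so folders the running
        account cannot read are skipped silently and the totals under-count.
      * Categories are unanchored substring matches on the extension (kept from the
        original), so "docx" lands in Office via "doc" - but so does any extension that
        merely contains "doc".
      * Owner attributes are looked up in AD per share and reset per share; a share whose
        name does not resolve to a user is reported as "Unknown", never as the previous
        share's owner.
#>

$reportpath = "E:\UserDiskReports\"
$fileserver = "SRV_USERSHARE"

<#
# Optional: archive the previous run before writing a new one.
$RunDate = Get-Date -format MM-dd-yyyy
$FullPath = ($reportpath + "\" + "Archive\" + $RunDate)
New-Item $FullPath -ItemType Directory -Force
Move-Item $reportpath\* $FullPath
#>

function ConvertTo-LdapFilterValue {
    <#
        Escape a value for use inside an LDAP search filter (RFC 4515). Share names come
        from the file server, not from AD, so they are not trusted as filter syntax.
    #>
    param([string]$Value)
    $escaped = $Value   -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

## This works as long as its all at the Root of the share eg. \\SRV_USERSHARE\BossMan$\ -- Modify the Path expression in the next line if not
$shareList = @(Get-WmiObject -Class Win32_Share -ComputerName $fileserver -Filter "Type=0" |
    Select-Object @{ Name = 'Path'; Expression = { "\\" + $fileserver + "\" + $_.Name } }, Name)

## Resuming a broken instance
## Run the share query above as a selection, trim the CSV from wherever you cancelled or broke your universe,
## then run:  $shareList | Export-Csv E:\resume.csv -NoTypeInformation -NoClobber
## and import it here to resume your daily dose of Awesomeness.
#$shareList = @(Import-Csv "E:\resume.csv")

# Progress indicator
$total   = $shareList.Count
$counter = 0
$results = New-Object System.Collections.Generic.List[object]

foreach ($share in $shareList) {
    $counter++
    $shareResults = New-Object System.Collections.Generic.List[object]
    $shareName    = $share.Name.Split('$')[0]

    # Reset owner details for every share. Previously these were only assigned on a
    # successful lookup, so a share with no matching user inherited the last share's owner.
    $username       = "Unknown"
    $userdepartment = "Unknown"
    $userbranch     = "Unknown"

    Write-Progress -Activity "Indexing Files of $shareName" -Status "Reading Files" -PercentComplete ($counter / $total * 100) -Id 1

    try {
        $filter = "(samAccountName=$(ConvertTo-LdapFilterValue $shareName))"
        $hit = ([adsisearcher]$filter).FindOne()
        if ($hit) {
            $userdetails    = $hit.Properties
            $userbranch     = [string]$userdetails.physicaldeliveryofficename
            $username       = [string]$userdetails.displayname
            $userdepartment = [string]$userdetails.department
        }
    }
    catch {
        Write-Verbose "AD lookup for '$shareName' failed: $($_.Exception.Message)"
    }

    $files = @(Get-ChildItem $share.Path -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object BaseName, Extension, Length, LastWriteTime, FullName)

    $subtotal   = $files.Count
    $subcounter = 0

    foreach ($file in $files) {

        $subcounter++
        $filePath        = $file.FullName
        $currentfilename = $file.BaseName
        Write-Progress -Activity "Analyzing Files of $shareName owned by $username" -Status "Processing $currentfilename" -PercentComplete ($subcounter / $subtotal * 100) -ParentId 1

        $Age  = ((Get-Date) - $file.LastWriteTime).Days
        $Type = ([string]$file.Extension).TrimStart('.')
        Write-Verbose "File extension is: $Type"
        $Size = $file.Length

        # switch -Regex is an unanchored, case-insensitive match, same as the -match chain it replaces.
        switch -Regex ($Type) {
            '(doc?|dot?|xlk?|xls?|xlt?|xlm?|xla?|xll?|xlw?|ppt?|pot?|ppa?|pps?|sld?|acc?|pub|pdf|txt|csv|mpp|tsv|tab)' { $TypeCategory = "Office"; break }
            '(msg|pst|ost|eml)'                                   { $TypeCategory = "Email"; break }
            '(gif|jpg|jpeg|tif|png|bmp|jp2|ai|eps|svg|wmf)'      { $TypeCategory = "Images"; break }
            '(7z|zip|rar|cab|gzip|gz|tgz)'                        { $TypeCategory = "Archives"; break }
            '(shp|shx|dbf|tab|kml|gml|apr|kmz)'                   { $TypeCategory = "GIS"; break }
            '(flac|aif?|m4a|wma|mp3|wav|mid|m3u)'                 { $TypeCategory = "Audio"; break }
            '(mkv|avi|divx|mov|rm|wmv|mp4|mpg|mpeg|qt)'           { $TypeCategory = "Video"; break }
            default                                               { $TypeCategory = "Other" }
        }

        # Hashing every file is expensive on large shares; enable deliberately.
        # $sha1 = (Get-FileHash $filePath -Algorithm sha1).Hash

        $shareResults.Add([PSCustomObject]@{
            AgeDays        = $Age
            Extension      = $Type
            Category       = $TypeCategory
            Share          = $shareName
            ShareType      = "User"
            UserName       = $username
            UserDepartment = $userdepartment
            UserBranch     = $userbranch
            Size           = $Size
            SizeMB         = ($Size) / 1MB
            SizeGB         = ($Size) / 1GB
            # SHA1         = $sha1
            Path           = $filePath
        })
    }

    # -Force alone: the old -NoClobber -Force pairing refused to overwrite a previous
    # run's CSV, which broke re-runs once the archive block above was commented out.
    $shareResults | Export-Csv (Join-Path $reportpath "$shareName.csv") -NoTypeInformation -Force
    $results.AddRange($shareResults)
}

$results | Export-Csv (Join-Path $reportpath "_TotalResults.csv") -NoTypeInformation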
--------------------------------------------------------------------------------
/General Tools/Configs/conemu.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 |
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 |
186 |
187 |
188 |
189 |
190 |
191 |
192 |
193 |
194 |
195 |
196 |
197 |
198 |
199 |
200 |
201 |
202 |
203 |
204 |
205 |
206 |
207 |
208 |
209 |
210 |
211 |
212 |
213 |
214 |
215 |
216 |
217 |
218 |
219 |
220 |
221 |
222 |
223 |
224 |
225 |
226 |
227 |
228 |
229 |
230 |
231 |
232 |
233 |
234 |
235 |
236 |
237 |
238 |
239 |
240 |
241 |
242 |
243 |
244 |
245 |
246 |
247 |
248 |
249 |
250 |
251 |
252 |
253 |
254 |
255 |
256 |
257 |
258 |
259 |
260 |
261 |
262 |
263 |
264 |
265 |
266 |
267 |
268 |
269 |
270 |
271 |
272 |
273 |
274 |
275 |
276 |
277 |
278 |
279 |
280 |
281 |
282 |
283 |
284 |
285 |
286 |
287 |
288 |
289 |
290 |
291 |
292 |
293 |
294 |
295 |
296 |
297 |
298 |
299 |
300 |
301 |
302 |
303 |
304 |
305 |
306 |
307 |
308 |
309 |
310 |
311 |
312 |
313 |
314 |
315 |
316 |
317 |
318 |
319 |
320 |
321 |
322 |
323 |
324 |
325 |
326 |
327 |
328 |
329 |
330 |
331 |
332 |
333 |
334 |
335 |
336 |
337 |
338 |
339 |
340 |
341 |
342 |
343 |
344 |
345 |
346 |
347 |
348 |
349 |
350 |
351 |
352 |
353 |
354 |
355 |
356 |
357 |
358 |
359 |
360 |
361 |
362 |
363 |
364 |
365 |
366 |
367 |
368 |
369 |
370 |
371 |
372 |
373 |
374 |
375 |
376 |
377 |
378 |
379 |
380 |
381 |
382 |
383 |
384 |
385 |
386 |
387 |
388 |
389 |
390 |
391 |
392 |
393 |
394 |
395 |
396 |
397 |
398 |
399 |
400 |
401 |
402 |
403 |
404 |
405 |
406 |
407 |
408 |
409 |
410 |
411 |
412 |
413 |
414 |
415 |
416 |
417 |
418 |
419 |
420 |
421 |
422 |
423 |
424 |
425 |
426 |
427 |
428 |
429 |
430 |
431 |
432 |
433 |
434 |
435 |
436 |
437 |
438 |
439 |
440 |
441 |
442 |
443 |
444 |
445 |
446 |
447 |
448 |
449 |
450 |
451 |
452 |
453 |
454 |
455 |
456 |
457 |
458 |
459 |
460 |
461 |
462 |
463 |
464 |
465 |
466 |
467 |
468 |
469 |
470 |
471 |
472 |
473 |
474 |
475 |
476 |
477 |
478 |
479 |
480 |
481 |
482 |
483 |
484 |
485 |
486 |
487 |
488 |
489 |
490 |
491 |
492 |
493 |
494 |
495 |
496 |
497 |
498 |
499 |
500 |
501 |
502 |
503 |
504 |
505 |
506 |
507 |
508 |
509 |
510 |
511 |
512 |
513 |
514 |
515 |
516 |
517 |
518 |
519 |
520 |
521 |
522 |
523 |
524 |
525 |
526 |
527 |
528 |
529 |
530 |
531 |
532 |
533 |
534 |
535 |
536 |
537 |
538 |
539 |
540 |
541 |
542 |
543 |
544 |
545 |
546 |
547 |
548 |
549 |
550 |
551 |
552 |
553 |
554 |
555 |
556 |
557 |
558 |
559 |
560 |
561 |
562 |
563 |
564 |
565 |
566 |
567 |
568 |
569 |
570 |
571 |
572 |
573 |
574 |
575 |
576 |
577 |
578 |
579 |
580 |
581 |
582 |
583 |
584 |
585 |
586 |
587 |
588 |
589 |
590 |
591 |
592 |
593 |
594 |
595 |
596 |
597 |
598 |
599 |
600 |
601 |
602 |
603 |
604 |
605 |
606 |
607 |
608 |
609 |
610 |
611 |
612 |
613 |
614 |
615 |
616 |
617 |
618 |
619 |
620 |
621 |
622 |
623 |
624 |
625 |
626 |
627 |
628 |
629 |
630 |
631 |
632 |
633 |
634 |
635 |
636 |
637 |
638 |
639 |
640 |
641 |
642 |
643 |
644 |
645 |
646 |
647 |
648 |
649 |
650 |
651 |
652 |
653 |
654 |
655 |
656 |
657 |
658 |
659 |
660 |
661 |
662 |
663 |
664 |
665 |
666 |
667 |
668 |
669 |
670 |
671 |
672 |
673 |
674 |
675 |
676 |
677 |
678 |
679 |
680 |
681 |
682 |
683 |
684 |
685 |
686 |
--------------------------------------------------------------------------------
/General Tools/DualBoot_SurfaceArc/README.md:
--------------------------------------------------------------------------------
1 | # Pair a Surface ARC in both OS's
2 |
3 | I forked this from somewhere. I'll try to remember to update this with the source.
4 |
5 | 1. Pair your mouse in Linux
6 | 2. Reboot, pair in Windows (expect the Linux pairing to stop working until it is repaired in step 8)
7 | 3. Reboot, leave your mouse off
8 | 4. Mount your windows partition, may need to remove the hiberfile
9 | `mount /dev/nvme01p04 /media/primary -t ntfs-3g -o remove_hiberfile` (double-check the device node before running this - it's from memory, and NVMe partitions are normally named like `/dev/nvme0n1p4`; removing the hiberfile discards Windows' hibernation state, so shut Windows down fully rather than hibernating)
10 | 5. use / install chntpw `sudo apt install chntpw`
11 | `python3.7 export-bluetooth.py --system /media/primary/Windows/System32/config/SYSTEM --template surface_arc_template` (the script in this folder is `export-bluetooth.py`; its built-in usage text still calls it `export-ble-infos.py`). Reading the SYSTEM hive needs root.
12 | 7. Backup your old pairing, just in case `mv /var/lib/bluetooth/_YOURMAC_ ~/Downloads/YOURMAC.OLD`
13 | 8. Copy your new export to the bluetooth dir `cp bluetooth/_YOURMAC_ /var/lib/bluetooth/`. The exported file contains the pairing keys (LongTermKey / IdentityResolvingKey), so keep the working copy out of shared locations and delete it once it's installed.
14 | 9. `service bluetooth stop && service bluetooth force-reload && service bluetooth start`
15 |
16 | ## Something like that.
17 | Note: Dragons do be here.
18 |
--------------------------------------------------------------------------------
/General Tools/DualBoot_SurfaceArc/export-bluetooth.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | """
3 | Export your Windows Bluetooth LE keys into Linux!
4 |
5 | Thanks to: http://console.systems/2014/09/how-to-pair-low-energy-le-bluetooth.html
6 |
7 | Usage:
8 |
9 | $ ./export-ble-infos.py
10 | $ sudo bash -c 'cp -r ./bluetooth /var/lib && service bluetooth force-reload'
11 | $ rm -r bluetooth
12 | """
13 |
14 | import os
15 | import shutil
16 | import subprocess
17 | import sys
18 | import tempfile
19 |
20 | from configparser import ConfigParser
21 | from optparse import OptionParser
22 |
23 | default_template = """
24 | [General]
25 | Name=Designer Mouse
26 | Appearance=0x03c2
27 | AddressType=static
28 | SupportedTechnologies=LE;
29 | Trusted=true
30 | Blocked=false
31 | Services=00001800-0000-1000-8000-00805f9b34fb;00001801-0000-1000-8000-00805f9b34fb;0000180a-0000-1000-8000-00805f9b34fb;0000180f-0000-1000-8000-00805f9b34fb;00001812-0000-1000-8000-00805f9b34fb;
32 |
33 | [IdentityResolvingKey]
34 | Key=
35 |
36 | [LocalSignatureKey]
37 | Key=
38 | Counter=0
39 | Authenticated=false
40 |
41 | [LongTermKey]
42 | Key=
43 | Authenticated=0
44 | EncSize=16
45 | EDiv=
46 | Rand=
47 |
48 | [DeviceID]
49 | Source=2
50 | Vendor=1118
51 | Product=2053
52 | Version=272
53 |
54 | [ConnectionParameters]
55 | MinInterval=6
56 | MaxInterval=6
57 | Latency=60
58 | Timeout=300
59 | """
60 |
61 |
62 | def main():
63 | parser = OptionParser()
64 | parser.add_option("-v", "--verbose", action='store_true', dest='verbose')
65 | parser.add_option("-s", "--system", dest="system", metavar="FILE",
66 | default="/media/mygod/Windows/Windows/System32/config/system",
67 | help="SYSTEM file in Windows. Usually at /Windows/System32/config/system.")
68 | parser.add_option("-k", "--key", dest="key", metavar="KEY",
69 | default=r"ControlSet001\Services\BTHPORT\Parameters\Keys",
70 | help="Registry key for BT. [default: %default]")
71 | parser.add_option("-o", "--output", dest="output", metavar="DIR", default="bluetooth",
72 | help="Output directory. [default: %default]")
73 | parser.add_option("-t", "--template", dest="template", metavar="FILE", help="Template file.")
74 | parser.add_option("-a", "--attributes", dest='attributes', help="Additional attributes file to be copied.")
75 | options, args = parser.parse_args()
76 |
77 | if options.template:
78 | with open(options.template) as file:
79 | template = file.read()
80 | else:
81 | template = default_template
82 |
83 | out = tempfile.mktemp(".reg")
84 | reged = subprocess.Popen(["reged", "-x", options.system, '\\', options.key, out], stdout=sys.stderr)
85 | reged.wait()
86 | if reged.returncode:
87 | return reged.returncode
88 | dump = ConfigParser()
89 | with open(out) as file:
90 | reged_out = file.read()
91 | if options.verbose:
92 | print(reged_out)
93 | dump.read_string(reged_out.split('\n', 1)[1])
94 | os.unlink(out)
95 |
96 | for section in dump:
97 | path = section[len(options.key) + 2:].split('\\')
98 | assert not path[0]
99 | if len(path) == 3:
100 | path[1] = ':'.join([path[1][i:i + 2] for i in range(0, len(path[1]), 2)]).upper()
101 | path[2] = ':'.join([path[2][i:i + 2] for i in range(0, len(path[2]), 2)]).upper()
102 | print("Dumping {}/{}...".format(path[1], path[2]))
103 | config = ConfigParser()
104 | config.optionxform = str
105 | config.read_string(template)
106 |
107 | def read_reg(key, expected_type):
108 | def read_reg_actual(key, expected_type):
109 | actual_type, content = dump[section]['"{}"'.format(key)].split(':', 1)
110 | if expected_type == 'hex16':
111 | assert actual_type == 'hex'
112 | content = content.split(',')
113 | assert len(content) == 16
114 | return ''.join(content).upper()
115 | if expected_type == 'qword':
116 | assert actual_type == 'hex(b)'
117 | content = content.split(',')
118 | assert len(content) == 8
119 | return str(int(''.join(content[::-1]), 16))
120 | if expected_type == 'dword':
121 | assert actual_type == expected_type
122 | return str(int(content, 16))
123 | assert False
124 | result = read_reg_actual(key, expected_type)
125 | if options.verbose:
126 | print("{} of type {}: {}".format(key, expected_type, result))
127 | return result
128 | config['LongTermKey']['Key'] = read_reg('LTK', 'hex16')
129 | # KeyLength ignored for now
130 | config['LongTermKey']['Rand'] = read_reg('ERand', 'qword')
131 | config['LongTermKey']['EDiv'] = read_reg('EDIV', 'dword')
132 | config['LocalSignatureKey']['Key'] = read_reg('CSRK', 'hex16')
133 | output_dir = os.path.join(options.output, path[1], path[2])
134 | os.makedirs(output_dir, exist_ok=True)
135 | with open(os.path.join(output_dir, 'info'), 'w') as file:
136 | config.write(file, False)
137 | if options.attributes:
138 | shutil.copyfile(options.attributes, os.path.join(output_dir, 'attributes'))
139 |
140 |
141 | if __name__ == "__main__":
142 | sys.exit(main())
143 |
--------------------------------------------------------------------------------
/General Tools/DualBoot_SurfaceArc/surface_arc_template:
--------------------------------------------------------------------------------
1 | [General]
2 | Name=Arc Touch BT Mouse
3 | Appearance=0x03c2
4 | AddressType=static
5 | SupportedTechnologies=LE;
6 | Trusted=true
7 | Blocked=false
8 | Services=00001800-0000-1000-8000-00805f9b34fb;00001801-0000-1000-8000-00805f9b34fb;0000180a-0000-1000-8000-00805f9b34fb;0000180f-0000-1000-8000-00805f9b34fb;00001812-0000-1000-8000-00805f9b34fb;
9 |
10 | [LocalSignatureKey]
11 | Key=
12 | Counter=0
13 | Authenticated=false
14 |
15 | [LongTermKey]
16 | Key=
17 | Authenticated=0
18 | EncSize=16
19 | EDiv=
20 | Rand=
21 |
22 | [DeviceID]
23 | Source=2
24 | Vendor=1118
25 | Product=2052
26 | Version=1
27 |
--------------------------------------------------------------------------------
/General Tools/Enable-CopyPaste.ps1:
--------------------------------------------------------------------------------
1 | # Some hack and Glue to enable Copy/Paste -- including GUI options for esx 6.7+
2 | # by Abe
3 | # Do not Fold or Bend
4 |
5 | Import-Module VMware.PowerCLI
6 | $server = Read-Host -Prompt "Enter VSphere Server"
7 | Write-Progress -Activity "Connecting"
8 | try{
9 | $no_visual = Connect-VIserver $server -ErrorAction Stop
10 | }catch [Client20_ConnectivityServiceImpl_Reconnect_SoapException,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer]{
11 | Write-Output "Access Denied"
12 | $cr = Get-Credential -Message "Enter VSphere Credentials"
13 | $no_visual = Connect-VIServer $Server -Credential $cr -ErrorAction
14 | }
15 | Write-Progress -Activity "Connecting"
16 |
17 | $query = Read-Host -Prompt "Server(s) to modify (wildcard OK)"
18 | Write-Progress -Activity "Connecting" -Status "Locating VMs"
19 | $VMs = Get-VM $query
20 | $results = @()
21 | $pr_count = 0
22 | $pr_total = $VMs | Measure-Object | Select-Object -ExpandProperty Count
23 | foreach ($vm in $VMs){
24 | $pr_count++;
25 | $currentVM = $vm.Name
26 | Write-Progress -Activity "Scanning VMs" -Status "Processing: $currentVM" -PercentComplete ($pr_count / $pr_total * 100)
27 | #Remove the accidental copy.enable line
28 | $copy = Get-AdvancedSetting -Entity $vm.Name -Name "isolation.tools.copy.disable"
29 | $paste = Get-AdvancedSetting -Entity $vm.Name -Name "isolation.tools.paste.disable"
30 | $gui = Get-AdvancedSetting -Entity $vm.Name -Name "isolation.tools.setGUIOptions.enable"
31 |
32 | if($copy) {$no_visual = Get-AdvancedSetting -Entity $vm.Name -Name "isolation.tools.copy.disable" | Set-AdvancedSetting -Value "FALSE" -Confirm:$false;$ActionCopy ="SET" }else{
33 | $no_visual = New-AdvancedSetting -Entity $currentVM -Name "isolation.tools.copy.disable" -Value "FALSE" -Confirm:$false;$ActionCopy ="CREATED"
34 | }
35 | if($paste) { $no_visual = Get-AdvancedSetting -Entity $vm.Name -Name "isolation.tools.paste.disable" | Set-AdvancedSetting -Value "FALSE" -Confirm:$false;$ActionPaste ="SET" }else{
36 | $no_visual = New-AdvancedSetting -Entity $currentVM -Name "isolation.tools.paste.disable" -Value "FALSE" -Confirm:$false;$ActionPaste ="CREATED"
37 | }
38 | if($gui) { $no_visual = Get-AdvancedSetting -Entity $vm.Name -Name "isolation.tools.setGUIOptions.enable" | Set-AdvancedSetting -Value "TRUE" -Confirm:$false;$ActionGUI ="SET" }else{
39 | $no_visual = New-AdvancedSetting -Entity $currentVM -Name "isolation.tools.setGUIOptions.enable" -Value "TRUE" -Confirm:$false;$ActionGUI ="CREATED"
40 | }
41 | $lineout = New-Object PSObject -Property @{
42 |
43 | VM = $currentVM
44 | Copy = $ActionCopy
45 | Paste = $ActionPaste
46 | GUI = $ActionGUI
47 | }
48 | $results += $lineout
49 | }
50 | $results
51 |
--------------------------------------------------------------------------------
/General Tools/Get-FileShareReport.ps1:
--------------------------------------------------------------------------------
1 | <#
2 |
3 | .NOTES
4 | Author: Adam "Abe" Abernethy
5 | Twitter: @ReallyBigAbe
6 | Go here: https://blueteam.ninja
7 |
8 | Don't be a mean person.
9 |
10 | .SYNOPSIS
11 |
12 | Scans all the shares on a given server and dumps out a report.
13 |
14 | .DESCRIPTION
15 |
16 | A report of the contents of a File Server, with some basic extension categorizations.
17 | Basically - import this report into PowerBI and get a really cool look at what stored on a Fileshare.
18 |
19 | If you don't send any parameters, you'll get the local system.
20 |
21 | .PARAMETER ReportPath
22 |
23 | A location to save the Reports created for each share
24 |
25 | .PARAMETER Server
26 |
27 | The File Server(s) to unleash the madness on.
28 |
29 |
30 | .INPUTS
31 |
32 | None. Not pipeable at this time.
33 |
34 | .OUTPUTS
35 |
36 | The output from the scan, grouped by extension.
37 |
38 | .EXAMPLE
39 |
40 | C:\PS> Get-FileShareReport -Server LUNARSERVE -ReportPath C:\Visualizations\LUNARSERVE
41 |
42 | Summary of Virtual Machines
43 | -----------------------
44 |
45 | Sum Category
46 | --- --------
47 | 8214.2 MB Other
48 | 1.9 MB Office
49 | 0.3 MB Images
50 | 127117 MB Virtualization
51 |
52 |
53 | #>
54 |
55 | [CmdletBinding()]
56 | param (
57 | [Parameter(Mandatory=$true)]
58 | [string]$ReportPath,
59 | [Parameter(Mandatory=$false)]
60 | [string]$fileserver
61 | )
62 |
63 | if(!$fileserver){
64 | $fileserver = $env:COMPUTERNAME
65 | }
66 |
67 | if(-not(Test-Path $reportpath\*)){
68 | Write-Verbose "Report Path didn't make it, so a delice sledgehammer will forge it for you."
69 | New-Item -ItemType Directory -Path (Join-Path $reportpath (get-date -format dd.MM.yyyy))
70 | }
71 |
72 | #Archive existing reports, or just toss everything in that folder over and OWN it. MINE
73 | Move-Item $reportpath\* "$reportpath\Archive_(get-date -format dd.MM.yyyy)" -Force -ErrorAction SilentlyContinue
74 |
75 | $results = @()
76 |
77 | $fsharedrivelist = Get-WmiObject -Class Win32_share -ComputerName $fileserver -filter "Type=0" | Select-Object @{Name='Path';e={"\\"+$fileserver+"\" + $_.name}},Name
78 |
79 | foreach($fshare in $fsharedrivelist){
80 |
81 | $fshareOwner = $fshare.Name
82 | Write-Progress -Activity "Indexing Files of $fshareOwner" -Status "Reading Files"
83 |
84 | $filename = $reportpath + "\" + $fshare.Name + ".csv"
85 |
86 | $files = @()
87 |
88 | $files = Get-ChildItem $fshare.Path -Recurse -File | Select Basename,extension,Length,LastWriteTime
89 |
90 |
91 |
92 | foreach($file in $files){
93 | $currentfilename = $file.BaseName
94 | Write-Progress -Activity "Analyzing Files of $fshareOwner" -Status "Processing $currentfilename"
95 | $Age = ((Get-Date) - $file.LastWriteTime).Days
96 | $Type = [string]($file.Extension).split(".")[1]
97 | Write-Verbose "File extension is: $Type"
98 | $Size = $file.Length
99 | Switch -regex($Type)
100 | {
101 | {$Type -match '(doc?|dot?|xlk?|xls?|xlt?|xlm?|xla?|xll?|xlw?|ppt?|pot?|ppa?|pps?|sld?|acc?|pub|pdf|txt|csv|mpp|tsv|tab)'} {$TypeCategory = "Office";break}
102 | {$Type -match '(msg|pst|ost|eml)'} {$TypeCategory = "Email";break}
103 | {$Type -match '(gif|jpg|jpeg|tif|png|bmp|jp2|ai|eps|svg|wmf)'} {$TypeCategory = "Images";break}
104 | {$Type -match '(7z|zip|rar|cab|gzip|gz|tgz)'} {$TypeCategory = "Archives";break}
105 | {$Type -match '(shp|shx|dbf|tab|kml|gml|apr|kmz)'} {$TypeCategory = "GIS";break}
106 | {$Type -match '(flac|aif?|m4a|wma|mp3|wav|mid|m3u)'} {$TypeCategory = "Audio";break}
107 | {$Type -match '(vmdk|vmx|vmxf|nvram)'} {$TypeCategory = "Virtualization";break}
108 | {$Type -match '(mkv|avi|divx|mov|rm|wmv|mp4|mpg|mpeg|qt)'} {$TypeCategory = "Video";break}
109 | default {$TypeCategory = "Other"}
110 |
111 | }
112 | Write-Verbose "Category is $TypeCategory"
113 | $LineOut = New-Object -Type PSObject -Property @{
114 | #Name = $file.BaseName
115 | 'Age (Days)' = $Age
116 | Extension = $Type
117 | Category = $TypeCategory
118 | Branch = $fshareOwner
119 | Size = $Size
120 | }
121 |
122 | Write-Verbose "Age $Age Extension $Type Category $TypeCategory Branch $fshareOwner Size $Size"
123 |
124 | $results += $LineOut
125 | }
126 |
127 | Write-Output "Summary of $fshareOwner"
128 | Write-Output "-----------------------"
129 | $results | Group-Object Category | ForEach-Object {
130 | New-Object -Type PSObject -Property @{
131 | "Category" = ($_.Group | Select-Object -Unique Category).Category
132 | "Sum" = [math]::Round((($_.Group | Measure-Object Size -sum).Sum/1MB),1).ToSTring() + " MB"
133 | }
134 | } | Format-Table -AutoSize
135 |
136 | Write-Verbose "Saving the file now"
137 | $results | Export-Csv $filename -NoTypeInformation
138 | }
139 |
140 |
141 |
--------------------------------------------------------------------------------
/General Tools/Get-OpenPorts.ps1:
--------------------------------------------------------------------------------
1 | <#
2 |
3 | .NOTES
4 | Author: Adam "Abe" Abernethy
5 | Twitter: @ReallyBigAbe
6 | Go here: https://blueteam.ninja
7 |
8 | Don't be a mean person.
9 |
10 | .SYNOPSIS
11 |
12 | Displays the listening ports and what's listening.
13 |
14 | .DESCRIPTION
15 |
16 | A cmdlet that I use quite regularly as a replacement for netstat. It's bound, so you run it once or drop it in a profile and
17 | just keep profitting. Depending on how much SVCHost you have, it can be a bit sluggish - but that's because WMI queries tend to suck.
18 |
19 | More importantly, I suck at writing them fast.
20 |
21 | .PARAMETER Nada
22 |
23 | Nothing to see here. Move along.
24 |
25 |
26 | .INPUTS
27 |
28 | None. Not pipeable at this time.
29 |
30 | .OUTPUTS
31 |
32 | The output from the Get-NetTCPConnection formatted as per my will, grouped by IP Type, then Port.
33 |
34 | .EXAMPLE
35 |
36 | C:\PS>.\Get-OpenPorts.ps1
37 | C:\PS> Get-OpenPorts
38 |
39 | [List displayed]
40 |
41 | #>
42 |
43 | Function Get-OpenPorts {
44 | [cmdletbinding()]
45 | param()
46 | $results = @()
47 |
48 | $GlobalListeners = Get-NetTCPConnection | Where-Object {$_.State -eq "Listen"}
49 |
50 | foreach($Listening in $GlobalListeners) {
51 | #Reset the variable
52 | $ListenerProcess = $null
53 | try{
54 | $ListenerProcess = (Get-Process -PID $Listening.OwningProcess).ProcessName
55 | }catch{}
56 | if($ListenerProcess -eq "svchost"){
57 | try{
58 | $ListenerProcess += ": " + (Get-WmiObject -Class Win32_Service | Where-Object {$_.ProcessID -eq $Listening.OwningProcess}).Name
59 | } catch{}
60 | }
61 |
62 | if($Listening.LocalAddress -match ":"){
63 | $IPType = "IPv6"
64 | }else{
65 | $IPType = "IPv4"
66 | }
67 | $lineout = New-Object PSobject -Property @{
68 | "Local Address" = $Listening.LocalAddress;
69 | "Listening Port" = $Listening.LocalPort;
70 | "IP Type" = $IPType
71 | "Process Name" = $ListenerProcess
72 | "PID" = $Listening.OwningProcess
73 | }
74 |
75 | $results += $lineout
76 | }
77 |
78 | $results | Sort-Object -Property "IP Type","Listening Port"
79 | }
80 |
--------------------------------------------------------------------------------
/General Tools/Get-UninstallString.ps1:
--------------------------------------------------------------------------------
1 | $app = "java"
2 | Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall |
3 | Get-ItemProperty | Where-Object {$_.DisplayName -match "$app" } | Select-Object -Property DisplayName, UninstallString | fl
4 |
--------------------------------------------------------------------------------
/General Tools/Send-SMSAlert.ps1:
--------------------------------------------------------------------------------
1 | <#
2 |
3 | .NOTES
4 | Author: Adam "Abe" Abernethy
5 | Twitter: @ReallyBigAbe
6 | Go here: https://blueteam.ninja
7 |
8 | Don't be a mean person.
9 |
10 | .SYNOPSIS
11 |
12 | Send an SMS over Plivo
13 |
14 | .DESCRIPTION
15 |
16 | This makes a simple API call using the Plivo API, passing on your number and Credentials
17 |
18 | .PARAMETER recipients
19 |
20 | All destination numbers in a string. Numbers include country code, and are separated by
21 | the less-than symbol. <
22 |
23 | .PARAMETER source
24 |
25 | Your source phone number based on your account.
26 |
27 | .PARAMETER message
28 |
29 | The Content of your SMS.
30 |
31 | .PARAMETER plivoID
32 |
33 | The 20 character ID of your Plivo account
34 |
35 | .PARAMETER AuthKey
36 |
37 | Your authentication to the API. I believe these are typically 40 characters
38 |
39 |
40 |
41 | .INPUTS
42 |
43 | None. Not pipeable at this time.
44 |
45 | .OUTPUTS
46 |
47 | The JSON results returned by the API.
48 |
49 | .EXAMPLE
50 |
51 | C:\PS> Send-SMSALert -recipients 12023034444<13134145555 -source 15550009999 `
52 | -plivoID ABCDEFGHIJKLMNOPQRST -AuthKey AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTT `
53 | -message "You may turn in your hat and badge, thank-you for your service"
54 |
55 | .EXAMPLE
56 |
57 | C:\PS> $smsparms = @{
58 | 'recipients' = '12023034444<13134145555';
59 | 'source' = '15550009999';
60 | 'plivoID' = 'ABCDEFGHIJKLMNOPQRST';
61 | 'AuthKey' = 'AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTT'
62 | 'message' = "You may turn in your hat and badge, thank-you for your service"
63 | }
64 | C:\PS>Send-SMSAlert $smsparms
65 |
66 |
67 |
68 | #>
69 |
70 | param (
71 | [Parameter(Mandatory=$true)]
72 | [string]$recipients,
73 | [Parameter(Mandatory=$true)]
74 | [string]$source,
75 | [Parameter(Mandatory=$true)]
76 | [string]$message,
77 | [Parameter(Mandatory=$true)]
78 | [string]$plivoID,
79 | [Parameter(Mandatory=$true)]
80 | [string]$AuthKey
81 | )
82 |
83 | $plivoAUTH = ConvertTo-SecureString -String $AuthKey -AsPlainText -Force
84 | $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $plivoID, $plivoAUTH
85 | $baseURI = "https://api.plivo.com/v1/Account/" + $plivoID + "/Message/"
86 |
87 | $params = @"
88 | {
89 | "src": "$source",
90 | "dst": "$recipients",
91 | "text": "$message"
92 | }
93 | "@
94 |
95 | Invoke-WebRequest -Credential $credential -Uri $baseURI -Method POST -ContentType application/json -body $params
96 |
97 |
--------------------------------------------------------------------------------
/General Tools/TestDoc.doc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/grownuphacker/Tools/56519c498a6dd4f2d9c0e42de771ef20f4be92e6/General Tools/TestDoc.doc
--------------------------------------------------------------------------------
/General Tools/graylog_backup.sh:
--------------------------------------------------------------------------------
1 | #/bin/bash
2 | BACKUP_LOG="/backup/backup.log"
3 | BACKUP_DIR="/media/backup"
4 | echo `date` >> $BACKUP_LOG
5 | APP_NAME=$(hostname)
6 | TIMESTAMP=`date +%F-%H%M`
7 | BACKUP_NAME="$BACKUP_DIR/$APP_NAME-$TIMESTAMP"
8 | mkdir -p $BACKUP_NAME
9 | echo "Deleting following backup files older than 30 days:" >> $BACKUP_LOG
10 | find $BACKUP_DIR -type d -name "$APP_NAME-*" -mtime +30 >> $BACKUP_LOG
11 | find $BACKUP_DIR -type d -name "$APP_NAME-*" -mtime +30 -exec rm -rf {}
12 | echo "Starting daily backup of $APP_NAME ...." >> $BACKUP_LOG
13 | /usr/bin/mongodump --archive="$BACKUP_NAME/$APP_NAME.gz" --gzip
14 | cp /etc/graylog/server/server.conf $BACKUP_NAME
15 | echo "End of backup run" >> $BACKUP_LOG
16 | echo "----------------------------------" >> $BACKUP_LOG
17 |
--------------------------------------------------------------------------------
/In Progress/Get-Firefoxdetails.ps1:
--------------------------------------------------------------------------------
1 | if(Test-Path "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe"){
2 | $ver32 = (Get-ChildItem "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe").VersionInfo.ProductVersion
3 | Write-Output "Version: $ver32 32-bit"
4 | }elseif(Test-Path "$env:ProgramFiles\Mozilla Firefox\firefox.exe"){
5 | $ver64 = (Get-ChildItem "$env:ProgramFiles\Mozilla Firefox\firefox.exe").VersionInfo.ProductVersion
6 | Write-Output "Version: $ver64 64-bit"
7 | }else{
8 | Write-Output "Not Installed"
9 | }
10 |
--------------------------------------------------------------------------------
/In Progress/Get-ViewAgentLogs.ps1:
--------------------------------------------------------------------------------
1 | Function Get-ViewAgentLog
2 | {
3 | Param
4 | (
5 | [Parameter(Mandatory=$true)]
6 | [ValidateScript({Test-Path $_})]
7 | [string]
8 | $filePath
9 | )
10 |
11 | $filepath = "C:\Utilities\scripts\debug-2018-06-19-140439.txt"
12 | $results = @();
13 | $header = @"
14 |
15 |
16 | "@
17 | $log = Get-Content $filePath | Select-String -SimpleMatch ""
18 | $footer = @"
19 |
20 | "@
21 |
22 | try{
23 | $sessiondata = ([xml]($header + $log + $footer)).LOGS.TERMINALRESPONSE.SESSION
24 | } catch{
25 | return;
26 | }
27 | $sessiondata = $sessiondata | Where-Object {$_.SESSIONGUID -ne $null} | Select-Object SESSIONGUID,STARTTIME,STARTTICK,FIRSTCONNECTTICK,LASTCONNECTTICK,LASTDISCONNECTTICK,LOGOFFTICK
28 |
29 | foreach($session in $sessiondata) {
30 | $timestamp = (Get-Date "1970-01-01 00:00:00.000Z") + ([TimeSpan]::FromSeconds($($session.STARTTIME)))
31 | $lineout = New-Object -Type psobject -Property @{
32 | SessionID = $session.SESSIONGUID
33 | User = $session.USERNAME
34 | Domain = $session.DOMAINNAME
35 | HomePC = $session.CLIENTNAME
36 | Protocol = $session.Protocol
37 | State = $session.State
38 | TimeStamp = $timestamp
39 | ViewServer = $session.SECURITYGATEWAYID
40 | Log = $filePath
41 | }
42 | $results += $lineout
43 | }
44 |
45 | return $results
46 | }
47 |
48 | $files = Get-ChildItem -Path "C:\Utilities\scripts" -Filter debug*.txt -File
49 | $exportPath = "C:\Utilities\scripts\ViewLog.csv"
50 |
51 | $history = $files.FullName | Foreach{
52 | Write-Progress -Activity "Scanning Debug Logs" -Status "Parsing $_"
53 | Get-ViewAgentLog -filePath $_
54 | }
55 |
56 | $history | Export-Csv -Path $exportPath -NoClobber -NoTypeInformation -Force
57 | $history
--------------------------------------------------------------------------------
/In Progress/Remove-All.ps1:
--------------------------------------------------------------------------------
1 | Function Get-UninstallString
2 | {
3 | Param
4 | (
5 | [Parameter(Mandatory=$true)]
6 | [string]$Application
7 | )
8 | $uninstalls = (Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | Get-ItemProperty | Where-Object {$_.DisplayName -match $application } | Select-Object -Property DisplayName, UninstallString).UninstallString
9 | return $uninstalls
10 | }
11 |
--------------------------------------------------------------------------------
/In Progress/Rescue-Exchange.ps1:
--------------------------------------------------------------------------------
1 |
2 | #Step 1: Determine if Exchange is actually blown up
3 |
4 | try{
5 | $status = get-service MSExchangeTransport -ErrorAction Stop
6 | }catch {
7 | Write-Output "Error: Exchange Transport Service Not found"
8 | exit 1;
9 | }
10 | if($status.Status -eq "Running") {
11 | Write-Output "Error: Exchange Transport Service is not Down. This script won't help you."
12 | exit 1;
13 | }
14 |
15 | #Step 2: Parse the Config and load up some variables
16 | try{
17 | $config = get-content "$env:ExchangeInstallPath\bin\EdgeTransport.exe.config" -ErrorAction Stop
18 | $configtable = $config |
19 | Where-Object {
20 | $_ -match "key=" -and $_ -match "value="
21 | } |
22 | ForEach-Object{
23 | @{[regex]::Matches($_,'key="(.*?)"').Groups[1].Value = [regex]::Matches($_,'value="(.*?)"').Groups[1].Value}
24 | }
25 |
26 | $DBPath = $configtable.QueueDatabasePath
27 | $DBLoggingPath = $configtable.QueueDatabaseLoggingPath
28 | }catch {
29 | Write-Output "Error: Unable to parse Exchange Transport Configuration correctly"
30 | exit 1;
31 | }
32 |
33 | #Step 3: Ensure the Paths are legit
34 | try{
35 | Test-Path $DBPath
36 | Test-Path $DBLoggingPath
37 | } catch {
38 | Write-Output "Error: Unable to access or locate Queue Paths"
39 | exit 1;
40 | }
41 |
42 | #Step 4: Rename / Backup existing DB Folders.
43 | #Note: This is the part where you might break something
44 | #Use with Caution, do not fold or bend, click I agree etc.
45 |
46 | try {
47 | Rename-Item -path $DBPath -newName ("DB" + "." + (Get-Date -Format MMddyyyy)) -Force -ErrorAction Stop
48 | Rename-Item -path $DBLoggingPath -newName ("DBLog" + "." + (Get-Date -Format MMddyyyy)) -Force -ErrorAction Stop
49 | }catch {
50 | Write-Output "Error: Unable to Rename Queue DB or Queue DB Logs"
51 | exit 1;
52 | }
53 |
54 | #Step 5: Start the service back up
55 | try {
56 | Start-Service $status -ErrorAction Stop
57 | } catch{
58 | Write-output "Error: Remediation Attempted, Service still won't start. "
59 | exit 1;
60 | }
61 |
62 | Write-Output "Script executed Successfully"
63 | exit 0;
--------------------------------------------------------------------------------
/Installers/Sysmon/Deploy-Application.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | .SYNOPSIS
3 | This script performs the installation or uninstallation of an application(s).
4 | # LICENSE #
5 | PowerShell App Deployment Toolkit - Provides a set of functions to perform common application deployment tasks on Windows.
6 | Copyright (C) 2017 - Sean Lillis, Dan Cunningham, Muhammad Mashwani, Aman Motazedian.
7 | This program is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
8 | You should have received a copy of the GNU Lesser General Public License along with this program. If not, see .
9 | .DESCRIPTION
10 | The script is provided as a template to perform an install or uninstall of an application(s).
11 | The script either performs an "Install" deployment type or an "Uninstall" deployment type.
12 | The install deployment type is broken down into 3 main sections/phases: Pre-Install, Install, and Post-Install.
13 | The script dot-sources the AppDeployToolkitMain.ps1 script which contains the logic and functions required to install or uninstall an application.
14 | .PARAMETER DeploymentType
15 | The type of deployment to perform. Default is: Install.
16 | .PARAMETER DeployMode
17 | Specifies whether the installation should be run in Interactive, Silent, or NonInteractive mode. Default is: Interactive. Options: Interactive = Shows dialogs, Silent = No dialogs, NonInteractive = Very silent, i.e. no blocking apps. NonInteractive mode is automatically set if it is detected that the process is not user interactive.
18 | .PARAMETER AllowRebootPassThru
19 | Allows the 3010 return code (requires restart) to be passed back to the parent process (e.g. SCCM) if detected from an installation. If 3010 is passed back to SCCM, a reboot prompt will be triggered.
20 | .PARAMETER TerminalServerMode
21 | Changes to "user install mode" and back to "user execute mode" for installing/uninstalling applications for Remote Destkop Session Hosts/Citrix servers.
22 | .PARAMETER DisableLogging
23 | Disables logging to file for the script. Default is: $false.
24 | .EXAMPLE
25 | powershell.exe -Command "& { & '.\Deploy-Application.ps1' -DeployMode 'Silent'; Exit $LastExitCode }"
26 | .EXAMPLE
27 | powershell.exe -Command "& { & '.\Deploy-Application.ps1' -AllowRebootPassThru; Exit $LastExitCode }"
28 | .EXAMPLE
29 | powershell.exe -Command "& { & '.\Deploy-Application.ps1' -DeploymentType 'Uninstall'; Exit $LastExitCode }"
30 | .EXAMPLE
31 | Deploy-Application.exe -DeploymentType "Install" -DeployMode "Silent"
32 | .NOTES
33 | Toolkit Exit Code Ranges:
34 | 60000 - 68999: Reserved for built-in exit codes in Deploy-Application.ps1, Deploy-Application.exe, and AppDeployToolkitMain.ps1
35 | 69000 - 69999: Recommended for user customized exit codes in Deploy-Application.ps1
36 | 70000 - 79999: Recommended for user customized exit codes in AppDeployToolkitExtensions.ps1
37 | .LINK
38 | http://psappdeploytoolkit.com
39 | #>
40 | [CmdletBinding()]
41 | Param (
42 | [Parameter(Mandatory=$false)]
43 | [ValidateSet('Install','Uninstall')]
44 | [string]$DeploymentType = 'Install',
45 | [Parameter(Mandatory=$false)]
46 | [ValidateSet('Interactive','Silent','NonInteractive')]
47 | [string]$DeployMode = 'Interactive',
48 | [Parameter(Mandatory=$false)]
49 | [switch]$AllowRebootPassThru = $false,
50 | [Parameter(Mandatory=$false)]
51 | [switch]$TerminalServerMode = $false,
52 | [Parameter(Mandatory=$false)]
53 | [switch]$DisableLogging = $false
54 | )
55 |
56 | Try {
57 | ## Set the script execution policy for this process
58 | Try { Set-ExecutionPolicy -ExecutionPolicy 'ByPass' -Scope 'Process' -Force -ErrorAction 'Stop' } Catch {}
59 |
60 | ##*===============================================
61 | ##* VARIABLE DECLARATION
62 | ##*===============================================
63 | ## Variables: Application
64 | [string]$appVendor = 'Sysinternals'
65 | [string]$appName = 'Sysmon'
66 | [string]$appVersion = '10.1'
67 | [string]$appArch = 'x64'
68 | [string]$appLang = 'EN'
69 | [string]$appRevision = '01'
70 | [string]$appScriptVersion = '1.0.0'
71 | [string]$appScriptDate = '02/12/2017'
72 | [string]$appScriptAuthor = 'Big Abe'
73 | ##*===============================================
74 | ## Variables: Install Titles (Only set here to override defaults set by the toolkit)
75 | [string]$installName = ''
76 | [string]$installTitle = ''
77 |
78 | ##* Do not modify section below
79 | #region DoNotModify
80 |
81 | ## Variables: Exit Code
82 | [int32]$mainExitCode = 0
83 |
84 | ## Variables: Script
85 | [string]$deployAppScriptFriendlyName = 'Deploy Application'
86 | [version]$deployAppScriptVersion = [version]'3.7.0'
87 | [string]$deployAppScriptDate = '02/13/2018'
88 | [hashtable]$deployAppScriptParameters = $psBoundParameters
89 |
90 | ## Variables: Environment
91 | If (Test-Path -LiteralPath 'variable:HostInvocation') { $InvocationInfo = $HostInvocation } Else { $InvocationInfo = $MyInvocation }
92 | [string]$scriptDirectory = Split-Path -Path $InvocationInfo.MyCommand.Definition -Parent
93 |
94 | ## Dot source the required App Deploy Toolkit Functions
95 | Try {
96 | [string]$moduleAppDeployToolkitMain = "$scriptDirectory\AppDeployToolkit\AppDeployToolkitMain.ps1"
97 | If (-not (Test-Path -LiteralPath $moduleAppDeployToolkitMain -PathType 'Leaf')) { Throw "Module does not exist at the specified location [$moduleAppDeployToolkitMain]." }
98 | If ($DisableLogging) { . $moduleAppDeployToolkitMain -DisableLogging } Else { . $moduleAppDeployToolkitMain }
99 | }
100 | Catch {
101 | If ($mainExitCode -eq 0){ [int32]$mainExitCode = 60008 }
102 | Write-Error -Message "Module [$moduleAppDeployToolkitMain] failed to load: `n$($_.Exception.Message)`n `n$($_.InvocationInfo.PositionMessage)" -ErrorAction 'Continue'
103 | ## Exit the script, returning the exit code to SCCM
104 | If (Test-Path -LiteralPath 'variable:HostInvocation') { $script:ExitCode = $mainExitCode; Exit } Else { Exit $mainExitCode }
105 | }
106 |
107 | #endregion
108 | ##* Do not modify section above
109 | ##*===============================================
110 | ##* END VARIABLE DECLARATION
111 | ##*===============================================
112 |
113 | If ($deploymentType -ine 'Uninstall') {
114 | ##*===============================================
115 | ##* PRE-INSTALLATION
116 | ##*===============================================
117 | [string]$installPhase = 'Pre-Installation'
118 |
119 | ## Show Welcome Message, close Internet Explorer if required, allow up to 3 deferrals, verify there is enough disk space to complete the install, and persist the prompt
120 | #Show-InstallationWelcome -CloseApps 'iexplore' -AllowDefer -DeferTimes 3 -CheckDiskSpace -PersistPrompt
121 |
122 | ## Show Progress Message (with the default message)
123 | Show-InstallationProgress
124 |
125 |
126 | ##
127 |
128 | #stop any Processes - save some headache
129 | get-service sysmon -ErrorAction SilentlyContinue | stop-service -ErrorAction SilentlyContinue
130 | get-service sysmon64 -ErrorAction SilentlyContinue | stop-service -ErrorAction SilentlyContinue
131 |
132 | ## Use these binaries to uninstall any troubleshooting / snowflake entries ( I found a LOT in my shop)
133 |
134 | Execute-Process -Path "sysmon.exe" -Parameters "-u force" -WindowStyle 'Hidden' -ContinueOnError:$true
135 | Execute-Process -Path "sysmon64.exe" -Parameters "-u force" -WindowStyle 'Hidden' -ContinueOnError:$true
136 |
137 | ## Go big on the failed deployment checking
138 | ## Using PSADT to run 'sc delete' kind of feels like using a corvette to pull a wagon
139 | # I used start-process originally - but forgot to add the -wait so I broke lots of things and blamed everyone but myself.
140 | Execute-Process -Path "sc.exe" -Parameters "delete sysmon" -WindowStyle 'Hidden' -ContinueOnError:$true
141 | Execute-Process -Path "sc.exe" -Parameters "delete sysmon64" -WindowStyle 'Hidden' -ContinueOnError:$true
142 |
143 |
144 | ## Remove any existing orphaned binaries
145 | Remove-File -Path "$env:windir\sysmon64.exe" -erroraction SilentlyContinue
146 | Remove-File -Path "$env:windir\sysmon.exe" -erroraction SilentlyContinue
147 | Remove-File -path "C:\windows\CCMTEMP\sysmon.exe" -erroraction SilentlyContinue
148 |
149 | ## Create the workaround folder.
150 | New-Item "C:\Temp" -itemType Directory -Force
151 |
152 |
153 | ##*===============================================
154 | ##* INSTALLATION
155 | ##*===============================================
156 | [string]$installPhase = 'Installation'
157 |
158 | ## Handle Zero-Config MSI Installations
159 | If ($useDefaultMsi) {
160 | [hashtable]$ExecuteDefaultMSISplat = @{ Action = 'Install'; Path = $defaultMsiFile }; If ($defaultMstFile) { $ExecuteDefaultMSISplat.Add('Transform', $defaultMstFile) }
161 | Execute-MSI @ExecuteDefaultMSISplat; If ($defaultMspFiles) { $defaultMspFiles | ForEach-Object { Execute-MSI -Action 'Patch' -Path $_ } }
162 | }
163 |
164 | ##
165 | #Workaround because Sysmon hates me!
166 | # (Much frustration later comment) Turns out Sysmon hates others: `
167 | # https://social.technet.microsoft.com/Forums/azure/en-US/a89efd1d-878d-4b75-ae8e-6daefbcec6cc/sysmon-5200-deployment-issues-via-sccm?forum=miscutils
168 | # Copy to a temp
169 |
170 | Copy-Item "$dirFiles\sysmon.exe" "C:\Temp\" -Force
171 | Copy-Item "$dirSupportFiles\sysmonconfig-export.xml" "C:\Temp\" -Force
172 |
173 | # More Workaround because CCM Client hates me. This is getting ridiculous.
174 | # Read more... where some internet stranger called me 'Ape'
175 | # https://social.technet.microsoft.com/Forums/en-US/a89efd1d-878d-4b75-ae8e-6daefbcec6cc/sysmon-5200-deployment-issues-via-sccm?forum=miscutils
176 |
177 | $env:TMP = "C:\Temp\"
178 |
179 | # Basic install with whatever config is in this folder
180 | Start-Process -FilePath "C:\Temp\sysmon.exe" -ArgumentList "-accepteula -i `"C:\Temp\sysmonconfig-export.xml`" -n" -WindowStyle Hidden -Wait
181 |
182 | # Add the permissions for Windows Event Forwarding.
183 | # Don't be a muppet, move gradually from WEF to SIEM - or just thank me for setting the permissions.
184 | Start-Process -Filepath 'wevtutil.exe' `
185 | -ArgumentList "sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)" `
186 | -Wait
187 |
188 | ##*===============================================
189 | ##* POST-INSTALLATION
190 | ##*===============================================
191 | [string]$installPhase = 'Post-Installation'
192 |
193 | ##
194 |
195 | # Track versions in teh registry to make detection and version changes easy.
196 | # Just blow me kisses across a conference floor next time you upgrade sysmon . . .
197 |
198 | New-Item HKLM:\Software\Sysmon
199 | Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\SOFTWARE\Sysmon' -name 'version' -value $appVersion
200 |
201 | # Sweep the floor behind ourselves on the way out the door.
202 | Remove-Item C:\Temp -Recurse -Force -confirm:$false
203 | $env:TMP = "C:\Windows\CCMTemp\"
204 | ## Display a message at the end of the install
205 | If (-not $useDefaultMsi) { Show-InstallationPrompt -Message 'SYSMON has been installed and configured' -ButtonRightText 'OK' -Icon Information -NoWait }
206 | }
207 | ElseIf ($deploymentType -ieq 'Uninstall')
208 | {
209 | ##*===============================================
210 | ##* PRE-UNINSTALLATION
211 | ##*===============================================
212 | [string]$installPhase = 'Pre-Uninstallation'
213 |
214 | ## Show Welcome Message, close Internet Explorer with a 60 second countdown before automatically closing
215 | Show-InstallationWelcome -CloseApps 'iexplore' -CloseAppsCountdown 60
216 |
217 | ## Show Progress Message (with the default message)
218 | Show-InstallationProgress
219 |
220 | ##
221 |
222 |
223 | ##*===============================================
224 | ##* UNINSTALLATION
225 | ##*===============================================
226 | [string]$installPhase = 'Uninstallation'
227 |
228 | ## Handle Zero-Config MSI Uninstallations
229 | If ($useDefaultMsi) {
230 | [hashtable]$ExecuteDefaultMSISplat = @{ Action = 'Uninstall'; Path = $defaultMsiFile }; If ($defaultMstFile) { $ExecuteDefaultMSISplat.Add('Transform', $defaultMstFile) }
231 | Execute-MSI @ExecuteDefaultMSISplat
232 | }
233 |
234 | #
235 |
236 | if(Test-Path $env:windir\sysmon.exe -PathType 'Leaf') {
237 | Execute-Process -Path "$env:windir\Sysmon.exe" -Parameters '-u' -WindowStyle 'Hidden'
238 | Remove-File -Path "$env:windir\sysmon.exe"
239 | }
240 |
241 | ## Use our custom version numbers to track the config and the installed versions.
242 |
243 |
244 | ##*===============================================
245 | ##* POST-UNINSTALLATION
246 | ##*===============================================
247 | [string]$installPhase = 'Post-Uninstallation'
248 |
249 | ## Registry Cleanup
250 |
251 | ##
252 | try{
253 | $sysmonflag = Get-ItemProperty HKLM:\Software\Sysmon\ -erroraction stop | Select-Object -expandproperty version
254 | }catch{}
255 |
256 | if($sysmonflag){Remove-ItemProperty HKLM:\Software\Sysmon -name version}
257 | remove-item "HKLM:\Software\Sysmon"
258 | }
259 |
260 | ##*===============================================
261 | ##* END SCRIPT BODY
262 | ##*===============================================
263 |
264 | ## Call the Exit-Script function to perform final cleanup operations
265 | Exit-Script -ExitCode $mainExitCode
266 | }
267 | Catch {
268 | [int32]$mainExitCode = 60001
269 | [string]$mainErrorMessage = "$(Resolve-Error)"
270 | Write-Log -Message $mainErrorMessage -Severity 3 -Source $deployAppScriptFriendlyName
271 | Show-DialogBox -Text $mainErrorMessage -Icon 'Stop'
272 | Exit-Script -ExitCode $mainExitCode
273 | }
274 |
--------------------------------------------------------------------------------
/Installers/Sysmon/Install.ps1:
--------------------------------------------------------------------------------
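# Installs Sysmon from a file share using a script-controlled TMP folder (the
# CCM client's own temp location is what the PSADT variant works around too).
# Exit codes handed back to SCCM:
#   666 - temp folder could not be created
#   667 - installer not found on the share
#   668 - installer copied from the share does not carry a valid Authenticode signature
$Source = "\\FileServer\Location\Sysmon.exe"
$configSource = "\\FileServer\Location\SwiftOnSecurity.XML"

# Temp the TMP like a boss
$rollback = $env:TMP
# The drive letter lives in the environment variable $env:SystemDrive; a bare
# $SystemDrive is an undefined script variable, so the original path was wrong.
$env:TMP = "$env:SystemDrive\Temp\"
try {
    # -ErrorAction Stop also makes "already exists" fatal, so the Remove-Item at
    # the end only ever deletes a folder this run created.
    New-Item -ItemType Directory -Path "$env:TMP" -ErrorAction Stop | Out-Null
} catch {
    $env:TMP = $rollback
    return 666
}

if (!(Test-Path -LiteralPath $Source -PathType Leaf)) {
    $env:TMP = $rollback
    return 667
}

$localInstaller = Join-Path $env:TMP 'sysmon.exe'
Copy-Item -LiteralPath $Source -Destination $localInstaller

# This binary came off a network share and is about to run as SYSTEM; refuse to
# execute it unless its Authenticode signature still validates.
if ((Get-AuthenticodeSignature -FilePath $localInstaller).Status -ne 'Valid') {
    Remove-Item "$env:TMP" -Recurse -Force -ErrorAction SilentlyContinue
    $env:TMP = $rollback
    return 668
}

# Quote the config path so a share path containing spaces survives argument parsing.
Start-Process -FilePath $localInstaller -ArgumentList "-acceptEula -i `"$configSource`"" -Wait

# Cleanup and go home, folks.
Remove-Item "$env:TMP" -Recurse -Force -ErrorAction SilentlyContinue
$env:TMP = $rollback

## Lemme know if there any typos, mmkay?
## Abe - Chief Ninja - https://blueteam.ninja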
22 |
--------------------------------------------------------------------------------
/Installers/readme.md:
--------------------------------------------------------------------------------
1 | Just hang up your tophat and enjoy the ride.
2 |
3 | ## Sysmon
4 |
5 | Installing Sysmon 10 via SCCM. Using either:
6 | * PSADT: Deploy-Application.ps1 (including a bunch of cleanup and uninstall) or
7 | * Good ole' fashioned Powershell like the common folk of our lands.
8 |
9 | Choose your weapon.
10 |
--------------------------------------------------------------------------------
/Inventory Tools/Assign-Users.ps1:
--------------------------------------------------------------------------------
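# Snipe-IT and SCCM endpoints. Edit these for your environment.
$SnipeURL = "https://snipeit.domain.com"
$SCCMSiteName = "DEF"
$SCCMServer = "SCCM.local"
$SCCMDefaultInstallUser = "Administrator"


try {
    # Put the API key in a text file in the same folder as this script to make life easy.
    # Handle permissions with care: the key can read and reassign every asset, so
    # key.txt's ACL should be limited to the account that runs this script.
    # Do not folder or bend.

    # -Raw/.Trim() so a trailing newline or blank second line cannot turn the key
    # into an array; -ErrorAction Stop so a missing key file lands in the catch
    # instead of handing Set-Info a $null key.
    $SnipeAPI = (Get-Content -LiteralPath "$PSScriptRoot\key.txt" -Raw -ErrorAction Stop).Trim()
    Set-Info -url $SnipeURL -apiKey $SnipeAPI -ErrorAction Stop
} catch {
    # I use this for SCCM Exit codes
    # I also lean on POSIX error codes because I'm a greybeard and wokefulness is lit, fam.
    return 126;

}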
20 |
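#######################################
# Pulls make / model / serial / primary-user rows for every SCCM client straight
# from the site database's hardware-inventory data tables.
# Arguments: -SiteName   SCCM site code; the site database is CM_<SiteName>
#            -SCCMServer SQL Server instance that hosts the site database
# Outputs:   one object per machine with Make, Model, AssetTag, PrimaryUser,
#            Serial and Network (default gateway). Rows whose Make is
#            "Vmware, Inc." are dropped.
#######################################
function Get-SCCMPCInfo {
    param (
        # The site code is spliced into table names in the query below, so
        # reject anything that is not plain alphanumerics before it gets there.
        [ValidatePattern('^[A-Za-z0-9]+$')]
        [string]$SiteName,
        # (The original had a stray '=' after this name, which is a parse error.)
        [string]$SCCMServer
    )

    # Inventory Query
    $query = @"
SELECT
    A.[Manufacturer00] AS Make
    ,A.[Model00] AS Model
    ,A.[Name00] AS AssetTag
    ,A.[UserName00] AS PrimaryUser
    ,B.[SerialNumber00] AS Serial
    ,C.[DefaultIPGateway00] AS Network
FROM [CM_$SiteName].[dbo].[Computer_System_DATA] A,
     [CM_$SiteName].[dbo].[PC_BIOS_DATA] B,
     [CM_$SiteName].[dbo].[Network_DATA] C
WHERE A.[MachineID] = B.[MachineID]
  AND A.[MachineID] = C.[MachineID]
  AND C.[DefaultIPGateway00] IS NOT NULL;
"@

    Write-Progress -Activity "Querying SCCM SQL DB to PC Information"
    # Fail here if the SqlServer module is missing rather than later on an
    # unrecognised Invoke-Sqlcmd.
    Import-Module SQLSERVER -ErrorAction Stop

    # Virtual machines are not tracked as hardware assets, so drop VMware guests.
    $SCCMPCData = Invoke-Sqlcmd -ServerInstance $SCCMServer -Database "CM_$SiteName" -Query $query |
        Where-Object { $_.Make -notlike "Vmware, Inc." }
    return $SCCMPCData
}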
52 |
53 |
54 |
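# SCCM machines that have a real primary user: skip the deployment account and
# machines with no user affinity recorded yet.
$Assets = Get-SCCMPCInfo -SiteName $SCCMSiteName -SCCMServer $SCCMServer |
    Where-Object { ($_.PrimaryUser -notlike "*${SCCMDefaultInstallUser}*") -and ($_.PrimaryUser -notlike "") }
$SnipeAssets = Get-Asset -limit 9999
$snipeUsers = Get-User -limit 9999
# A List avoids rebuilding the whole array on every += for large fleets.
$results = New-Object System.Collections.Generic.List[object]

# Builds one report row; every branch below records the same four columns.
function New-ResultRow {
    param([string]$Asset, [string]$Serial, [string]$User, [string]$Action)
    [PSCustomObject]@{
        'Asset'  = $Asset
        'Serial' = $Serial
        'User'   = $User
        'Action' = $Action
    }
}

foreach ($asset in $Assets) {
    # PrimaryUser is normally DOMAIN\user; take the last segment so a bare
    # username (no domain prefix) still resolves instead of becoming $null.
    $user = ($asset.PrimaryUser -split '\\')[-1]
    $serial = $asset.Serial

    # -First 1 so a duplicated Snipe-IT username cannot hand an array to Set-AssetOwner.
    $snipeUserID = $snipeUsers | Where-Object { $_.username -eq $user } |
        Select-Object -ExpandProperty id -First 1

    if (-not ($serial -in $SnipeAssets.serial)) {
        $results.Add((New-ResultRow $asset.AssetTag $serial $user "Skipping...Serial Not Found"))
        continue
    }
    $snipeAsset = $SnipeAssets | Where-Object { $_.serial -eq $serial }

    if (-not $snipeUserID) {
        $results.Add((New-ResultRow $asset.AssetTag $serial $user "Skipping...User ID Not Found"))
        continue
    }
    if ($snipeAsset.assigned_to.username -eq $user) {
        $results.Add((New-ResultRow $asset.AssetTag $serial $user "No Change"))
        continue
    }

    $BuildParms = @{
        'id'       = $snipeAsset.id
        'model_id' = $snipeAsset.model.id
    }

    try {
        # Clear first - because I filled 'assigned_to' fields with garbage by accident
        Set-Asset -id $BuildParms.id -Model_id $BuildParms.model_id -Status_id 2 -customfields @{ 'assigned_to' = ''; 'checkout_to_type' = '' } -ErrorAction Stop | Out-Null
        # -ErrorAction Stop: without it a failed checkout is a non-terminating error,
        # the catch never runs, and the row is still reported as "Updated".
        Set-AssetOwner -id $BuildParms.id -assigned_id $snipeUserID -checkout_to_type 'user' -ErrorAction Stop

        $results.Add((New-ResultRow "$($asset.AssetTag) [$($snipeAsset.model_id)]" $serial "${user} [${snipeUserID}]" "Updated"))
    } catch {
        # $_ is the record just caught; $error[0] is only the same thing if nothing
        # else wrote to $error in between.
        $results.Add((New-ResultRow $asset.AssetTag $serial $user ("Failed:" + $_)))
    }
}
$results | Export-Csv asset-owners.csv -NoTypeInformation -Force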
139 |
140 |
--------------------------------------------------------------------------------
/Inventory Tools/Get-AssetInfo.ps1:
--------------------------------------------------------------------------------
1 |
2 |
$s = $Env:Computername
# Don't do a trailing slash or your socks will start to smell funny.

$WorkStationShare = "\\FileServer\Hardware\Workstations"
$MonitorShare = "\\FileServer\Hardware\Monitors"

# One CSV per machine on each share, named after the host.
$WShareName = "$WorkStationShare\$s.csv"
$MShareName = "$MonitorShare\$s.csv"

# Probe both output files for write access before gathering anything, so a dead
# share or a bad ACL fails fast. OpenWrite creates the file when it does not exist
# yet, which is what the -Append at the end of the script expects.
foreach ($outFile in @($WShareName, $MShareName)) {
    Try { [io.file]::OpenWrite($outFile).close() }
    Catch {
        Write-Warning "Unable to write to output file $outFile"
        return 1;
    }
}
23 |
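$MonitorArray = @();

# Most recently used non-special profile, resolved to DOMAIN\user.
# Translate() throws when the SID's account no longer exists (deleted user,
# stale profile); fall back to the raw SID instead of aborting the whole run.
$LastUser = Get-CimInstance Win32_UserProfile -Filter 'Special=FALSE' | Sort-Object LastUseTime -Descending |
    Select-Object -First 1 | ForEach-Object {
        $sid = $_.SID
        try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            $sid
        }
    }

$CIMCS = Get-CimInstance -Class Win32_ComputerSystem
$CPUInfo = $CIMCS.Name
$MN = $CIMCS.Model

$OSInfo = Get-CimInstance Win32_OperatingSystem
$OSInstallDate = $OSInfo.InstallDate

# TotalVirtualMemorySize / TotalVisibleMemorySize are reported in KB, so /1MB
# yields GB; CIM_PhysicalMemory.Capacity is in bytes, hence /1GB.
$CIMMemory = Get-CimInstance CIM_PhysicalMemory
$OSTotalVirtualMemory = [math]::Round($OSInfo.TotalVirtualMemorySize / 1MB, 2)
$OSTotalVisibleMemory = [math]::Round(($OSInfo.TotalVisibleMemorySize / 1MB), 2)
$PhysicalMemory = [Math]::Round((($CIMMemory | Measure-Object -Property Capacity -Sum).Sum / 1GB), 2)

$CIMBios = Get-CimInstance Win32_BIOS
$SN = $CIMBios.SerialNumber
$MF = $CIMBios.Manufacturer

$CIMDisk = Get-CimInstance Win32_LogicalDisk
$DISKTOTAL = $CIMDisk | Where-Object Caption -eq "C:" | ForEach-Object { Write-Output "$('{0:N2}' -f ($_.Size/1gb)) GB " }
$DISKFREE = $CIMDisk | Where-Object Caption -eq "C:" | ForEach-Object { Write-Output "$('{0:N2}' -f ($_.FreeSpace/1gb)) GB " }

$CIMNetwork = Get-CimInstance Win32_NetworkAdapter
$WifiMac = $CIMNetwork | Where-Object { $_.Name -match ("Wireless|wifi|wi\-fi") -and ($_.Name -notlike "*virtual*") } |
    Select-Object -ExpandProperty MacAddress

$CIMNetCfg = Get-CimInstance Win32_NetworkAdapterConfiguration
$MAC = $CIMNetCfg | Where-Object { $_.IPEnabled -eq $true } | Select-Object -First 1 -ExpandProperty MacAddress

$CIMMonitors = Get-WmiObject WmiMonitorID -Namespace root\wmi

# ChassisTypes is an array property; nearly every machine reports exactly one
# value, and the -in test below needs a scalar, so keep the first entry only.
$CIMChassis = Get-CimInstance Win32_SystemEnclosure | Select-Object -ExpandProperty ChassisTypes | Select-Object -First 1

# Portable / Laptop / Notebook / Hand Held / All in One / Sub Notebook: a single
# display on one of these is the built-in panel, not a monitor worth inventorying.
$BuiltInChassis = @("8","9","10","11","13","14")
$BuiltInOnly = $false
if (($CIMChassis -in $BuiltInChassis) -and ($CIMMonitors.count -le 1)) { $BuiltInOnly = $true }

## Really hacky check to ensure I don't pull in thousands of built-in displays from laptops.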
66 |
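# WmiMonitorID stores its strings as zero-padded uint16 arrays; decode one to text.
function ConvertFrom-EdidChars {
    param($Codes)
    ($Codes -ne 0 | ForEach-Object { [char]$_ }) -join ""
}

# EDID three-letter manufacturer codes seen in the shop so far.
# If you need to beef up this list, start here: https://github.com/MaxAnderson95/Get-Monitor-Information/blob/master/Get-Monitor.ps1
# If you need more beef: go here : http://edid.tv/manufacturer/
$EdidMakes = @{
    'LEN' = "Lenovo"
    'ACI' = "ASUS"
    'LGD' = "LG"
    'SDC' = "Surface Display"
    'SEC' = "Epson"
    'SAM' = "Samsung"
    'SNY' = "Sony"
    'GSM' = "LG (Goldstar) TV"
    'GWY' = "Gateway 2000"
    'ITE' = "Integrated Tech Express"
}

if (-not($BuiltInOnly)) {
    ForEach ($Monitor in $CIMMonitors) {
        $Manufacturer = ConvertFrom-EdidChars $Monitor.ManufacturerName
        if ($Monitor.UserFriendlyName) {
            $Name = ConvertFrom-EdidChars $Monitor.UserFriendlyName
        }
        else {
            # No friendly name in the EDID; fall back to the product code.
            $Name = ConvertFrom-EdidChars $Monitor.ProductCodeID
        }

        # Do some voodoo to clean up Lenovo Monitor names and take out the Manufacturer code
        if ($Name -like "LEN *") {
            $Name = $Name.split(' ')[1]
        }

        $Serial = ConvertFrom-EdidChars $Monitor.SerialNumberID

        # Hashtable keys are case-insensitive by default, matching the old switch.
        $Make = $EdidMakes[$Manufacturer]
        if (-not $Make) { $Make = "Unknown: $Manufacturer" }

        $Friendly = "[$Make] ${Name}: $Serial"

        $MonitorData = [PSCustomObject] @{
            Vendor = $Make
            Model = $Name
            Serial = $Serial
            Friendly = $Friendly
            'Last Seen' = $(Get-Date)
            'Attached To' = $s
        }
        $MonitorArray += $MonitorData
    }
}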
117 |
118 |
# Map the SMBIOS chassis-type number from Win32_SystemEnclosure to its DMTF
# name; $Chassis lands in the "Inventory: Chassis" CSV column.
# NOTE(review): ChassisTypes is an array property. If a machine reports more
# than one value, switch iterates all of them and the last match wins.
switch ($CIMChassis) {
    ## https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.1.1.pdf
    ## Chassis types liberated from this PDF

    "1" { $Chassis = "Other" }
    "2" { $Chassis = "Unknown" }
    "3" { $Chassis = "Desktop" }
    "4" { $Chassis = "Low Profile Desktop" }
    "5" { $Chassis = "Pizza Box" }
    "6" { $Chassis = "Mini Tower" }
    "7" { $Chassis = "Tower" }
    "8" { $Chassis = "Portable" }
    "9" { $Chassis = "Laptop" }
    "10" { $Chassis = "Notebook" }
    "11" { $Chassis = "Hand Held" }
    "12" { $Chassis = "Docking Station" }
    "13" { $Chassis = "All in One" }
    "14" { $Chassis = "Sub Notebook" }
    "15" { $Chassis = "Space-saving" }
    "16" { $Chassis = "Lunch Box" }
    "17" { $Chassis = "Main Server Chassis" }
    "18" { $Chassis = "Expansion Chassis" }
    "19" { $Chassis = "SubChassis" }
    "20" { $Chassis = "Bus Expansion Chassis" }
    "21" { $Chassis = "Peripheral Chassis" }
    "22" { $Chassis = "RAID Chassis" }
    "23" { $Chassis = "Rack Mount Chassis" }
    "24" { $Chassis = "Sealed-case PC" }
    "25" { $Chassis = "Multi-system chassis" }
    "26" { $Chassis = "Compact PCI" }
    "27" { $Chassis = "Advanced TCA" }
    "28" { $Chassis = "Blade" }
    "29" { $Chassis = "Blade Enclosure" }
    "30" { $Chassis = "Tablet" }
    "31" { $Chassis = "Convertible" }
    "32" { $Chassis = "Detachable" }
    "33" { $Chassis = "ioT Gateway" }
    "34" { $Chassis = "Embedded PC" }
    "35" { $Chassis = "Mini PC" }
    "36" { $Chassis = "Stick PC" }
    # Anything outside the DSP0134 table (or an empty value).
    default { $Chassis = "Invalid Chassis Type" }
}
161 |
162 |
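$MonitorFriendly = $MonitorArray.Friendly -join ', '

$AT = $s
$status = "Ready to Deploy"

# Resolve our own IPv4 by pinging the hostname. An unresolvable/unreachable name
# leaves $IP empty instead of spraying errors into the SCCM script output.
$IP = (Test-Connection $CPUInfo -Count 1 -ErrorAction SilentlyContinue).IPv4Address.IPAddressToString

# $CPUInfo is the single Win32_ComputerSystem name, so the old Foreach over it ran
# exactly once; build the row directly.
$infoObject = [PSCustomObject][ordered]@{
    # Asset identity; Set-AssetInfo.ps1 matches on these column names.
    "Asset: Name" = $CPUInfo
    "Asset: Tag" = $AT
    "Asset: Model Number" = $MN
    "Asset: Manufacturer" = $MF
    "Asset: Serial Number" = $SN

    "Inventory: Status" = $status
    "Inventory: Timestamp" = $(Get-Date)
    "Inventory: Chassis" = $Chassis

    "OS: Name" = $OSInfo.Caption
    "OS: Install Date" = $OSInstallDate
    "OS: Last User" = $lastuser

    "Sub-Assets: Monitors" = $MonitorFriendly

    "Specs: Physical RAM" = $PhysicalMemory
    "Specs: Virtual Memory" = $OSTotalVirtualMemory
    # "Visable" is misspelt, but it is the CSV header the README documents;
    # renaming it changes the output schema for every consumer.
    "Specs: Visable Memory" = $OSTotalVisibleMemory
    "Specs: Total Disk Space" = $DISKTOTAL
    "Specs: Free Disk Space" = $DISKFREE

    "Network: IP Address" = $IP
    "Network: Wireless MAC Address" = $WifiMAC
    "Network: Ethernet MAC Address" = $MAC
}

# Workstation rows append (one line per inventory run); monitor rows are a
# snapshot of what is attached right now and overwrite the file.
$infoObject | Export-Csv -Path $WshareName -NoClobber -NoTypeInformation -Encoding UTF8 -Append -Force
$MonitorArray | Select-Object Vendor, Model, Serial, 'Last Seen', 'Attached To' | Export-Csv -Path $MShareName -NoTypeInformation -Encoding UTF8 -Force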
205 |
--------------------------------------------------------------------------------
/Inventory Tools/MonitorTags.csv:
--------------------------------------------------------------------------------
1 | serial,tag
2 | ABC123HIJK,MON-IT-001
3 | ABC123HILM,MON-IT-002
4 | ABC123HINO,MON-IT-003
5 |
--------------------------------------------------------------------------------
/Inventory Tools/README.md:
--------------------------------------------------------------------------------
1 | # SCCM / Snipe IT Inventory Automation
2 |
3 | ### Dependencies
4 |
5 | > `Install-Module SnipeITPS`
6 |
7 | > Snipe API Key with permissions to view and create...pretty much everything.
8 |
9 | > Every MODEL NUMBER needs to be in Snipe IT (*WILL* Fail without)
10 |
11 | > Every Location needs to be in Snipe IT (Won't Fail without)
12 |
13 | > Those locations need their DHCP address scopes in the proper Function in Set-AssetInfo
14 |
15 | > User Affinity enabled in SCCM.
16 |
17 |
18 | ## What does it do?
19 |
20 | The `Get-AssetInfo.ps1` script is meant to be run at startup or as an SCCM Script (it works running as SYSTEM). It will gather the relevant information
21 | and much more and send it to a file share. This is what it gathers:
22 | ```
23 | Asset: Name : PC-HOSTNAME
24 | Asset: Tag : PC-HOSTNAME
25 | Asset: Model Number : XXYYZZ
26 | Asset: Manufacturer : LENOVO
27 | Asset: Serial Number : AAABBBCCDD
28 | Inventory: Status : Ready to Deploy
29 | Inventory: Timestamp : 10/04/2019 10:15:54 AM
30 | Inventory: Chassis : Desktop
31 | OS: Name : Microsoft Windows 10 Enterprise
32 | OS: Install Date : 08/03/2019 5:31:17 PM
33 | OS: Last User : DOMAIN\username
34 | Sub-Assets: Monitors : [Lenovo] ModelXXYY: SERIAL, [Lenovo] ModelXXYY: SERIAL
35 | Specs: Physical RAM : 16
36 | Specs: Virtual Memory : 18.27
37 | Specs: Visable Memory : 15.9
38 | Specs: Total Disk Space : 235.48 GB
39 | Specs: Free Disk Space : 110.32 GB
40 | Network: IP Address : 10.10.10.5
41 | Network: Wireless MAC Address :
42 | Network: Ethernet MAC Address : AA:BB:CC:11:22:33
43 | ```
44 |
45 | It also parses out to the best of my ability monitor information - and matches them against a spreadsheet with Serial numbers that match Model numbers:
46 | ```
47 | Vendor : Lenovo
48 | Model : ModelXXYY
49 | Serial : SERIALA
50 | Friendly : [Lenovo] ModelXXYY: SERIALA
51 | Last Seen : 10/04/2019 10:15:54 AM
52 | Attached To : PC-HOSTNAME
53 |
54 | Vendor : Lenovo
55 | Model : ModelXXYY
56 | Serial : SERIALB
57 | Friendly : [Lenovo] ModelXXYY: SERIALB
58 | Last Seen : 10/04/2019 10:15:54 AM
59 | Attached To : PC-HOSTNAME
60 | ```
61 |
62 | Using these CSVs - I used https://github.com/snazy2000/SnipeitPS @Snazzy2000's PowerShell API wrapper (one day I'll probably fork it out, but it's pretty awesome as is!)
63 | then I dump in all the information - with most of the extra information in notes. So you can easily find the last time a PC was inventoried.
64 |
65 | ## Wishlist
66 |
67 | * Send to a database instead of CSV
68 | * Pull Location names from a DHCP scope server to handle changes better
69 | * Create a report from the logs
70 | * Send abnormal data to SIEM / Log solution (Graylog... I mean to send to Graylog)
71 | * Integrate a NAC with the Inventory solution and find a quarantine/onboarding process
72 |
73 | Set `get-assetinfo.ps1` up as a scheduled task at login - and also add it as a Script in SCCM and you're good to go.
74 | Run `Set-Assetinfo.ps1` At whatever interval you want to true up your inventory
75 | Run `Assign-Users.ps1` right after running the above.
76 |
--------------------------------------------------------------------------------
/Inventory Tools/Set-AssetInfo.ps1:
--------------------------------------------------------------------------------
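# Drop folders written by Get-AssetInfo.ps1, plus the serial -> asset-tag map for monitors.
$Wshare = "\\FileServer\hardware\Workstations"
$Mshare = "\\FileServer\hardware\Monitors"
$TagFile = "\\FileServer\MonitorTags.csv"

$SnipeURL = "https://inventory.domain.com"

try {
    # The API key can create and modify every asset; keep key.txt's ACL limited
    # to the account that runs this script.
    # -Raw/.Trim() so a trailing newline or blank second line cannot turn the key
    # into an array; -ErrorAction Stop so a missing key file lands in the catch
    # instead of handing Set-Info a $null key.
    $SnipeAPI = (Get-Content -LiteralPath "$PSScriptRoot\key.txt" -Raw -ErrorAction Stop).Trim()
    Set-Info -url $SnipeURL -apiKey $SnipeAPI -ErrorAction Stop
} catch {
    # I use this for SCCM Exit codes
    # I also lean on POSIX error codes because I'm a greybeard and wokefulness is lit, fam.
    return 126;

}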
16 |
#######################################
# Maps a workstation's IPv4 address to the Snipe-IT location name for its site
# by matching the address against the DHCP scopes listed here.
# Arguments: -ip  dotted-quad address as reported in the inventory CSV
# Outputs:   location name; "Unknown" when no scope pattern matches
#######################################
Function Get-LocationNameFromIP {
    [CmdletBinding()]

    Param(
        [string]$ip
    )
    # Wildcard pattern -> location, in evaluation order. Like the original switch
    # -Wildcard, a later matching pattern overrides an earlier one.
    $scopes = [ordered]@{
        '10.100.0.*'  = "Main Building - Basement"
        '10.100.1.*'  = "Main Building - Floor 1"
        '192.168.*.*' = "Guest Wifi"
        '10.110.0.*'  = "Legacy LAN"
    }

    $location = "Unknown"
    foreach ($pattern in $scopes.Keys) {
        if ($ip -like $pattern) { $location = $scopes[$pattern] }
    }
    return $location
}
35 |
36 |
$WItems = @();

# One row per workstation: the newest inventory record from each machine's CSV.
# NOTE(review): 'Inventory: Timestamp' is a string once it comes out of the CSV,
# so this sorts lexically ("9/30/2019 ..." lands after "10/04/2019 ...");
# sorting on { [datetime]$_.'Inventory: Timestamp' } would give true newest-first.
Get-ChildITem "$Wshare\*.csv" | ForEach-Object{
    $WItems += Import-Csv $_ | Sort-Object 'Inventory: Timestamp' -Descending | Select-Object -First 1
}




$MItems = @();

# Every monitor row from every machine's snapshot, minus rows with no serial.
Get-ChildITem "$Mshare\*.csv" | ForEach-Object{
    $MItems += Import-Csv $_ | Where-Object {$_.serial -ne ""}
}



## Progress
$count = 0
$total = (($witems).count + ($mitems).count)


# Pull the Snipe-IT side once up front; every item below is matched in memory.
$SnipeLocations = Get-snipeitlocation -limit 99999 | Select-Object Id,Name
$SnipeModels = Get-Model | Select-Object Id,model_number
$AllAssets = Get-Asset -limit 99999
$MonitorTags = Import-Csv $TagFile

$results = @();



foreach($witem in $witems){
    # Per-item state; $AssetActions and $Comments are joined with "|" into the report row.
    $AssetActions =@()
    $Comments = @()
    $lineout = @()
    $wbuildparms = @{}
    # NOTE(review): this is an array, and the '+=' further down appends a hashtable to
    # it rather than merging keys. It appears to reach Set-Asset as a hashtable only
    # because $(...) unwraps a one-element array; @{} would make the intent explicit.
    $BuildCustomFields = @();

    $statusid = [int]"2"
    $SnipeAsset = ""
    $locationid = ""
    $model = ""

    Write-Progress -Activity "Processing Workstation: $($witem.'Asset: Name')" -PercentComplete ($count / $total * 100)
    $count++

    # Free-text notes block shown on the asset in Snipe-IT.
    $Notes = @"
[Last Seen]: $($Witem.'Inventory: Timestamp')
[Last User]: $($Witem.'OS: Last User')
[OS]: $($Witem.'OS: Name')
[OS Install]: $($Witem.'OS: Install Date')
[Ram]: $($witem.'Specs: Physical Ram')
[HDD]: $($witem.'Specs: Total Disk Space')
[MAC]: $($witem.'Network: Ethernet Mac Address')
[Wi-Fi MAC]: $($witem.'Network: Wireless MAC Address')
"@



    # Match on asset tag; Get-AssetInfo.ps1 writes the hostname as the tag.
    $SnipeAsset = $AllAssets | Where-Object {$_.asset_tag -eq $witem.'Asset: Tag'}
    $currentLocation = Get-LocationNameFromIP $witem.'Network: IP Address'

    If($SnipeAsset){
        ### Actions on updating an ASSET ###
        $AssetActions += "Update"
        $wbuildparms += @{
            "id" = [int]$SnipeAsset.id
            "name" = $SnipeAsset.asset_tag
        }

        ## Verify Model Number is the same
        if($SnipeAsset.model_number -ne $Witem.'Asset: Model Number'){
            $AssetActions += "Model Mismatch"
            $Comments += "Model number mismatch - please remove $($witem.'Asset: Tag') : $($witem.'Asset: Model Number') from inventory"
            # NOTE(review): 'continue' moves to the next $witem before any $lineout is
            # built, so the mismatch comment above never reaches $results.
            continue;
        }else{
            $wbuildparms += @{
                "model_id" = $SnipeAsset.model.id
            }
        }

        # NOTE(review): "Updated Notes" is recorded here, but $Notes is never added to
        # $BuildCustomFields on this path, so the Set-Asset below does not change them.
        if($SnipeAsset.Notes -ne $notes){
            $AssetActions += "Updated Notes"
        }

        if($SnipeAsset.location.name -ne $currentLocation){
            $locationid = $snipeLocations | Where-Object {$_.Name -eq $CurrentLocation} | select-object -ExpandProperty id
            if($locationid){
                $AssetActions += "Update Location"
                $buildCustomFields += @{
                    "location_id" = $locationid
                }
            }else{
                $Comments += "IP Address $($witem.'Network: IP Address') or location $currentLocation not known"
            }

        }

        $wbuildparms += @{
            'customfields' = $BuildCustomFields
        }


        # A second element means something beyond the bare "Update" marker was queued.
        if($AssetActions[1]){
            try{
                Set-Asset -id $($wbuildparms.id) -Model_id $($wbuildparms.model_id) -Status_id $statusid -Name $($wbuildparms.name) -customfields $($wbuildparms.customfields) | Out-Null
                $AssetActions += "Updated Asset"
            }catch{
                $Comments += "Failed to Set Asset"
                $comments += $error[0]
            }
        }else{
            $AssetActions = "No change"
        }

        # NOTE(review): the same asset is appended to $results again after the If/Else
        # below (without the "Assigned" column), so every existing asset appears twice
        # in the report.
        $lineout = [PSCustomObject]@{
            "Asset" = $($wbuildparms.name)
            "Asset ID" = $($wbuildparms.id)
            "Assigned"= $($SnipeAsset.Assigned_to.name)
            "Comments" = $($Comments -join "|")
            "Actions" = $($AssetActions -join "|")
        }
        $results += $lineout
    }else{

        ### Actions on a NEW ASSET ###
        $AssetActions += "New"
        $wbuildparms = @{
            'name' = $witem.'Asset: Name'
            'tag' = $witem.'Asset: Tag'
            'status_id' = $statusid
        }

        # The model must already exist in Snipe-IT (README: *WILL* fail without).
        $model = $SnipeModels | Where-Object {$_.model_number -eq $witem.'Asset: Model Number'}
        if(-not($model))
        {
            $AssetActions += "No Model"
            $Comments += "Model $($witem.'Asset: Model Number') not in Snipe Models"
            $lineout = [PSCustomObject]@{
                "Asset" = $($wbuildparms.name)
                "Asset ID" = $($wbuildparms.id)
                "Comments" = $($Comments -join "|")
                "Actions" = $($AssetActions -join "|")
            }
            $results += $lineout
            continue
        }

        $locationid = $snipeLocations | Where-Object {$_.Name -eq $CurrentLocation} |
            select-object -ExpandProperty id
        $Comments += "Setting Initial Default location to current location"


        $buildCustomFields = @{
            'notes' = $Notes
            'location_id' = $locationid
            'rtd_location' = $locationid
            'serial' = $witem.'Asset: Serial Number'

        }

        $wbuildparms += @{
            'model_id' = $model.id
            'customfields' = $BuildCustomFields
        }

        try{
            New-Asset -name $($wbuildparms.tag) -tag $($wbuildparms.tag) -model_id $($wbuildparms.model_id) -Status_id $($wbuildparms.status_id) -customfields $($wbuildparms.customfields) | Out-Null
            $AssetActions += "Created Asset"
        }catch{
            $Comments += "Failed to create Asset: $($wbuildparms.tag)"
            # NOTE(review): this appends the whole $error collection, whereas the
            # Set-Asset catch above uses $error[0]; $_ is the record just caught in both.
            $comments += $error
        }
    }
    # NOTE(review): "Asset ID" is empty on the New path because $wbuildparms never gets an 'id' there.
    $lineout = [PSCustomObject]@{
        "Asset" = $($wbuildparms.name)
        "Asset ID" = $($wbuildparms.id)
        "Comments" = $($Comments -join "|")
        "Actions" = $($AssetActions -join "|")
    }
    $results += $lineout

}
221 |
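foreach ($mitem in $mitems) {

    # Per-monitor state. $mbuildparms is a single hashtable (the workstation
    # loop above builds an array of hashtables; a flat table gives the same
    # .name/.id lookups without relying on member enumeration).
    $AssetActions       = @()
    $Comments           = @()
    $lineout            = @()
    $mbuildparms        = @{}
    $mBuildCustomFields = @{}
    $statusid           = [int]"2"   # Snipe-IT status_id; what "2" maps to is instance-specific - confirm
    $SnipeAsset         = ""
    $ParentAsset        = ""
    $model              = ""
    $TagNumber          = ""

    $Notes = @"
[Last Seen]: $($mitem.'Last Seen')
"@
    Write-Progress -Activity "Processing Monitors of: $($mitem.'Attached To')" -PercentComplete ($count / $total * 100)
    $count++

    # Every row pushed to $results from this loop carries the same five
    # columns: Export-Csv takes its header from the first object it sees and
    # drops properties that only later rows have, so differing shapes lose data.

    # Guard: an empty serial would match every Snipe asset whose serial is also
    # empty and "update" an unrelated record. Report the row and move on.
    if ([string]::IsNullOrWhiteSpace($mitem.Serial)) {
        $AssetActions += "Skipped"
        $Comments     += "Missing Serial"
        $lineout = [PSCustomObject]@{
            "Asset"    = ""
            "Asset ID" = ""
            "Comments" = $($Comments -join "|")
            "Assigned" = $($mitem.'Attached To')
            "Actions"  = $($AssetActions -join "|")
        }
        $results += $lineout
        continue
    }

    # Duplicate serials in Snipe are possible; take the first hit so the [int]
    # cast below never receives an array.
    $SnipeAsset = $AllAssets | Where-Object { $_.serial -eq $mitem.Serial } | Select-Object -First 1

    # Serial -> asset-tag mapping from the MonitorTags table; fall back to the serial.
    $TagNumber = $MonitorTags | Where-Object { $_.serial -eq $mitem.serial } | Select-Object -ExpandProperty tag -First 1
    if (-not $TagNumber) {
        $TagNumber = $mitem.Serial
        $Comments += "Missing SerialToTag"
    } else {
        $Comments += "Found SerialToTag"
    }
    $mbuildparms['name'] = $TagNumber

    # The asset this monitor is attached to, looked up by its asset tag.
    $ParentAsset = $AllAssets | Where-Object { $_.asset_tag -eq $mitem.'Attached To' } | Select-Object -First 1

    if ($SnipeAsset) {
        ## Existing asset: update it in place.
        $AssetActions += "Update"
        $Comments     += "Found Asset"

        $mbuildparms['id']       = [int]$SnipeAsset.id
        $mbuildparms['model_id'] = $SnipeAsset.model.id

        if ($Notes -ne $SnipeAsset.notes) { $AssetActions += "Update Notes" }
        if ($ParentAsset.id -ne $SnipeAsset.assigned_to.id) { $AssetActions += "Update Parent" }

        $mBuildCustomFields = @{
            'notes'          = $Notes
            'serial'         = $mitem.serial
            'assigned_asset' = $ParentAsset.Id
            'asset_tag'      = $TagNumber
        }
        $mbuildparms['customfields'] = $mBuildCustomFields

        try {
            set-Asset -id $mbuildparms.id -name $mbuildparms.name -model_id $mbuildparms.model_id -Status_id $statusid -customfields $mbuildparms.customfields | Out-Null
            $AssetActions += "Updated Asset"
        } catch {
            # Keep the exception text so the CSV says *why* the write failed;
            # a bare "Failed" row cannot be told apart from a permissions or
            # network problem. ($mbuildparms never had an 'asset_tag' key, so
            # the old message printed an empty name.)
            $Comments += "Failed to update Asset: $TagNumber ($($_.Exception.Message))"
        }

    } else {
        ## New asset: needs a known model before it can be created.
        $AssetActions += "New"

        $model = $SnipeModels | Where-Object { $_.model_number -eq $mitem.'Model' } | Select-Object -First 1
        if (-not $model) {
            $AssetActions += "No Model"
            $Comments     += "Model $($mitem.'model') not in Snipe Models"
            $lineout = [PSCustomObject]@{
                "Asset"    = $($mbuildparms.name)
                "Asset ID" = ""
                "Comments" = $($Comments -join "|")
                "Assigned" = $($mitem.'Attached To')
                "Actions"  = $($AssetActions -join "|")
            }
            $results += $lineout
            continue
        }

        $mBuildCustomFields = @{
            'notes'          = $Notes
            'serial'         = $mitem.serial
            'assigned_asset' = $ParentAsset.Id
        }

        # Use the *monitor* custom-field table. $BuildCustomFields (no "m") is
        # the workstation loop's table - PowerShell variable names are
        # case-insensitive - and passing it here created monitors carrying the
        # last workstation's serial and location.
        $mbuildparms['model_id']     = $model.id
        $mbuildparms['customfields'] = $mBuildCustomFields
        $mbuildparms['status_id']    = $statusid

        try {
            New-Asset -name $mbuildparms.name -tag $TagNumber -model_id $mbuildparms.model_id -Status_id $mbuildparms.status_id -customfields $mbuildparms.customfields | Out-Null
            $AssetActions += "Created Asset"
        } catch {
            $Comments += "Failed to create Asset: $($mbuildparms.name) ($($_.Exception.Message))"
        }
    }

    # Same five columns as the early-exit rows above.
    $lineout = [PSCustomObject]@{
        "Asset"    = $($mbuildparms.name)
        "Asset ID" = $($mbuildparms.id)
        "Comments" = $($Comments -join "|")
        "Assigned" = $($ParentAsset.asset_tag)
        "Actions"  = $($AssetActions -join "|")
    }
    $results += $lineout

}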
347 |
348 |
# Emit the per-asset report to the pipeline and also persist it. Note that
# Export-Csv resolves the relative path against the current location, not the
# script's folder, and builds its header from the first object in $results.
Write-Output $results
$results | Export-Csv -Path 'log.csv' -NoTypeInformation -Force
351 |
352 |
353 | ########### CopyPasta ###########
354 |
--------------------------------------------------------------------------------
/Nasty Stuff/encoder.py:
--------------------------------------------------------------------------------
1 | from Crypto.Cipher import AES
2 | from Crypto.Util.Padding import pad, unpad
3 | from base64 import b64encode, b64decode
4 | from binascii import unhexlify
5 |
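# Demo: encrypt a snippet of Python source with a fixed AES-256-CBC key/IV,
# print the material needed to decrypt it, then run the plaintext.
#
# Security notes (this is a toy, not a protection mechanism):
#  * key and IV are hard-coded and reused on every run, so the same input
#    always produces the same ciphertext, and anyone holding this file has
#    everything needed to decrypt.
#  * `key` is 32 ASCII hex characters used as raw bytes: a 256-bit key whose
#    bytes are drawn from a 16-symbol alphabet (~128 bits of entropy), not 256.
#  * CBC gives no integrity: a consumer that decrypts and exec()s this blob
#    should authenticate it (e.g. an HMAC over the ciphertext) first.
iv = unhexlify("7bde5a0f3f39fd658efc45de143cbc94")   # 16-byte CBC IV
key = b'3e83b13d99bf0de6c6bde5ac5ca4ae68'             # 32 bytes -> AES-256
cipher = AES.new(key, AES.MODE_CBC, iv)

# This is where your source code goes for the other bits n pieces.
your_source_code = """
import getpass

username = getpass.getuser()
# This code has a comment just to mess with things
print(f"{username} is the most powerful security practitioner in the world")
"""

# pad -> encrypt -> base64, so the blob can be pasted into another script.
encrypted_source = b64encode(cipher.encrypt(pad(your_source_code.encode('utf-8'), AES.block_size))).decode('utf-8')
print("Encrypted source:\n\t* * *\n", encrypted_source)
print("iv: ", iv)
print("key: ", key)
print("\t* * *\nValidating Source Code:\n\t* * *")
# exec() of embedded source: this is the same sink a loader would use, so the
# snippet above has to be trusted exactly as much as this file itself.
exec(your_source_code)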
26 |
--------------------------------------------------------------------------------
/Nasty Stuff/polymorphic.py:
--------------------------------------------------------------------------------
1 | import os
2 | import random
3 | from Crypto.Cipher import AES
4 | from Crypto.Util.Padding import pad, unpad
5 | from base64 import b64encode, b64decode
6 | from binascii import unhexlify, hexlify
7 | import secrets
8 |
def mutate_source(decrypted_source):
    """Re-encrypt ``decrypted_source`` under a fresh key/IV and rewrite this file.

    The three top-level assignments ``source_encrypted = '...'``,
    ``iv = '...'`` and ``key = '...'`` are replaced in place by a
    ``startswith`` match, so every run leaves a different ciphertext on disk
    while the plaintext (and the ``exec`` that runs it) stays the same. Any
    change to the exact form of those three lines silently breaks the rewrite.

    Args:
        decrypted_source: the plaintext Python source to re-encrypt.
    """
    filename = os.path.abspath(__file__)

    # 16 random bytes; kept as hex so they can be written back as a literal.
    new_iv_readable = secrets.token_hex(16)
    new_iv = unhexlify(new_iv_readable)

    # NOTE(review): the key is the 32-character hex *string* used as raw
    # bytes, i.e. a 256-bit AES key drawn from a 16-symbol alphabet
    # (~128 bits of entropy). The loader below does the same, so do not
    # change one side without the other.
    new_key_readable = secrets.token_hex(16)
    new_key = bytes(new_key_readable, 'utf-8')

    # CBC only - no authentication tag, so a tampered blob is not detected
    # before it reaches exec() on the next run.
    encrypt_cipher = AES.new(new_key, AES.MODE_CBC, new_iv)
    encrypted_data = pad(decrypted_source.encode('utf-8'), AES.block_size)  # padded plaintext, despite the name
    new_source_encrypted = b64encode(encrypt_cipher.encrypt(encrypted_data)).decode('utf-8')
    # cipher = AES.new(new_key, AES.MODE_CBC, new_iv)

    with open(filename, 'r') as file:
        lines = file.readlines()

    # Prefix match against this file's own literal layout. ``iv = unhexlify(iv)``
    # and ``key = bytes(...)`` do not start with ``iv = '`` / ``key = '`` and
    # are left alone.
    for i, line in enumerate(lines):
        if line.startswith("source_encrypted"):
            lines[i] = f"source_encrypted = \'{new_source_encrypted}\'\n"
        elif line.startswith("iv = \'"):
            lines[i] = f"iv = \'{new_iv_readable}\'\n"
        elif line.startswith("key = \'"):
            lines[i] = f"key = \'{new_key_readable}\'\n"

    # NOTE(review): 'w' truncates the file before writelines() runs; a crash
    # in between leaves a truncated script that cannot run again. Writing to
    # a temp file next to it and os.replace()-ing would make this atomic.
    with open(filename, 'w') as file:
        file.writelines(lines)
36 |
# Loader half. The next three string literals are the lines mutate_source()
# rewrites; keep them exactly in the form  iv = '...' / key = '...' /
# source_encrypted = '...'  (single quotes, one space around '='), because the
# rewrite is a plain startswith() match.
iv = '7bde5a0f3f39fd658efc45de143cbc94'
iv = unhexlify(iv)

key = '3e83b13d99bf0de6c6bde5ac5ca4ae68'
key = bytes(key, 'utf-8')   # hex string used as raw bytes -> 32-byte (AES-256) key

source_encrypted = 'rlwnC4udhkX1FNcI6SQVfML37bL+pHQyeu3Bc7Ou3Yfu4AC4F/WQ5OeaLtAVWlMgBOyqd9Alp38I6xIscHZ/OBi5P6s2uPyROROsKJISZKntAsZBztj37LuEqSYyBnchmn/FEzFvr31OkgXgP4G5qz2qgxxO9CpeenvwdgiMb7K6oNyD4X7GO9oR0+xCUStepeQQQsN/sYKUsSeTOh60MNwWNT5rqdXeFWvpAsgjKD0='

# Decrypt and run. There is no integrity check on the blob: a modified file
# either raises in unpad()/decode() or hands altered bytes straight to exec().
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted_source = unpad(cipher.decrypt(b64decode(source_encrypted)), AES.block_size).decode('utf-8')
exec(decrypted_source)

# Re-key and rewrite this file only after the payload ran without raising.
mutate_source(decrypted_source)
50 |
--------------------------------------------------------------------------------
/Network Tools/Get-DNSHostRecords.ps1:
--------------------------------------------------------------------------------
1 | # By Abe - https://grownuphacker.com
2 |
3 |
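# Get your current DNS to find the server.
# NOTE(review): this takes the first interface object Get-DnsClientServerAddress
# returns and its first address, across all interfaces and address families. On
# a multi-homed host (VPN, Hyper-V, IPv6 listed first) that may be empty or not
# the AD-integrated server you expect - set $myDns explicitly if in doubt.
$myDns = Get-DnsClientServerAddress |
    Select-Object -ExpandProperty ServerAddresses -First 1 |
    Select-Object -First 1

if (-not $myDns) {
    throw "No DNS server address found on this host; set `$myDns to the server to query."
}

# Grab the forward zones (skip reverse-lookup and _msdcs zones).
# Needs the DnsServer RSAT module and read rights on the server; the result is
# a full host inventory, so treat the output as sensitive.
$zones = Get-DnsServerZone -ComputerName $myDns |
    Where-Object { ($_.ZoneName -notlike "*.in-addr.arpa") -and ($_.ZoneName -notlike "_msdcs*") } |
    Select-Object -ExpandProperty ZoneName

# A List instead of array += so large zones do not go quadratic.
$results = New-Object System.Collections.Generic.List[object]

foreach ($zone in $zones) {

    # Only A / AAAA / CNAME. The HostName filter drops entries that already end
    # in the zone name (presumably FQDN-style records) - confirm that intent.
    $records = Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $myDns |
        Where-Object { $_.RecordType -in @('A', 'CNAME', 'AAAA') } |
        Where-Object { $_.HostName -notlike "*${zone}" }

    foreach ($record in $records) {

        # Classify by which RecordData property is populated; CNAME is the
        # fallback because the RecordType filter above admits nothing else.
        if ($record.RecordData.IPV4Address.IpAddressToString) {
            $recordType = "IP4"
            $recordData = $record.RecordData.IPV4Address.IpAddressToString
        } elseif ($record.RecordData.IPV6Address.IpAddressToString) {
            $recordType = "IP6"
            $recordData = $record.RecordData.IPV6Address.IpAddressToString
        } else {
            $recordType = "CNAME"
            $recordData = $record.RecordData.HostNameAlias
        }

        # '@' is the zone apex; every other name gets the zone appended.
        $hostData = $record.HostName
        if ($hostData -eq "@") {
            $Uri = "${zone}"
        } else {
            $Uri = "${hostData}.${zone}"
        }

        $results.Add([PSCustomObject]@{
            "Host"        = $hostData
            "URI"         = $Uri
            "Record Type" = $recordType
            "Record Data" = $recordData
            "Domain"      = $zone
        })
    }

}

$results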
56 |
--------------------------------------------------------------------------------
/PSADT_Tools/Deploy-Sysmon.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | .SYNOPSIS
3 | This script performs the installation or uninstallation of an application(s).
4 | # LICENSE #
5 | PowerShell App Deployment Toolkit - Provides a set of functions to perform common application deployment tasks on Windows.
6 | Copyright (C) 2017 - Sean Lillis, Dan Cunningham, Muhammad Mashwani, Aman Motazedian.
7 | This program is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
8 | You should have received a copy of the GNU Lesser General Public License along with this program. If not, see .
9 | .DESCRIPTION
10 | The script is provided as a template to perform an install or uninstall of an application(s).
11 | The script either performs an "Install" deployment type or an "Uninstall" deployment type.
12 | The install deployment type is broken down into 3 main sections/phases: Pre-Install, Install, and Post-Install.
13 | The script dot-sources the AppDeployToolkitMain.ps1 script which contains the logic and functions required to install or uninstall an application.
14 | .PARAMETER DeploymentType
15 | The type of deployment to perform. Default is: Install.
16 | .PARAMETER DeployMode
17 | Specifies whether the installation should be run in Interactive, Silent, or NonInteractive mode. Default is: Interactive. Options: Interactive = Shows dialogs, Silent = No dialogs, NonInteractive = Very silent, i.e. no blocking apps. NonInteractive mode is automatically set if it is detected that the process is not user interactive.
18 | .PARAMETER AllowRebootPassThru
19 | Allows the 3010 return code (requires restart) to be passed back to the parent process (e.g. SCCM) if detected from an installation. If 3010 is passed back to SCCM, a reboot prompt will be triggered.
20 | .PARAMETER TerminalServerMode
21 | Changes to "user install mode" and back to "user execute mode" for installing/uninstalling applications for Remote Destkop Session Hosts/Citrix servers.
22 | .PARAMETER DisableLogging
23 | Disables logging to file for the script. Default is: $false.
24 | .EXAMPLE
25 | powershell.exe -Command "& { & '.\Deploy-Application.ps1' -DeployMode 'Silent'; Exit $LastExitCode }"
26 | .EXAMPLE
27 | powershell.exe -Command "& { & '.\Deploy-Application.ps1' -AllowRebootPassThru; Exit $LastExitCode }"
28 | .EXAMPLE
29 | powershell.exe -Command "& { & '.\Deploy-Application.ps1' -DeploymentType 'Uninstall'; Exit $LastExitCode }"
30 | .EXAMPLE
31 | Deploy-Application.exe -DeploymentType "Install" -DeployMode "Silent"
32 | .NOTES
33 | Toolkit Exit Code Ranges:
34 | 60000 - 68999: Reserved for built-in exit codes in Deploy-Application.ps1, Deploy-Application.exe, and AppDeployToolkitMain.ps1
35 | 69000 - 69999: Recommended for user customized exit codes in Deploy-Application.ps1
36 | 70000 - 79999: Recommended for user customized exit codes in AppDeployToolkitExtensions.ps1
37 | .LINK
38 | http://psappdeploytoolkit.com
39 | #>
[CmdletBinding()]
Param (
    [Parameter(Mandatory=$false)]
    [ValidateSet('Install','Uninstall')]
    [string]$DeploymentType = 'Install',
    [Parameter(Mandatory=$false)]
    [ValidateSet('Interactive','Silent','NonInteractive')]
    [string]$DeployMode = 'Interactive',
    [Parameter(Mandatory=$false)]
    [switch]$AllowRebootPassThru = $false,
    [Parameter(Mandatory=$false)]
    [switch]$TerminalServerMode = $false,
    [Parameter(Mandatory=$false)]
    [switch]$DisableLogging = $false
)

Try {
    ## Set the script execution policy for this process
    ## (Process scope only - the machine and user policies are not changed.)
    Try { Set-ExecutionPolicy -ExecutionPolicy 'ByPass' -Scope 'Process' -Force -ErrorAction 'Stop' } Catch {}

    ##*===============================================
    ##* VARIABLE DECLARATION
    ##*===============================================
    ## Variables: Application
    [string]$appVendor = 'Sysinternals'
    [string]$appName = 'Sysmon'
    ## $appVersion is also written to HKLM:\Software\Sysmon\version in
    ## Post-Installation and is what the detection rule is meant to read.
    [string]$appVersion = '10.1'
    [string]$appArch = 'x64'
    [string]$appLang = 'EN'
    [string]$appRevision = '01'
    [string]$appScriptVersion = '1.0.0'
    [string]$appScriptDate = '02/12/2017'
    [string]$appScriptAuthor = 'Big Abe'
    ##*===============================================
    ## Variables: Install Titles (Only set here to override defaults set by the toolkit)
    [string]$installName = ''
    [string]$installTitle = ''

    ##* Do not modify section below
    #region DoNotModify

    ## Variables: Exit Code
    [int32]$mainExitCode = 0

    ## Variables: Script
    [string]$deployAppScriptFriendlyName = 'Deploy Application'
    [version]$deployAppScriptVersion = [version]'3.7.0'
    [string]$deployAppScriptDate = '02/13/2018'
    [hashtable]$deployAppScriptParameters = $psBoundParameters

    ## Variables: Environment
    If (Test-Path -LiteralPath 'variable:HostInvocation') { $InvocationInfo = $HostInvocation } Else { $InvocationInfo = $MyInvocation }
    [string]$scriptDirectory = Split-Path -Path $InvocationInfo.MyCommand.Definition -Parent

    ## Dot source the required App Deploy Toolkit Functions
    Try {
        [string]$moduleAppDeployToolkitMain = "$scriptDirectory\AppDeployToolkit\AppDeployToolkitMain.ps1"
        If (-not (Test-Path -LiteralPath $moduleAppDeployToolkitMain -PathType 'Leaf')) { Throw "Module does not exist at the specified location [$moduleAppDeployToolkitMain]." }
        If ($DisableLogging) { . $moduleAppDeployToolkitMain -DisableLogging } Else { . $moduleAppDeployToolkitMain }
    }
    Catch {
        If ($mainExitCode -eq 0){ [int32]$mainExitCode = 60008 }
        Write-Error -Message "Module [$moduleAppDeployToolkitMain] failed to load: `n$($_.Exception.Message)`n `n$($_.InvocationInfo.PositionMessage)" -ErrorAction 'Continue'
        ## Exit the script, returning the exit code to SCCM
        If (Test-Path -LiteralPath 'variable:HostInvocation') { $script:ExitCode = $mainExitCode; Exit } Else { Exit $mainExitCode }
    }

    #endregion
    ##* Do not modify section above
    ##*===============================================
    ##* END VARIABLE DECLARATION
    ##*===============================================

    If ($deploymentType -ine 'Uninstall') {
        ##*===============================================
        ##* PRE-INSTALLATION
        ##*===============================================
        [string]$installPhase = 'Pre-Installation'

        ## Show Welcome Message, close Internet Explorer if required, allow up to 3 deferrals, verify there is enough disk space to complete the install, and persist the prompt
        #Show-InstallationWelcome -CloseApps 'iexplore' -AllowDefer -DeferTimes 3 -CheckDiskSpace -PersistPrompt

        ## Show Progress Message (with the default message)
        Show-InstallationProgress


        ##

        ## Best-effort teardown of any previous Sysmon: stop both service names,
        ## ask each binary to uninstall itself, then delete the services.
        ## Every step here is told to continue on error, so leftovers are not fatal.
        #stop any Processes - save some headache
        get-service sysmon -ErrorAction SilentlyContinue | stop-service -ErrorAction SilentlyContinue
        get-service sysmon64 -ErrorAction SilentlyContinue | stop-service -ErrorAction SilentlyContinue

        ## Use these binaries to uninstall any troubleshooting / snowflake entries ( I found a LOT in my shop)

        ## NOTE(review): relative paths - presumably resolved against $dirFiles
        ## by Execute-Process; confirm both binaries ship in the Files folder.
        Execute-Process -Path "sysmon.exe" -Parameters "-u force" -WindowStyle 'Hidden' -ContinueOnError:$true
        Execute-Process -Path "sysmon64.exe" -Parameters "-u force" -WindowStyle 'Hidden' -ContinueOnError:$true

        ## Go big on the failed deployment checking
        ## Using PSADT to run 'sc delete' kind of feels like using a corvette to pull a wagon
        # I used start-process originally - but forgot to add the -wait so I broke lots of things and blamed everyone but myself.
        Execute-Process -Path "sc.exe" -Parameters "delete sysmon" -WindowStyle 'Hidden' -ContinueOnError:$true
        Execute-Process -Path "sc.exe" -Parameters "delete sysmon64" -WindowStyle 'Hidden' -ContinueOnError:$true


        ## Remove any existing orphaned binaries
        Remove-File -Path "$env:windir\sysmon64.exe" -erroraction SilentlyContinue
        Remove-File -Path "$env:windir\sysmon.exe" -erroraction SilentlyContinue
        Remove-File -path "C:\windows\CCMTEMP\sysmon.exe" -erroraction SilentlyContinue

        ## Create the workaround folder.
        ## NOTE(review): security. C:\Temp sits directly under the drive root,
        ## so it normally inherits ACEs that let Authenticated Users create and
        ## replace files in it (confirm on your image). The Installation phase
        ## copies sysmon.exe and the XML config here and then runs the binary as
        ## SYSTEM, which leaves a window in which a local user could swap
        ## sysmon.exe (code execution as SYSTEM) or the config (a permissive
        ## one). Stage in a folder with an explicit SYSTEM/Administrators-only
        ## ACL, or at least verify the binary's signature/hash right before
        ## launch. -Force also silently reuses a pre-existing C:\Temp, whatever
        ## its ownership and contents.
        New-Item "C:\Temp" -itemType Directory -Force


        ##*===============================================
        ##* INSTALLATION
        ##*===============================================
        [string]$installPhase = 'Installation'

        ## Handle Zero-Config MSI Installations
        ## (Toolkit template hook; Sysmon is not an MSI, so this is a no-op unless an MSI sits in Files.)
        If ($useDefaultMsi) {
            [hashtable]$ExecuteDefaultMSISplat = @{ Action = 'Install'; Path = $defaultMsiFile }; If ($defaultMstFile) { $ExecuteDefaultMSISplat.Add('Transform', $defaultMstFile) }
            Execute-MSI @ExecuteDefaultMSISplat; If ($defaultMspFiles) { $defaultMspFiles | ForEach-Object { Execute-MSI -Action 'Patch' -Path $_ } }
        }

        ##
        #Workaround because Sysmon hates me!
        # (Much frustration later comment) Turns out Sysmon hates others: `
        # https://social.technet.microsoft.com/Forums/azure/en-US/a89efd1d-878d-4b75-ae8e-6daefbcec6cc/sysmon-5200-deployment-issues-via-sccm?forum=miscutils
        # Copy to a temp

        Copy-Item "$dirFiles\sysmon.exe" "C:\Temp\" -Force
        Copy-Item "$dirSupportFiles\sysmonconfig-export.xml" "C:\Temp\" -Force

        # More Workaround because CCM Client hates me. This is getting ridiculous.
        # Read more... where some internet stranger called me 'Ape'
        # https://social.technet.microsoft.com/Forums/en-US/a89efd1d-878d-4b75-ae8e-6daefbcec6cc/sysmon-5200-deployment-issues-via-sccm?forum=miscutils

        ## Overrides TMP for this process only. Post-Installation resets it to a
        ## hard-coded path rather than the previous value; capture $env:TMP here
        ## first if the original value matters.
        $env:TMP = "C:\Temp\"

        # Basic install with whatever config is in this folder
        ## NOTE(review): Start-Process without -PassThru yields no exit code, so
        ## a failed Sysmon install is not detected here; Execute-Process (or
        ## -PassThru and a check of .ExitCode) would surface it. "-n" presumably
        ## turns on network-connection logging - confirm against the shipped
        ## Sysmon version.
        Start-Process -FilePath "C:\Temp\sysmon.exe" -ArgumentList "-accepteula -i `"C:\Temp\sysmonconfig-export.xml`" -n" -WindowStyle Hidden -Wait

        # Add the permissions for Windows Event Forwarding.
        # Don't be a muppet, move gradually from WEF to SIEM - or just thank me for setting the permissions.
        ## SDDL: SYSTEM full (0xf0007), Administrators 0x7, and read (0x1) for
        ## Backup Operators, Server Operators, Event Log Readers (S-1-5-32-573)
        ## and NETWORK SERVICE (S-1-5-20) - the last two are what a WEF
        ## subscription reads with. /ca: replaces the channel ACL outright.
        Start-Process -Filepath 'wevtutil.exe' `
            -ArgumentList "sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)" `
            -Wait

        ##*===============================================
        ##* POST-INSTALLATION
        ##*===============================================
        [string]$installPhase = 'Post-Installation'

        ##

        # Track versions in the registry to make detection and version changes easy.
        # Just blow me kisses across a conference floor next time you upgrade sysmon . . .

        ## NOTE(review): no -Force, so on a host where the key already exists
        ## (re-run or upgrade) this errors; whether that aborts the script
        ## depends on the toolkit's error preference. New-Item ... -Force is
        ## idempotent.
        New-Item HKLM:\Software\Sysmon
        Set-RegistryKey -Key 'HKEY_LOCAL_MACHINE\SOFTWARE\Sysmon' -name 'version' -value $appVersion

        # Sweep the floor behind ourselves on the way out the door.
        ## Deletes the whole folder, including anything a pre-existing C:\Temp held.
        Remove-Item C:\Temp -Recurse -Force -confirm:$false
        ## Hard-coded restore value (see the TMP note in the Installation phase).
        $env:TMP = "C:\Windows\CCMTemp\"
        ## Display a message at the end of the install
        If (-not $useDefaultMsi) { Show-InstallationPrompt -Message 'SYSMON has been installed and configured' -ButtonRightText 'OK' -Icon Information -NoWait }
    }
    ElseIf ($deploymentType -ieq 'Uninstall')
    {
        ##*===============================================
        ##* PRE-UNINSTALLATION
        ##*===============================================
        [string]$installPhase = 'Pre-Uninstallation'

        ## Show Welcome Message, close Internet Explorer with a 60 second countdown before automatically closing
        Show-InstallationWelcome -CloseApps 'iexplore' -CloseAppsCountdown 60

        ## Show Progress Message (with the default message)
        Show-InstallationProgress

        ##


        ##*===============================================
        ##* UNINSTALLATION
        ##*===============================================
        [string]$installPhase = 'Uninstallation'

        ## Handle Zero-Config MSI Uninstallations
        If ($useDefaultMsi) {
            [hashtable]$ExecuteDefaultMSISplat = @{ Action = 'Uninstall'; Path = $defaultMsiFile }; If ($defaultMstFile) { $ExecuteDefaultMSISplat.Add('Transform', $defaultMstFile) }
            Execute-MSI @ExecuteDefaultMSISplat
        }

        #

        ## NOTE(review): only the 32-bit binary name is handled here, whereas
        ## Pre-Installation also deals with sysmon64.exe. If the install left
        ## Sysmon64.exe in %windir% (presumably the case on x64 hosts -
        ## confirm), this branch removes nothing and the driver stays loaded.
        if(Test-Path $env:windir\sysmon.exe -PathType 'Leaf') {
            Execute-Process -Path "$env:windir\Sysmon.exe" -Parameters '-u' -WindowStyle 'Hidden'
            Remove-File -Path "$env:windir\sysmon.exe"
        }

        ## Use our custom version numbers to track the config and the installed versions.


        ##*===============================================
        ##* POST-UNINSTALLATION
        ##*===============================================
        [string]$installPhase = 'Post-Uninstallation'

        ## Registry Cleanup

        ## Remove the version marker so the detection rule no longer reports Sysmon as installed.
        try{
            $sysmonflag = Get-ItemProperty HKLM:\Software\Sysmon\ -erroraction stop | Select-Object -expandproperty version
        }catch{}

        if($sysmonflag){Remove-ItemProperty HKLM:\Software\Sysmon -name version}
        remove-item "HKLM:\Software\Sysmon"
    }

    ##*===============================================
    ##* END SCRIPT BODY
    ##*===============================================

    ## Call the Exit-Script function to perform final cleanup operations
    Exit-Script -ExitCode $mainExitCode
}
Catch {
    ## Any unhandled error: log it, show it, and return the toolkit's generic failure code.
    [int32]$mainExitCode = 60001
    [string]$mainErrorMessage = "$(Resolve-Error)"
    Write-Log -Message $mainErrorMessage -Severity 3 -Source $deployAppScriptFriendlyName
    Show-DialogBox -Text $mainErrorMessage -Icon 'Stop'
    Exit-Script -ExitCode $mainExitCode
}
274 |
--------------------------------------------------------------------------------
/PSADT_Tools/Readme.MD:
--------------------------------------------------------------------------------
1 | The first of many. Using the latest copy of PSADT, just grab any of these files and replace the Deploy-Application.PS1 with them.
2 |
3 | Massage according to plans. Enjoy.
4 |
5 | ### Deploy-Sysmon.ps1
6 |
7 | Go read about my loathsome adventures: https://blueteam.ninja/blog/Sysmon-vs-SCCM/
8 |
9 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | # Tools
3 | A few things I've slapped together over time. I hope you find them useful.
4 | For you blueberries, just [Download](https://github.com/BlueTeamNinja/Tools/archive/master.zip "The path to greatness") from here.
5 |
6 | Do not fold or bend.
7 |
8 | **Script** | What it does... | Requisites
9 | ---|---|---:
10 | ||
*AD Tools* |
11 | **Intentional-Lockout** | Locks out a specified account. Used to test Event alerting, WMI query testing, and SIEM trigger. | *None*
12 | **Get-QuickPCInfo** | Toss in hostnames and glob together logged in User, with some AD details. | *None*
13 | ||
General Tools|
14 | **SMS Alert** | Because a tsunami of emails **AFTER** you've fixed Exchange saying "*Exchange is down*" is just embarrassing. | *None*
15 | **Mass E-Mailer** | *Coming soon - still scrubbing*, internal tool for emailing PoSH objects in bulk, grouped by an item (Usually a person, group by Supervisors etc). | *NA*
16 | **Open Ports** | _Netstat is boring_. Lucky for you, I'm not. I just added a bit of tweak for some decent info for listening ports. | *None*
17 | **Firefox Details** | I needed it once, I'm sharing it now. Hunts versions of 32 or 64-bit for SCCM detection or whatever. | *None*
18 | **Enable Copy/Paste** | Sets 'isolation.tools.copy.disable' to FALSE on VMs matched by a wildcard. | **PowerCLI**
19 | ||
Ninja Bucket|
20 | **View Agent Logs** | Parsing out connection times regardless of protocol (PCoIP, RDP, etc). It's a snitch report. | *Horizon View Agent 4.X+*
21 | **Nuketown** | Pass an app string, easily signed, and nuke all instances on a remote PC (I.e. Java, Oracle, TightVNC). Easy pave for SCCM. | *A pulse*
22 | **Email Rescue Ops** | Exchange likes to topple over, and people get all uppity. This is a somewhat frequent cause, and an auto-doc to fix it. | *On Prem Exchange*
23 | ||
API Tools|
24 | **User Find** | Starts a listener for *really fast* API lookups | *Requires [Polaris](https://www.powershellgallery.com/packages/Polaris/0.2.0)*
25 | ||