├── Misc
│   ├── AutoRunRegLocations.md
│   ├── changePasswords.bat
│   └── disable_psexec.md
├── Mof
│   ├── cmdeveryminute.mof
│   └── processTopayload.mof
├── Powershell
│   ├── OUMove.ps1
│   ├── SetDirectoryAuditRule.ps1
│   ├── StartupDirectoryList.ps1
│   ├── bulkAddUsers.ps1
│   ├── changePasswords.ps1
│   ├── createdUserDetect.ps1
│   ├── disableNetbiosTcpip.ps1
│   ├── newSchtaskAudit.ps1
│   ├── newServicesAudit.ps1
│   ├── registryChangeAudit.ps1
│   └── wmiDetect.ps1
└── README.md

/Misc/AutoRunRegLocations.md:
--------------------------------------------------------------------------------
Use this on a domain controller to query (some) autorun registry locations on your domain.
hosts.txt is a file with all hosts (one per line).
Note that these are only a few of the *many many* autorun registry locations.
Also note that HKCU here is the hive of the account PsExec runs the command as, not the hive of whoever is logged on interactively; other users' hives live under HKEY_USERS\<SID>.

```
psexec.exe @hosts.txt reg query <one of the keys below>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

# For 32 bit locations on a 64 bit system
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
```
--------------------------------------------------------------------------------
/Misc/changePasswords.bat:
--------------------------------------------------------------------------------
:: Batch file for changing the password of every user in a domain except the ones called scorebot or krbtgt
:: Used this for a competition so the scorebot password needed to remain the same
:: Changing the krbtgt password can be ok sometimes, but also might be dangerous.
:: dsquery prints "CN=<name>,OU=...,DC=...", so token 2 split on , and = is the CN.
:: Inside a .bat file FOR variables are written %%i (a single % only works when typed at the prompt).

FOR /F "usebackq tokens=2 delims=,=" %%i IN (`dsquery user -name *`) DO (IF /I "%%i"=="scorebot" (echo pass) ELSE IF /I "%%i"=="krbtgt" (echo pass) ELSE (net user "%%i" Passord1!))
--------------------------------------------------------------------------------
/Misc/disable_psexec.md:
--------------------------------------------------------------------------------
This is a crazy spell that will somehow disable PSExec due to some Windows magic.
Credit to [John Lambert's tweet](https://twitter.com/johnlatwc/status/802218490404798464?lang=en) for telling me how to do this.

Below is an sc query of the Service Control Manager's security descriptor and the expected output when PSExec is ENABLED:
```
sc.exe \\targethost sdshow scmanager
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)
```

Run this command in a CMD shell (not Powershell) to disable psexec on the target. The added `(D;;GA;;;NU)` ACE denies all access to network logons (NU), so besides PSExec it also blocks other remote service management (remote `sc`, the Services MMC against that host) until it is removed:
```
sc.exe \\targethost sdset scmanager D:(D;;GA;;;NU)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)
```
--------------------------------------------------------------------------------
/Mof/cmdeveryminute.mof:
--------------------------------------------------------------------------------
// This file is a MOF file that uses an EventFilter, CommandLineEventConsumer and FilterToConsumerBinding to fire off a cmd every minute

// Define the namespace that this subscription should live in. This is a popular spot
#pragma namespace ("\\\\.\\root\\subscription")

// Define a Command Line Event Consumer. This will fire off the command of my choosing every time the Event Filter catches something
instance of CommandLineEventConsumer as $ConsStart
{
    Name = "ProcExpStart";
    CommandLineTemplate = "{c:\\windows\\system32\\cmd.exe}";
};

// WQL Event Filter that fires every time the seconds equal 0
instance of __EventFilter as $FiltStart
{
    Name = "StartFilterProcess";
    Query = "Select * from Win32_LocalTime WHERE Second = 00 ";
    QueryLanguage = "WQL";
    EventNameSpace = "root\\cimv2";
};

// Bind the above Consumer and Filter so Windows knows what to fire off when the Filter catches something
instance of __FilterToConsumerBinding
{
    Filter = $FiltStart;
    Consumer = $ConsStart;
};
--------------------------------------------------------------------------------
/Mof/processTopayload.mof:
--------------------------------------------------------------------------------
// This MOF file will trigger a command line template every time a filter catches something.
// The filter here (StartFilterProcess) looks for a process with a certain name starting.
// Some generic payload.bat file is listed as the consumer

// Define the namespace that this subscription should live in. This is a popular spot
#pragma namespace ("\\\\.\\root\\subscription")

// Define a Command Line Event Consumer. This will fire off the command of my choosing every time the Event Filter catches something
instance of CommandLineEventConsumer as $ConsStart
{
    Name = "ProcExpStart";
    CommandLineTemplate = "{c:\\windows\\system32\\payload.bat}";
};

// Event Filter that looks for a process whose name contains 'procexp'
// This can be used to look for processes that have started.
// So, if you want to kill a program every time it starts up, this could be a way to do that
instance of __EventFilter as $FiltStart
{
    Name = "StartFilterProcess";
    Query = "SELECT * FROM Win32_ProcessTrace WHERE ProcessName LIKE \"%procexp%\"";
    QueryLanguage = "WQL";
    EventNameSpace = "root\\cimv2";
};

// Bind the above Consumer and Filter so Windows knows what to fire off when the Filter catches something
instance of __FilterToConsumerBinding
{
    Filter = $FiltStart;
    Consumer = $ConsStart;
};
--------------------------------------------------------------------------------
/Powershell/OUMove.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
This script will move AD Computer objects into or out of a specified OU.
The default is to move 50% of the computers to that OU at random, but you can
also pass in a file with a list of computers you wish to move, specify a custom
percentage or specify an exact number.
This was built for an exercise so the random factor was desired. Randomness is not required.

.PARAMETER ou
The OU that you would like to move computer objects into

.PARAMETER file
File that contains computers which are to move to the new OU
This should be one computer name per line

.PARAMETER remove
Set this boolean parameter to remove Computers from the OU instead of adding them to the OU.
If remove is used with a file, then those listed computers will be removed from any OUs and
placed in the generic 'Computers' container.
If remove is used without a file, then all computers in the specified OU are removed from the OU
and placed in the generic 'Computers' container.

The default is to add computers to the specified OU

.PARAMETER percent
Set this parameter if you wish to move a random percentage of the computers in a Domain to an OU.
Pass in as an INT.
Example: pass in 25 for this parameter to move 25% of the computers to the OU

.PARAMETER number
Set this parameter to move an exact number of computers to an OU.
#>
Param(
    [Parameter(Mandatory=$true)][String]$ou,
    [Parameter(Mandatory=$false)][String]$file,
    [Parameter(Mandatory=$false)][bool]$remove=$false,
    [Parameter(Mandatory=$false)][int]$percent=50,
    [Parameter(Mandatory=$false)][int]$number
)


function Get-RandomNumbers{
<#
.SYNOPSIS
Generates *count* different random numbers in a range from 0 to Max.
Returns an array of these values
#>

    param (
        [Parameter(Mandatory=$true)][int]$count,
        [Parameter(Mandatory=$true)][int]$max
    )

    # error checking
    if($count -gt $max){
        Write-Error "Count cannot be greater than max"
        return
    }

    $rands = @() # init array of randoms

    # Generate a new random number *count* times
    for($i = 0; $i -lt $count; $i++){

        # generate a number that is not already in the list
        $n = Get-Random -Minimum 0 -Maximum $max
        while($n -in $rands){
            $n = Get-Random -Minimum 0 -Maximum $max
        }

        $rands += $n # add random number to the list
    }
    return $rands
}

# Resolve the two possible destinations once: the requested OU and the generic Computers container.
# Filter on ObjectClass too so that a user or group that happens to be named "Computers" is not picked up.
$ouObject = Get-AdOrganizationalUnit -Filter "Name -like `"$ou`""
$computersContainer = Get-AdObject -Filter 'Name -eq "Computers" -and ObjectClass -eq "container"'

$computers = @() # init array of computers

# if a file is specified, add all computers in that file to the list
if($file){
    Get-Content -Path $file | ForEach-Object {
        $computers += Get-AdComputer -Filter "Name -like `"$_`""
    }

    # with a file, -remove decides the direction: out to the Computers container or into the OU
    if($remove){
        $target = $computersContainer
    }
    else{
        $target = $ouObject
    }
}

# if no file is specified and remove is not specified, then we should generate a random list of computers
elseif (!$remove){
    $all = Get-AdComputer -Filter *

    # if a specific number is not given, then use a percentage of the total computers in the domain
    if(!$number){
        $number = [int]($all.count*($percent/100)) # calc a percentage of the total number of computers
    }

    $number = [Math]::Min($number, $all.count) # make sure to not generate more numbers than computers
    $indexes = Get-RandomNumbers -count $number -max $all.count

    # add each random index from all computers to the list of computers we wish to move
    foreach($i in $indexes){
        $computers += $all[$i]
    }

    # set the move-to target to the desired OU
    $target = $ouObject
}

# no file specified and remove is set.
# Must get objects from the specific OU to remove them all
else{
    # get all computers in the OU
    $computers = Get-AdComputer -Filter * -SearchBase $ouObject

    # Set the move-to target to be the generic computers container
    $target = $computersContainer
}

Write-Host "COMPUTERS TO MOVE"
$computers

# move all computers in the array to the target (TargetPath wants the distinguished name)
foreach($computer in $computers){
    Move-AdObject -Identity $computer -TargetPath $target.DistinguishedName
}
--------------------------------------------------------------------------------
/Powershell/SetDirectoryAuditRule.ps1:
--------------------------------------------------------------------------------
# Add an audit rule to the startup directory of every user on every computer in the domain
# Note that the startup location might be different than listed here

foreach($account in Get-ADUser -Filter *){
    $username = $account.SamAccountName
    foreach($system in Get-ADComputer -Filter *){
        $computername = $system.name
        try{
            $dir = "\\$computername\C$\Users\$username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
            if(-not (Test-Path $dir)){
                throw "Directory does not exist"
            }
            # -Audit is needed to read the SACL (and to write it back below); that requires
            # SeSecurityPrivilege on the remote host, which administrators have
            $directoryACL = Get-Acl -Path $dir -Audit

            # This is the line that does the magic
            # The rule below audits Success for CreateFiles by Everyone. It does not deny anything:
            # it makes Windows log event 4663 whenever somebody creates a file in the directory.
            # Nothing is logged unless the "Audit File System" subcategory (Object Access) is enabled on the host.
            # Constructor arguments are (identity, rights, inheritance flags, propagation flags, audit flags).
            # For more info: https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemauditrule?view=netframework-4.8
            $accessrule = New-Object System.Security.AccessControl.FileSystemAuditRule(`
                "Everyone", "CreateFiles", "None", "None", "Success")
            $directoryACL.AddAuditRule($accessrule)

            # write the modified SACL back to the directory, then show its contents
            Set-Acl -Path $dir -AclObject $directoryACL
            Get-ChildItem $dir
        }
        catch{
            # Failure can mean that the host is off or the dir does not exist (user has not logged on)
        }
    }
}
--------------------------------------------------------------------------------
/Powershell/StartupDirectoryList.ps1:
--------------------------------------------------------------------------------
# List the contents of the startup directory for all computers and all users in the domain
# Note that the startup location might be different than listed here

foreach($account in Get-ADUser -Filter *){
    $username = $account.SamAccountName
    foreach($system in Get-ADComputer -Filter *){
        $computername = $system.name
        $dir = "\\$computername\C$\Users\$username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        if(Test-Path $dir){
            Get-ChildItem $dir
        }
    }
}
--------------------------------------------------------------------------------
/Powershell/bulkAddUsers.ps1:
--------------------------------------------------------------------------------
# Easy Bulk User Add Script
# Check to make sure the CSV has the required fields (username, Role, Password, "First name") or change the fields to what you want
# CSV should have headers in it

$csv = Import-Csv 'INSERT LOCATION OF FILE HERE IN SINGLE QUOTES'
$csv


foreach($line in $csv){
    # Saving some vars for later
    $samaccountname = $line.username
    $OU = $line.Role
    $password = $line.Password

    # From the Active Directory Module.
    # See this link for more info on the module https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps
    New-ADUser -Name $line.'First name' -SamAccountName $samaccountname -Path "OU=$OU,DC=INSERT (CORP/SALES/PRODUCTION) HERE,DC=team1,DC=tu" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PasswordNeverExpires $true -Enabled $true

}
--------------------------------------------------------------------------------
/Powershell/changePasswords.ps1:
--------------------------------------------------------------------------------
# For each user in the domain, change the password of that user
foreach($user in Get-ADUser -Filter *){
    # Have to use ConvertTo-SecureString here because Set-ADAccountPassword does not accept a plaintext password
    Set-ADAccountPassword -Identity $user -NewPassword (ConvertTo-SecureString -String 'Password1!' -AsPlainText -Force) -Reset
}
--------------------------------------------------------------------------------
/Powershell/createdUserDetect.ps1:
--------------------------------------------------------------------------------
# This should detect new users that were created within the last x amount of time
# (event 4720 is only written when "Audit User Account Management" is enabled, which it is by default on DCs)

# Params that this takes, with defaults set to find new users in the last 30 min
param(
    [int]$hour = 0,
    [int]$minute = 30
)
$current = Get-Date
$start = $current.AddHours(-1*$hour).AddMinutes(-1*$minute)
Get-EventLog -LogName Security -After $start -InstanceId 4720 # 4720 is the user created event log ID
--------------------------------------------------------------------------------
/Powershell/disableNetbiosTcpip.ps1:
--------------------------------------------------------------------------------
# Script to disable NetBIOS over TCP for every computer in the domain

# for each computer in the domain,
foreach($system in Get-AdComputer -Filter *){
    $computername = $system.name
    $adapters = Get-WmiObject -ComputerName $computername Win32_NetworkAdapterConfiguration

    # turn off netbios over tcp for every network adapter that has an IP address (2 = disable)
    foreach($adapter in $adapters){
        if($null -ne $adapter.IPAddress){
            $adapter.SetTcpipNetbios(2)
        }
    }
}
--------------------------------------------------------------------------------
/Powershell/newSchtaskAudit.ps1:
--------------------------------------------------------------------------------
# Audit each system in the domain for new scheduled tasks that were created in the last x hours

param(
    [int]$hour = 3
)

# For each system in the domain,
foreach($system in Get-AdComputer -Filter *){
    $computername = $system.name
    $currenttime = Get-Date
    $hoursago = $currenttime.AddHours(0-$hour) # add negative hours here to go back in time

    # Query event log for event ID 4698, new scheduled task
    # (only logged when the "Audit Other Object Access Events" subcategory is enabled)
    Get-WinEvent -ComputerName $computername -FilterHashtable @{
        logname='Security';
        id=4698;
        StartTime=$hoursago} -ErrorAction SilentlyContinue |
        Format-List
}
--------------------------------------------------------------------------------
/Powershell/newServicesAudit.ps1:
--------------------------------------------------------------------------------
# Audit all computers in a domain for any new services created in the last X hours

param(
    [int]$hour = 3
)

# for each system in the domain,
foreach($system in Get-AdComputer -Filter *){
    $computername = $system.name
    $currenttime = Get-Date
    $hoursago = $currenttime.AddHours(0-$hour) # have to add negative hours here to go back in time

    # check for any services that were created (event ID 7045, System log)
    Get-WinEvent -ComputerName $computername -FilterHashtable @{
        logname='System';
        id=7045;
        StartTime=$hoursago} -ErrorAction SilentlyContinue |
        Format-List
}
--------------------------------------------------------------------------------
/Powershell/registryChangeAudit.ps1:
--------------------------------------------------------------------------------
# Audit each system in the domain for registry changes in the last X hours

param(
    [int]$hour = 3
)

# For each system in the domain,
foreach($system in Get-AdComputer -Filter *){
    $computername = $system.name
    $currenttime = Get-Date
    $hoursago = $currenttime.AddHours(0-$hour) # add negative hours here to go back in time

    # Query event log for event ID 4657, registry value modified
    # (only logged when "Audit Registry" is enabled AND the key carries a SACL that audits Set Value)
    Get-WinEvent -ComputerName $computername -FilterHashtable @{
        logname='Security';
        id=4657;
        StartTime=$hoursago} -ErrorAction SilentlyContinue |
        Format-List
}
--------------------------------------------------------------------------------
/Powershell/wmiDetect.ps1:
--------------------------------------------------------------------------------
# Will list WMI subscriptions (filter-to-consumer bindings) on all computers in the domain

foreach($system in Get-AdComputer -Filter *){
    $computername = $system.name
    Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -ComputerName $computername |
        Format-List -Property Path
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# WindowsScripts
Some scripts and things that are useful for Windows things
Thanks to Dr. Mike O'Leary (Twitter: [@MikeOlearyTU](https://twitter.com/MikeOLearyTu) ) and his book [Cyber Operations](https://www.apress.com/us/book/9781484242933) for a lot of these


## Misc
1. AutorunRegistryLocations -- a handful of autorun locations in the registry and how to query them using PSExec
2. changePasswords.bat -- Batch one-liner to change all the passwords in a domain
3. disable_Psexec -- Magical spell that will turn off PSexec for you

## MOF
1. cmdeveryminute -- MOF file that will fire off a command prompt every minute
2. processToPayload -- MOF file that will fire off a payload or other program of your choosing each time that another program starts up

## Powershell
1. bulkaddusers -- Add a whole bunch of users to AD from a CSV file
2. changepasswords -- Change the passwords for all the users in a domain
3. createdUserDetect -- Query the event log to determine if any new users have been added
4. disableNetBiosTcpip -- Disable NetBIOS over TCP on every adapter for every system in a domain
5. newSchTaskAudit -- Query all computers on a domain for new Scheduled Tasks
6. newServicesAudit -- Query the event log to find any services that have been created on any domain computer in the last X amount of time
7. OUmove -- Move users in and out of an Active Directory Organizational Unit
8. registryChangeAudit -- Query the domain computers for any registry values that have been changed in the last X amount of time
9. setDirectoryAuditRule -- Set the permissions of a directory on every computer in the domain
10. StartupDirectoryList -- List the files that are in each user's startup directory on every computer on the domain
11. wmiDetect -- List the WMI Subscriptions for each computer on the domain
--------------------------------------------------------------------------------
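The autorun survey in AutoRunRegLocations.md, redone over PowerShell Remoting instead of PsExec. This is an added example, not code from the repository: it reads the same Run/RunOnce/Winlogon keys under HKLM and under every user hive currently loaded in HKEY_USERS, so it sees the Run keys of logged-on users rather than only the HKCU of the querying account. The function name `Get-AutorunEntry` and the baseline file name are this example's own; `hosts.txt` is the same host list the PsExec version uses.

```powershell
# Added example (not part of the original repo): autorun key survey over WinRM.
# Assumes PowerShell Remoting is enabled on the targets and the caller is a local admin there.
$RunKeyPaths = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    param(
        # e.g. (Get-Content .\hosts.txt), one host per line like the PsExec version
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    # The unary-comma wrapper passes the whole array as one argument to the remote script block
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$RunKeyPaths) -ScriptBlock {
        param([string[]]$paths)

        # HKU: is not a default PowerShell drive; map it so loaded user hives can be read by SID
        if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
            New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
        }

        # HKLM plus every domain/local user hive (S-1-5-21-...) that is currently loaded; skip the _Classes hives
        $roots = @('HKLM:')
        $roots += Get-ChildItem -Path HKU: |
                  Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
                  ForEach-Object { "HKU:\$($_.PSChildName)" }

        foreach ($root in $roots) {
            foreach ($path in $paths) {
                $key = "$root\$path"
                # Wow6432Node is absent on 32-bit hosts and Winlogon may be absent under a user hive
                if (-not (Test-Path -Path $key)) { continue }
                $item = Get-Item -Path $key
                foreach ($valueName in $item.GetValueNames()) {
                    [pscustomobject]@{
                        Key     = $key
                        Name    = $valueName
                        Command = $item.GetValue($valueName)
                    }
                }
            }
        }
    }
}

# Usage: survey once and keep the result as a baseline, then later report only what changed.
# Invoke-Command adds PSComputerName to every object it returns, so the host is part of each row.
# Get-AutorunEntry -ComputerName (Get-Content .\hosts.txt) |
#     Select-Object PSComputerName, Key, Name, Command |
#     Export-Csv .\autorun-baseline.csv -NoTypeInformation
#
# $now = Get-AutorunEntry -ComputerName (Get-Content .\hosts.txt) | Select-Object PSComputerName, Key, Name, Command
# Compare-Object (Import-Csv .\autorun-baseline.csv) $now -Property PSComputerName, Key, Name, Command
```

Rows that appear with `=>` in the Compare-Object output are autorun entries that did not exist at baseline time; `<=` marks entries that have been removed since.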
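The four audit scripts above (createdUserDetect, newSchtaskAudit, newServicesAudit, registryChangeAudit) each query one event ID and dump it with Format-List. The following added example, which is not code from the repository, folds them into one function that also extracts the useful fields from each event's XML (who did it, which task/service/value), so the result can be sorted, filtered and exported. The event IDs, log names and EventData field names are those Windows actually writes; the function name `Get-RecentAuditEvent`, its parameters and the `$AuditEventTypes` table are this example's own.

```powershell
# Added example (not part of the original repo): one audit query for the event IDs
# the separate scripts above look for, with the interesting EventData fields pulled out.
$AuditEventTypes = @{
    # 4720 needs "Audit User Account Management" (on by default on domain controllers)
    UserCreated   = @{ LogName = 'Security'; Id = 4720; Fields = 'SubjectUserName', 'TargetUserName' }
    # 4698 needs "Audit Other Object Access Events" enabled
    ScheduledTask = @{ LogName = 'Security'; Id = 4698; Fields = 'SubjectUserName', 'TaskName' }
    # 7045 is always written by the Service Control Manager
    Service       = @{ LogName = 'System';   Id = 7045; Fields = 'ServiceName', 'ImagePath', 'AccountName' }
    # 4657 needs "Audit Registry" enabled and a SACL on the key being changed
    RegistryValue = @{ LogName = 'Security'; Id = 4657; Fields = 'SubjectUserName', 'ObjectName', 'ObjectValueName', 'OperationType' }
}

function Get-RecentAuditEvent {
    [CmdletBinding()]
    param(
        # Defaults to the local machine; pass (Get-ADComputer -Filter *).Name to sweep the domain
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [ValidateSet('UserCreated', 'ScheduledTask', 'Service', 'RegistryValue')]
        [string[]]$EventType = @('UserCreated', 'ScheduledTask', 'Service', 'RegistryValue'),
        [int]$Hours = 3
    )
    $since = (Get-Date).AddHours(-$Hours)   # a negative offset walks back in time

    foreach ($computer in $ComputerName) {
        foreach ($type in $EventType) {
            $spec   = $AuditEventTypes[$type]
            $filter = @{ LogName = $spec.LogName; Id = $spec.Id; StartTime = $since }
            try {
                $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
            }
            catch {
                # Get-WinEvent throws when nothing matches; that is an empty result, not a failure
                if ($_.Exception.Message -notmatch 'No events were found') {
                    Write-Warning "${computer}/${type}: $($_.Exception.Message)"
                }
                continue
            }

            foreach ($event in $events) {
                # EventData/Data elements are addressed by their Name attribute
                $xml  = [xml]$event.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

                $row = [ordered]@{
                    ComputerName = $computer
                    EventType    = $type
                    TimeCreated  = $event.TimeCreated
                }
                foreach ($field in $spec.Fields) { $row[$field] = $data[$field] }
                [pscustomobject]$row
            }
        }
    }
}

# Usage: new tasks and services on every domain computer in the last 3 hours, one row per event
# Get-RecentAuditEvent -ComputerName (Get-ADComputer -Filter *).Name -EventType ScheduledTask, Service -Hours 3 |
#     Sort-Object TimeCreated | Format-Table -AutoSize
```

Because every row is an object rather than formatted text, the output can be piped to `Export-Csv` for a competition log or to `Where-Object` to drop known-good service names or task paths.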
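wmiDetect.ps1 prints only the `Path` of each binding, which is not enough to tell what a subscription such as the one cmdeveryminute.mof or processTopayload.mof creates actually does. The added example below, which is not code from the repository, resolves each binding to its filter and consumer and shows the WQL query next to the consumer's command line, then removes a named subscription. It uses the CIM cmdlets (`Get-CimInstance`, `Remove-CimInstance`, Windows PowerShell 3.0 and later, WinRM for remote hosts); the function names `Get-WmiSubscription` and `Remove-WmiSubscription` and the host name `HOST1` in the usage lines are this example's own.

```powershell
# Added example (not part of the original repo): inspect and remove permanent WMI event subscriptions.
function Get-WmiSubscription {
    [CmdletBinding()]
    param(
        # Defaults to the local machine; pass (Get-ADComputer -Filter *).Name to sweep the domain
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $cim = @{ Namespace = 'root\subscription'; ComputerName = $computer; ErrorAction = 'Stop' }
        try {
            $bindings = @(Get-CimInstance @cim -ClassName __FilterToConsumerBinding)
        }
        catch {
            Write-Warning "${computer}: $($_.Exception.Message)"   # host off, WinRM disabled, access denied
            continue
        }

        foreach ($binding in $bindings) {
            # Filter and Consumer are object references that carry only the key (Name); resolve both
            $filterName    = $binding.Filter.Name
            $consumerName  = $binding.Consumer.Name
            $consumerClass = $binding.Consumer.CimClass.CimClassName

            $filter   = Get-CimInstance @cim -ClassName __EventFilter | Where-Object Name -eq $filterName
            $consumer = Get-CimInstance @cim -ClassName $consumerClass | Where-Object Name -eq $consumerName

            # Each consumer class keeps its payload in a different property
            $payload = switch ($consumerClass) {
                'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
                'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName } }
                default                     { "(inspect the $consumerClass instance)" }
            }

            [pscustomobject]@{
                ComputerName  = $computer
                FilterName    = $filterName
                Query         = $filter.Query
                ConsumerClass = $consumerClass
                ConsumerName  = $consumerName
                Payload       = $payload
            }
        }
    }
}

function Remove-WmiSubscription {
    # Deletes the binding (which alone stops the subscription firing), then the filter and the consumer
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName,
        [string]$ConsumerClass = 'CommandLineEventConsumer'
    )
    $cim = @{ Namespace = 'root\subscription'; ComputerName = $ComputerName; ErrorAction = 'Stop' }

    $binding  = Get-CimInstance @cim -ClassName __FilterToConsumerBinding |
                Where-Object { $_.Filter.Name -eq $FilterName -and $_.Consumer.Name -eq $ConsumerName }
    $filter   = Get-CimInstance @cim -ClassName __EventFilter  | Where-Object Name -eq $FilterName
    $consumer = Get-CimInstance @cim -ClassName $ConsumerClass | Where-Object Name -eq $ConsumerName

    foreach ($instance in @($binding; $filter; $consumer) | Where-Object { $_ }) {
        $what = "remove $($instance.CimClass.CimClassName) $($instance.Name)"
        if ($PSCmdlet.ShouldProcess($ComputerName, $what)) {
            $instance | Remove-CimInstance
        }
    }
}

# Usage: sweep the domain, then remove the subscription an imported processTopayload.mof leaves behind.
# -WhatIf shows the three deletions without performing them; drop it to clean up.
# Get-WmiSubscription -ComputerName (Get-ADComputer -Filter *).Name | Format-Table -AutoSize
# Remove-WmiSubscription -ComputerName HOST1 -FilterName StartFilterProcess -ConsumerName ProcExpStart -WhatIf
```

On a clean host the sweep normally returns nothing or only a binding from a known management product, so any row whose Payload points at cmd.exe, a script or a file in a user-writable path is worth a closer look.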