Alex Verboon alexverboon
alexverboon
/ win10versiondistribution.kql
Created
January 26, 2021 23:25
KQL_Windows10versiondistribution
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Windows 10 versions https://docs.microsoft.com/en-us/windows/release-information/ | |
| DeviceInfo | |
| | where isnotempty( OSPlatform) and OSPlatform == "Windows10" | |
| | summarize arg_max(Timestamp,*) by DeviceId | |
| | extend Version = case( | |
| OSBuild == "19041","2004", | |
| OSBuild == "19042","20H2", | |
| OSBuild == "18363","1909", | |
| OSBuild == "18362","1903", | |
| OSBuild == "17763","1809", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # run the modified mfa info gathering script stored here | |
| # https://gist.github.com/alexverboon/f8fd3300dcf999e1a5f5554cad05030d | |
| $mfa = .\MfaAuthMethodsAnalysis.ps1 -TenantId <TENANT ID> | |
| $MFA_Inactive = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0}) | |
| $MFA_Active = @( $MFA | Where-Object {$_.MfaAuthMethodCount -gt 0}) | |
| $MFA_Inactive_NoLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $False}) | |
| $MFA_Active_NoLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $False}) | |
| $MFA_InActive_HasLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -eq 0 -and $_.IsLicensed -eq $true}) | |
| $MFA_Active_HasLicense = @($MFA | Where-Object {$_.MfaAuthMethodCount -gt 0 -and $_.IsLicensed -eq $true}) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ########################################################################################################## | |
| ########################################################################################################## | |
| <# | |
| .SYNOPSIS | |
| Analyses Azure AD users to make recommendations on how to improve their MFA stance. | |
| .DESCRIPTION |
alexverboon
/ CI_AsrPersistenceThroughWmi_Remediation.ps1
Created
October 29, 2020 21:40
CI_AsrPersistenceThroughWmi_Remediation.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| CI_AsrPersistenceThroughWmi_Remediation | |
| .DESCRIPTION | |
| Script for Configuration Manager - Configuration Item | |
| CI_AsrPersistenceThroughWmi_Remediation configures the Rule Block persistence through WMI event subscription in Block mode | |
| .NOTES | |
| v1.0, 28.10.2020, alex verboon |
alexverboon
/ CI_AsrPersistenceThroughWmi_Discovery.ps1
Created
October 29, 2020 21:40
CI_AsrPersistenceThroughWmi_Discovery
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| CI_AsrPersistenceThroughWmi_Discovery | |
| .DESCRIPTION | |
| Script for Configuration Manager - Configuration Item | |
| CI_AsrPersistenceThroughWmi_Discovery checks if the Defender ASR Rule Block persistence through WMI event subscription is configured to Block or Warn | |
| .NOTES |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Query for Microsoft Defender 365 - exploring devicenetwork info. Identify Wi-Fi hotspots, DHCP servers, DNS servers etc. | |
| DeviceNetworkInfo | |
| | where Timestamp > ago (30d) | |
| // | where DeviceName contains "ADD YOUR COMPUTERNAME HERE" | |
| | where NetworkAdapterStatus contains "Up" | |
| | extend NetworkName = tostring(parse_json(ConnectedNetworks)[0].Name) | |
| | extend Description = tostring(parse_json(ConnectedNetworks)[0].Description) | |
| | extend IsConnectedToInternet = tostring(parse_json(ConnectedNetworks)[0].IsConnectedToInternet) | |
| | extend Category = tostring(parse_json(ConnectedNetworks)[0].Category) | |
| | extend Dns1 = tostring(parse_json(DnsAddresses)[0]) |
alexverboon
/ Set-JumpHostDefenderConfiguration.ps1
Created
October 10, 2020 10:18
Set-JumpHostDefenderConfiguration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Set-JumpHostDefenderConfiguration | |
| { | |
| <# | |
| .Synopsis | |
| Set-JumpHostDefenderConfiguration | |
| .DESCRIPTION | |
| Set-JumpHostDefenderConfiguration configures the following Defender Security settings for JumpHosts that are not | |
| managed by Intune |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # convert service types | |
| $sku_lookup1 = @{ | |
| 1 ="KernelDriver" | |
| 2 = "FileSystemDriver" | |
| 4 ="Adapter" | |
| 8 = "RecognizerDriver" | |
| 16= "Win32OwnProcess" | |
| 32 ="Win32ShareProcess" | |
| 48 = "Win32" |
alexverboon
/ ignitesessionfinder.ps1
Last active
November 26, 2021 20:03
PowerShell session finder for Ignite and video hub
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # video hub: https://techcommunity.microsoft.com/t5/video-hub/bd-p/VideoHub | |
| # Ignite API: - https://api.myignite.microsoft.com/api/session/all | |
| $ALLSESSIONS = Invoke-WebRequest -Uri "https://api.myignite.microsoft.com/api/session/all" | |
| $sessions = $ALLSESSIONS | ConvertFrom-Json; | |
| # Solution Areas | |
| $sessions | Select-Object -ExpandProperty SolutionArea | Group-Object | Select-Object Name | Sort-Object -Property Name | |
| # Search Samples |
alexverboon
/ localgroupmembershipchanges.kql
Created
September 6, 2020 08:14
Hunting for local group membership changes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let ADAZUsers = IdentityInfo | |
| | extend DirectoryDomain = AccountDomain | |
| | extend DirectoryAccount = AccountName | |
| | distinct DirectoryDomain , DirectoryAccount , OnPremSid , CloudSid, AccountUpn, GivenName, Surname; | |
| // check for any new created or modified local accounts | |
| let NewUsers = DeviceEvents | |
| | where ActionType contains "UserAccountCreated" // or ActionType contains "UserAccountModified" | |
| | extend lUserAdded = AccountName | |
| | extend NewUserSID = AccountSid | |
| | extend laccountdomain = AccountDomain |