Alex Verboon alexverboon
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // define known tasks | |
| let knowntasks = dynamic (["Windows Defender Cleanup", | |
| "Windows Defender Scheduled Scan", | |
| "Windows Defender Verification", | |
| "Windows Defender Cache Maintenance", | |
| @"\MicrosoftEdgeUpdateBrowserReplacementTask", | |
| @"\MicrosoftEdgeUpdateTaskMachineUA", | |
| @"\MicrosoftEdgeUpdateBrowserReplacementTask", | |
| @"\MicrosoftEdgeUpdateTaskMachineCore", | |
| @"\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function New-KQPSModuleFunctions | |
| { | |
| <# | |
| .Synopsis | |
| New-KQPSModulecmdlets | |
| .DESCRIPTION | |
| New-KQPSModulecmdlets creates kusto query to search for PowerShell commands | |
| included in the specified PowerShell module name | |
| .PARAMETER ModuleName | |
| The name of the PowerShell module |
alexverboon
/ T1089 - Disabling Security Tools - sc.kql
Created
May 31, 2020 11:13
T1089 - Disabling Security Tools - using sc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // T1089 - Disabling Security Tools | |
| // https://attack.mitre.org/techniques/T1089/ | |
| search in (DeviceProcessEvents) | |
| FileName == "sc.exe" | |
| | where ProcessCommandLine has_any ("stop Wuauserv","stop WinDefend","stop wscsvc","stop mpssvc" ,"stop Sense","stop WdNisSvc","stop DiagTrack","stop gpsvc") | |
| | extend SecurityTool = iff(ProcessCommandLine contains "stop wuauserv","Windows Update" | |
| ,iff(ProcessCommandLine contains "stop WinDefend","Windows Defender",iff(ProcessCommandLine contains "stop wscsvc", "Defender Security Center" | |
| ,iff(ProcessCommandLine contains "stop mpssvc","Defender Firewall",iff(ProcessCommandLine contains "stop WdNisSvc","Defender Antivirus Network Inspection" | |
| ,iff(ProcessCommandLine contains "stop diagtrack","Telemetry",iff(ProcessCommandLine contains "stop gpsvc","Group Policy" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Check if Hawk is installed | |
| If(!(Get-Module "Hawk")) | |
| { | |
| Install-Module -Name "Hawk" -scope CurrentUser | |
| } | |
| Else | |
| { | |
| Write-Output "Hawk Module is already installed" | |
| } |
alexverboon
/ TestDL.ps1
Last active
June 2, 2020 07:22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-host "I was just downloaded" | |
| Function RunMe{ | |
| Param( | |
| $Param1 | |
| ) | |
| write-host "And executed with $Param1" | |
| pause | |
| } |
alexverboon
/ TestDL.ps1
Created
May 21, 2020 16:15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-host "I was just downloaded" | |
| Param( | |
| $Param1 | |
| ) | |
| write-host "And executed with $Param1" | |
| pause |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-host "I was just downloaded" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Start-MDATPAnalyzer{ | |
| <# | |
| .Synopsis | |
| Start-MDATPAnalyzer | |
| .DESCRIPTION | |
| Start-MDATPAnalyzer downloads and then runs the Microsoft Defender Connectivity Analyzer tool referenced here: | |
| https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#verify-client-connectivity-to-microsoft-defender-atp-service-urls | |
| .PARAMETER TargetPath | |
| Location where MDATP Analyzer will be downloaded and executed from. | |
| .NOTES |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Validate-DkimConfig | |
| { | |
| [cmdletbinding()] | |
| Param( | |
| [parameter(Mandatory=$false)] | |
| [string]$domain, | |
| [parameter(Mandatory=$false)] | |
| [switch]$showAll | |
| ) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-AzMFADeploymentStats | |
| <# | |
| .Synopsis | |
| Get-AzMFADeploymentStats | |
| .DESCRIPTION | |
| Get-AzMFADeploymentStats retrieves the MFA registration information from all users in the | |
| Tenant and summarizes the results by MFA Authentication mode. | |
| .EXAMPLE | |
| Get-AzMFADeploymentStats |