jfrantz1-r7

function Enable-PSTranscription
{
    [CmdletBinding()]
    param(
        $OutputDirectory,
        [Switch] $IncludeInvocationHeader
    )

    ## Ensure the base path exists
    $basePath = “HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription”

jfrantz1-r7

md c:\Transcripts

## Kill all inherited permissions
$acl = Get-Acl c:\Transcripts
$acl.SetAccessRuleProtection($true, $false)

## Grant Administrators full control
$administrators = [System.Security.Principal.NTAccount] “Administrators”
$permission = $administrators,“FullControl”,“ObjectInherit,ContainerInherit”,“None”,“Allow”
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

jfrantz1-r7

function Enable-PSScriptBlockLogging
{
    $basePath = “HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging”

    if(-not (Test-Path $basePath))
    {
        $null = New-Item $basePath -Force
    }
    
    Set-ItemProperty $basePath -Name EnableScriptBlockLogging -Value “1”

jfrantz1-r7

function Enable-ProtectedEventLogging
{
    param(
        [Parameter(Mandatory)]
        $Certificate
    )

    $basePath = “HKLM:\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging”
    if(-not (Test-Path $basePath))
    {

jfrantz1-r7

$String = ‘Really malicious code that will blow your computer up’
$GetBytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedString =[Convert]::ToBase64String($Bytes)
$EncodedString

jfrantz1-r7

SELECT count(da.asset_id) as asset_count, ds.vendor, ds.name as software_name,  ds.family, ds.version
FROM dim_asset_software das
  JOIN dim_software ds using (software_id)
  JOIN dim_asset da on da.asset_id = das.asset_id
GROUP BY ds.vendor, ds.name, ds.family, ds.version, ds.cpe
ORDER BY asset_count DESC

jfrantz1-r7

SELECT da.ip_address, da.host_name, ds.vendor, ds.name as software_name,  ds.family, ds.version
FROM dim_asset_software das
 JOIN dim_software ds using (software_id)
 JOIN dim_asset da on da.asset_id = das.asset_id
WHERE ds.name like 'Firefox'

jfrantz1-r7

with assets_vulns as (

SELECT

fasv.asset_id,

fasv.vulnerability_id,

baselineComparison (fasv.scan_id, current_scan) AS baseline,

jfrantz1-r7

vulnerability.categories NOT IN ["Zip", "Adobe", "Adobe Acrobat/Reader", "Adobe AIR", "Adobe ColdFusion", "Adobe Digital Editions", "Adobe Flash", "Adobe Shockwave", "Alpine Linux", "Anti-Virus", "Apache", "Apache HTTP Server", "Apache Struts", "Apache Tomcat", "Apple", "Apple iOS", "Apple iTunes", "Apple Java", "Apple Mac OS X", "Apple QuickTime", "Apple Safari", "Backdoor", "Backup", "Beanbag Review Board", "Browsers", "Canonical", "CentOS", "CGI", "Check Point", "Check Point Firewall", "Cisco", "Cisco ASA", "Cisco AsyncOS", "Cisco IOS", "Cisco IronPort", "Cisco NX-OS", "Cisco PIX", "Cisco SAN-OS", "Cisco TelePresence", "Cisco UCS", "Citect", "Citrix", "Citrix XenDesktop", "Conexant Systems", "Custom Web Application", "Debian Linux", "Default Account", "EulerOS", "Exim", "F", "F BIG-IP", "Fedora", "Fedora Core Linux", "FFmpeg", "Finger", "Fortinet", "Fortinet FortiAnalyzer", "Fortinet FortiGate", "Fortinet FortiManager", "Fortinet FortiOS", "FreeBSD", "Game", "General Remote Services", "Gentoo Linux", "Goog

jfrantz1-r7

WITH remediations AS (

    SELECT DISTINCT fr.solution_id AS ultimate_soln_id, summary, fix, estimate, riskscore, dshs.solution_id AS solution_id

    FROM fact_remediation(10,'riskscore DESC') fr

    JOIN dim_solution ds USING (solution_id)

    JOIN dim_solution_highest_supercedence dshs ON (fr.solution_id = dshs.superceding_solution_id AND ds.solution_id = dshs.superceding_solution_id)