Friday, September 20, 2024

PowerShell: Read Windows event log remotely and write to CSV

# Reads events matching the filter from a remote computer and exports them to CSV

$Date = (Get-Date).AddMinutes(-30)
$LogName = 'Security'
$ProviderName = "Microsoft-Windows-Security-Auditing"
$EventID = 6273
$computer = "server.microsoft.com"

Write-Output "Searching $computer"

$Events = Get-WinEvent -ComputerName $computer -FilterHashtable @{
    LogName = $LogName
    ProviderName = $ProviderName
    Id = $EventID
    StartTime = $Date
}

$report = @()

$Events | ForEach-Object -Process {
    # EventData is a list of <Data Name="..."> elements; turn it into name/value pairs
    [xml]$ConvertedFromXML = $_.ToXml()
    $params = [ordered]@{}   # ordered, so the CSV columns keep the event's field order

    foreach ($entry in $ConvertedFromXML.Event.EventData.Data) {
        $name = $entry.Name
        $Value = $entry.'#text'
        $params[$name] = $Value
    }

    $report += [pscustomobject]$params
}

$report | Export-Csv -NoTypeInformation -Path "C:\Temp\Events.csv"

Tuesday, August 15, 2023

Bypass for websites that disable right click and highlighting

Using Google Chrome or MS Edge:

Disable JavaScript after the page has loaded
1. Open the console in dev tools
2. Press ctrl - alt - p
3. In the run dialog box, type in javascript and select "Disable JavaScript"

Disable CSS from loading
1. Open the console in dev tools
2. Press ctrl - alt - p
3. In the run dialog box, type in "Network request blocking"
4. On the drawer that appears, check "Enable Network request blocking"
5. Click the plus button and add a pattern
6. Type in the pattern "*.css"

Tuesday, June 20, 2023

PowerShell - Microsoft Graph reports - Get MFA status of users

Requires an App Registration to be set up with the proper API permissions, and a self-signed certificate for authenticating to it.


Import-Module Microsoft.Graph.Reports
Select-MgProfile -Name "beta"

$TenantId = "XXXXX"
$AppId = "XXXXX"

# Certificate-based sign-in to the App Registration
Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint "XXXXXXX"

$report = Get-MgReportCredentialUserRegistrationDetail -All

# Flatten the AuthMethods collection to a comma-separated string so it exports cleanly
$report |
    Select-Object UserPrincipalName, UserDisplayName, IsCapable, IsEnabled, IsMfaRegistered, IsRegistered,
        @{Name = "AuthMethods"; Expression = { $_.AuthMethods -join "," }} |
    Export-Csv -NoTypeInformation -Path "c:\reports\MFA - MFA Audit Logs.csv"

Disconnect-MgGraph

Thursday, June 1, 2023

Custom View for Events NTLMv1 on a DC

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='LmPackageName']='NTLM V1']]</Select>
  </Query>
</QueryList>
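
Added example, not part of the original post: the same query run from PowerShell with Get-WinEvent -FilterXml, summarising which accounts and source hosts still authenticate with NTLMv1 so they can be fixed before NTLMv1 is disabled. The 24-hour look-back window and the variable names are assumptions; run it elevated on the DC.

```powershell
# Added example: run the custom-view query from PowerShell and summarise NTLMv1 logons.
$windowMs = 24 * 60 * 60 * 1000   # assumed look-back window, in milliseconds

# Same XPath as the custom view, plus a time bound so the query stays cheap on a busy DC.
# "<" must be written as &lt; because the filter is parsed as XML.
$filter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]
        and EventData[Data[@Name='LmPackageName']='NTLM V1']]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent writes an error when nothing matches, so suppress it and test for empty.
$events = Get-WinEvent -FilterXml $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No NTLMv1 logons found in the look-back window."
}
else {
    $logons = foreach ($e in $events) {
        # Index the event's <Data Name="..."> elements by name
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Workstation = $data.WorkstationName
            SourceIP    = $data.IpAddress
            LogonType   = $data.LogonType
        }
    }

    # One row per account / workstation / source IP, most frequent first
    $logons | Group-Object Account, Workstation, SourceIP |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
```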

Friday, March 17, 2023

PowerShell: Get all DNS records from AD DNS

# Load the DNS Server module
Import-Module DnsServer

# Set the output folder
$outputFolder = "C:\temp\Final"
$DNSServer = "DNSServer.com"

# Get all DNS zones
$zones = Get-DnsServerZone -ComputerName $DNSServer

# Loop through each zone and export its records to a separate CSV file
foreach ($zone in $zones) {
    $records = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ComputerName $DNSServer |
        Select-Object HostName, RecordType, Type, Timestamp, TimeToLive,
            @{n = 'Data'; e = {
                $rr = $_
                # Pick the RecordData property that matches the record type
                switch ($rr.RecordType) {
                    'A'     {$rr.RecordData.IPv4Address}
                    'CNAME' {$rr.RecordData.HostnameAlias}
                    'NS'    {$rr.RecordData.NameServer}
                    'SOA'   {$rr.RecordData.PrimaryServer}
                    'SRV'   {$rr.RecordData.DomainName}
                    'PTR'   {$rr.RecordData.PtrDomainName}
                    'MX'    {$rr.RecordData.MailExchange}
                    'AAAA'  {$rr.RecordData.IPv6Address}
                    'TXT'   {$rr.RecordData.DescriptiveText}
                }
            }}
    $outputFile = "$outputFolder\$($zone.ZoneName).csv"

    $records | Export-Csv -NoTypeInformation -Path $outputFile
}

# Output confirmation message
Write-Host "DNS records exported to $outputFolder."

Thursday, February 2, 2023

PowerShell: AD DHCP scope information

Needed a script to export the DHCP scope and scope ID for a domain.


  
$report = @()
$DHCPServer = "DHCPServerHostname"
$scopes = Get-DhcpServerv4Scope -ComputerName $DHCPServer

foreach ($scope in $scopes) {
    $scopeID = $scope.ScopeId
    # Tag each option value with the scope it belongs to
    $report += Get-DhcpServerv4OptionValue -ScopeId $scopeID -ComputerName $DHCPServer |
        Select-Object @{name="ScopeID";e={$scopeID}}, OptionID, Name, Type, @{Name="Value";e={$_.Value -join ";"}}
}

$report | Export-Csv -NoTypeInformation -Path "c:\temp\DHCPScopeIDwithOption.csv"
$scopes | Export-Csv -NoTypeInformation -Path "c:\temp\DHCPScopeIDwithMask.csv"

Monday, August 9, 2021

PowerShell - Extract ADFS certificates from ADFS server

Wrote a script so people can specify the ADFS server, and the signing and encryption certificates will be extracted to two files stored in c:\temp.


# Just put in the ADFS server name
$AdfsServer = 'adfs.microsoft.com'

# Download the federation metadata document published by the ADFS server
[xml]$XmlDocument = (New-Object System.Net.WebClient).DownloadString("https://$AdfsServer/FederationMetadata/2007-06/FederationMetadata.xml")

# Key descriptors from the metadata: the use (signing or encryption) and the base64 X.509 data
$Cert = $XmlDocument.entitydescriptor.roledescriptor.keydescriptor | Select-Object Use, @{Name="x509"; Expression={(($_.keyinfo).X509data).x509certificate}}

# Signing cert
$Cert | Where-Object {$_.Use -eq "signing"} | Select-Object -ExpandProperty x509 | Out-File c:\temp\Signcert.cer

# Encryption cert
$Cert | Where-Object {$_.Use -eq "encryption"} | Select-Object -ExpandProperty x509 | Out-File c:\temp\Encryptioncert.cer

$Cert