Sunday, March 30, 2025

KQL - Group Object Audits ADDS

This is a KQL query written for Azure Sentinel. Its purpose is to search the Active Directory Domain Services security events for the event IDs related to group objects (membership changes and group creation or deletion).

SecurityEvent
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757, 4727, 4730, 4731, 4734) // Add or remove from group, create or delete group
| extend 
    Action = case(
        EventID == 4728, "Added to Global Group",
        EventID == 4729, "Removed from Global Group",
        EventID == 4732, "Added to Local Group",
        EventID == 4733, "Removed from Local Group",
        EventID == 4756, "Added to Universal Group",
        EventID == 4757, "Removed from Universal Group",
        EventID == 4727, "Created a Security-Enabled Global Group",
        EventID == 4730, "Deleted a Security-Enabled Global Group",
        EventID == 4731, "Created a Security-Enabled Local Group",
        EventID == 4734, "Deleted a Security-Enabled Local Group",
        "Unknown Action"
    ),
    Initiator = coalesce(tostring(SubjectUserName), tostring(AccountName), "Unknown Initiator")
| summarize 
    FirstOccurrence = min(TimeGenerated)    
    by Action, TargetGroup = TargetAccount, Initiator, Domain = TargetDomainName, MemberName, EventID
| project FirstOccurrence, Action, Initiator, Domain, TargetGroup, MemberName, EventID

PowerShell - Search Azure/Entra AD for the current status of accounts by employeeID using Graph batch requests

Graph is a pain to work with if you are like me and just a scripter.

Takes a list of employee IDs via the $employeeIds variable
Queries Azure AD via Microsoft Graph in batches of 20
Retrieves userPrincipalName, employeeId, accountEnabled and lastPasswordChangeDateTime
Outputs the results to the console and to a CSV file

Connect-MgGraph -Scopes "User.Read.All"

# Employee IDs to look up, one per line under the EMPID header
$employeeIds = @"
EMPID
0000001
"@ | ConvertFrom-Csv

# Force an array: with a single ID, .EMPID returns a bare string and $employeeIds[0] would index its first character
$employeeIds = @($employeeIds.EMPID)

# Create batch request body
$batchRequests = @()
$batchSize = 20  # Microsoft Graph allows up to 20 requests per batch
$idCounter = 1

for ($i = 0; $i -lt $employeeIds.Count; $i++) {
    $request = @{
        "id"     = "$idCounter"
        "method" = "GET"
        "url"    = "/users?`$filter=employeeId eq '$($employeeIds[$i])'&`$select=userPrincipalName,employeeId,accountEnabled,lastPasswordChangeDateTime"
    }
    $batchRequests += $request
    $idCounter++
}

# Split into batches of 20 (the Microsoft Graph $batch limit)
$batchedResults = @()
for ($i = 0; $i -lt $batchRequests.Count; $i += $batchSize) {
    $batchEnd = [Math]::Min($i + $batchSize, $batchRequests.Count)
    # @() keeps "requests" a JSON array even when the last batch holds a single request
    $currentBatch = @($batchRequests[$i..($batchEnd - 1)])

    $batchBody = @{
        "requests" = $currentBatch
    } | ConvertTo-Json -Depth 10

    # Send batch request
    $response = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/`$batch" -Body $batchBody

    # Process responses; each sub-request carries its own status (e.g. 429 when throttled)
    foreach ($resp in $response.responses) {
        if ($resp.status -eq 200 -and $resp.body.value) {
            $batchedResults += $resp.body.value | Select-Object @{
                Name = "UserPrincipalName"; Expression = { $_.userPrincipalName }
            }, @{
                Name = "EmployeeID"; Expression = { $_.employeeId }
            }, @{
                Name = "AccountEnabled"; Expression = { $_.accountEnabled }
            }, @{
                Name = "LastPasswordChangeDateTime"; Expression = { $_.lastPasswordChangeDateTime }
            }
        }
        elseif ($resp.status -ne 200) {
            Write-Warning "Batch request $($resp.id) failed with status $($resp.status)"
        }
    }
}

# Results
$batchedResults | Format-Table -AutoSize
$batchedResults | Export-Csv -Path "C:\AzureAD_Employee_Search.csv" -NoTypeInformation

Friday, September 20, 2024

PowerShell: Read the Windows event log remotely and write it to CSV


# Reads the Security log on a remote computer using the filter below and exports the matching events to CSV

$Date = (Get-Date).AddMinutes(-30)
$LogName = 'Security'
$ProviderName = "Microsoft-Windows-Security-Auditing"
$EventID = 6273
$computer = "server.microsoft.com"

Write-Output "Searching $computer"

$Events = Get-WinEvent -ComputerName $computer -FilterHashtable @{
    LogName      = $LogName
    ProviderName = $ProviderName
    Id           = $EventID
    StartTime    = $Date
}

$report = @()

$Events | ForEach-Object -Process {
    # Flatten the EventData <Data Name="..."> elements into one property per field
    [xml]$ConvertedFromXML = $_.ToXml()
    $params = @{}

    foreach ($entry in $ConvertedFromXML.Event.EventData.Data) {
        $name = $entry.Name
        $Value = $entry.'#text'
        $params[$name] = $Value
    }

    $report += [pscustomobject]$params
}

$report | Export-Csv -NoTypeInformation -Path "C:\Temp\Events.csv"

Tuesday, August 15, 2023

Websites that disable right click and highlight bypass

Using Google Chrome or MS Edge:

Disable JavaScript after the page has loaded:
1. Open the console in dev tools
2. Press ctrl - alt - p
3. In the run dialog box type in "javascript" and select "Disable JavaScript"

Disable CSS from loading:
1. Open the console in dev tools
2. Press ctrl - alt - p
3. In the run dialog box type in "Network request blocking"
4. On the drawer that appears check "Enable Network request blocking"
5. Click the plus button to add a pattern
6. Type in the pattern "*.css"

Tuesday, June 20, 2023

PowerShell - Microsoft Graph reports - Get the MFA status of users

Requires an App Registration to be set up with the proper API permissions and a self-signed certificate for authenticating to it.


Import-Module Microsoft.Graph.Reports

# Select-MgProfile exists in the Microsoft.Graph SDK v1.x; v2 dropped it and ships the beta cmdlets in the Microsoft.Graph.Beta.* modules instead
Select-MgProfile -Name "beta"

$TenantId = "XXXXX"
$AppId = "XXXXX"

Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint "XXXXXXX"

$report = Get-MgReportCredentialUserRegistrationDetail -All

$report |
    Select-Object UserPrincipalName, UserDisplayName, IsCapable, IsEnabled, IsMfaRegistered, IsRegistered,
        @{ Name = "AuthMethods"; Expression = { $_.AuthMethods -join "," } } |
    Export-Csv -NoTypeInformation -Path "c:\reports\MFA - MFA Audit Logs.csv"

Disconnect-MgGraph

Thursday, June 1, 2023

Custom View for Events NTLMv1 on a DC

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='LmPackageName']='NTLM V1']]</Select>
  </Query>
</QueryList>
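Added example, not part of the original post: the same XPath filter run from PowerShell against a DC, then summarized into a per-account, per-source list of remaining NTLMv1 logons, which is the worklist for remediation. The DC name is a placeholder and the account running it needs read access to the DC's Security log.

```powershell
# Added example: inventory NTLMv1 logons on a DC using the custom view's filter
$dc = "DC01.example.local"   # placeholder DC name, adjust for your environment

$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='LmPackageName']='NTLM V1']]</Select>
  </Query>
</QueryList>
"@

# -ErrorAction SilentlyContinue suppresses the "No events were found" error on a clean DC
$events = Get-WinEvent -ComputerName $dc -FilterXml $filterXml -ErrorAction SilentlyContinue

$rows = foreach ($evt in $events) {
    # Flatten EventData <Data Name="..."> elements into a hashtable, as in the event log post above
    [xml]$x = $evt.ToXml()
    $d = @{}
    foreach ($entry in $x.Event.EventData.Data) { $d[$entry.Name] = $entry.'#text' }
    [pscustomobject]@{
        TimeCreated   = $evt.TimeCreated
        TargetUser    = "$($d.TargetDomainName)\$($d.TargetUserName)"
        SourceIp      = $d.IpAddress
        Workstation   = $d.WorkstationName
        LogonType     = $d.LogonType
        LmPackageName = $d.LmPackageName
    }
}

# One line per account/source pair with first and last sighting and a count
$rows | Group-Object TargetUser, SourceIp, Workstation |
    ForEach-Object {
        [pscustomobject]@{
            TargetUser  = $_.Group[0].TargetUser
            SourceIp    = $_.Group[0].SourceIp
            Workstation = $_.Group[0].Workstation
            Count       = $_.Count
            FirstSeen   = ($_.Group | Measure-Object TimeCreated -Minimum).Minimum
            LastSeen    = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
        }
    } | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it against each DC (or a forwarded Security log) before setting LmCompatibilityLevel to refuse NTLMv1, so that every source in the list is fixed first.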

Friday, March 17, 2023

PowerShell: Get all DNS records from AD DNS

# Load the DNS Server module
Import-Module DnsServer

# Set the output folder and the DNS server to query
$outputFolder = "C:\temp\Final"
$DNSServer = "DNSServer.com"   # quoted: an unquoted bare word is parsed as a command and fails
New-Item -ItemType Directory -Path $outputFolder -Force | Out-Null

# Get all DNS zones
$zones = Get-DnsServerZone -ComputerName $DNSServer

# Loop through each zone and export its records to a separate CSV file
foreach ($zone in $zones) {
    $records = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ComputerName $DNSServer |
        Select-Object HostName, RecordType, Type, Timestamp, TimeToLive,
            @{ n = 'Data'; e = {
                $rr = $_
                # RecordData is a type-specific object; pick the field that carries the value
                switch ($rr.RecordType) {
                    'A'     { $rr.RecordData.IPv4Address }
                    'CNAME' { $rr.RecordData.HostNameAlias }
                    'NS'    { $rr.RecordData.NameServer }
                    'SOA'   { $rr.RecordData.PrimaryServer }
                    'SRV'   { $rr.RecordData.DomainName }
                    'PTR'   { $rr.RecordData.PtrDomainName }
                    'MX'    { $rr.RecordData.MailExchange }
                    'AAAA'  { $rr.RecordData.IPv6Address }
                    'TXT'   { $rr.RecordData.DescriptiveText }
                }
            } }
    $outputFile = "$outputFolder\$($zone.ZoneName).csv"
    $records | Export-Csv -NoTypeInformation -Path $outputFile
}

# Output confirmation message
Write-Host "DNS records exported to $outputFolder."
