# Looking for an all-in-one solution?
# https://github.com/f-bader/EntraIDPasskeyHelper
Connect-MgGraph -UseDeviceAuthentication -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"
# Report endpoint (beta) filtered to users who registered a device-bound passkey
$NextUri = "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$filter=methodsRegistered/any(x:x eq 'passKeyDeviceBound')"
$ReturnValue = @()   # accumulates every page of results
do {
    $Result = Invoke-MgGraphRequest -Uri $NextUri
    $NextUri = $Result['@odata.nextLink']
    $ReturnValue += $Result['value']
} while ($NextUri)   # follow @odata.nextLink until the last page
<#
.SYNOPSIS
Generates a GUID from a given string value using MD5 hashing.
.PARAMETER Value
The string value to generate a GUID from.
.EXAMPLE
Get-Guid -Value "example string"
Returns a GUID generated from the string "example string".
#>
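The gist shows only the comment-based help; the following is an added implementation matching that help, not the gist's own code. MD5 produces exactly 16 bytes, the size of a GUID, so the digest maps onto `[guid]` directly. The output is deterministic (same string, same GUID) but MD5 is not collision resistant, so use the result as a stable identifier, never as a secret or security token.

```powershell
# Added example: deterministic GUID from a string via MD5 (not a gist file).
function Get-Guid {
    [CmdletBinding()]
    [OutputType([guid])]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Value
    )
    process {
        $md5 = [System.Security.Cryptography.MD5]::Create()
        try {
            # UTF-8 is an assumption; pick one encoding and keep it, or the
            # same string will map to different GUIDs on different hosts.
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($Value)
            $hash  = $md5.ComputeHash($bytes)   # always 16 bytes
            [guid]::new($hash)
        }
        finally {
            $md5.Dispose()
        }
    }
}

# Usage: both calls return the same GUID
Get-Guid -Value "example string"
"example string" | Get-Guid
```

The result is not an RFC 4122 version 3 UUID: that format also sets version and variant bits and hashes a namespace together with the name. If interoperability with other name-based UUID generators matters, set those bits before constructing the `[guid]`.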
// List all devices that have curl installed or use curl.
let ProcessBasedDevices = DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has "curl" and FileName != "SenseNdr.exe"
| extend Method = "Process"
| summarize by DeviceId, DeviceName, Method;
let TVMBasedDevices = DeviceTvmSoftwareInventory
| where SoftwareName has "curl"
| extend Method = "Software Inventory"
| project DeviceId, DeviceName, Method, SoftwareName, SoftwareVersion, SoftwareVendor;
// Combine both sources; rows found only through process activity have empty software columns
ProcessBasedDevices
| union TVMBasedDevices
| sort by DeviceName asc, Method asc
CveId
CVE-2018-13379
CVE-2021-34473
CVE-2021-31207
CVE-2021-34523
CVE-2021-40539
CVE-2021-26084
CVE-2021-44228
CVE-2022-22954
CVE-2022-22960
git branch | Select-String -NotMatch -Pattern "main" | % {$branch = $_ -replace '\s'; git branch -D $branch } |
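The one-liner above works on a clean checkout but has three sharp edges: `Select-String -Pattern "main"` is a substring match, so a branch such as `maintenance-fix` is also kept; the `* ` marker that `git branch` prints in front of the checked-out branch is stripped only as far as the whitespace goes, so a checked-out feature branch becomes `*feature` and the delete fails; and `-D` force-deletes without any preview. The function below is an added, hardened variant and is not the gist's code; the default list of protected branch names is an assumption.

```powershell
# Added example: safer local branch cleanup (not the gist's one-liner).
function Remove-LocalBranches {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Exact branch names that are never deleted (assumed defaults)
        [string[]]$Keep = @('main', 'master', 'develop')
    )
    # The checked-out branch cannot be deleted; resolve it once up front.
    $current = (git rev-parse --abbrev-ref HEAD).Trim()

    # Let git format the names so no "* " marker leaks into them.
    $branches = git branch --format='%(refname:short)' | ForEach-Object { $_.Trim() }

    foreach ($branch in $branches) {
        if ($branch -in $Keep -or $branch -eq $current) { continue }
        # -WhatIf prints the plan, -Confirm prompts per branch, -Confirm:$false just runs
        if ($PSCmdlet.ShouldProcess($branch, 'git branch -D')) {
            git branch -D $branch
        }
    }
}

# Preview first, then run for real
Remove-LocalBranches -WhatIf
Remove-LocalBranches -Confirm:$false
```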
OfficeActivity
| where TimeGenerated > ago(90d)
| where UserId has_any ("msftprotection","identityVerification","accountsVerification","azuresecuritycenter","teamsprotection") and UserId has "onmicrosoft"
| summarize by UserId
<#
CVE-2021-42287 - Authentication updates
CVE-2021-42278 - Active Directory Security Accounts Manager hardening changes
These updates introduced additional Event IDs to monitor.
Use this script to check every domain controller for those Event IDs.
#>
$EventIds = @{
    35 = "PAC without attributes"
    36 = "Ticket without a PAC"
    37 = "Ticket without Requestor"
}
## Find dangerous API permissions as a user
$AzureTenantID = '<Your tenant ID>'
$AccountName = '<Username>@<Domain.com>'
# Placeholder for a lab account; in practice prefer Get-Credential so the
# password never lands in a script file or shell history.
$Password = ConvertTo-SecureString '<Your password>' -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password)
Connect-AzAccount -Credential $Credential -TenantID $AzureTenantID
function Get-AzureGraphToken
{
    # The original function body is cut off on this page; this substitute
    # takes a Microsoft Graph token from the Az session opened above.
    (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
}
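The snippet above stops right after the token helper. The block below is an added example of the "dangerous API permissions" check itself and is not the gist's code: it lists every application role (app-only permission) granted on Microsoft Graph in the tenant and flags the ones that let the holder escalate to Global Administrator or grant themselves anything else. It assumes the `Connect-AzAccount` session from above, that the signed-in user is allowed to read service principals (the default unless an admin has restricted it), and that the list in `$Dangerous` is the set you care about; the Microsoft Graph application ID used in the filter is its well-known value.

```powershell
# Added example: enumerate app-only Graph permissions and flag the dangerous ones.
$raw = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
if ($raw -is [securestring]) {
    # Recent Az.Accounts releases return the token as a SecureString
    $raw = ConvertFrom-SecureString $raw -AsPlainText
}
$Headers = @{ Authorization = "Bearer $raw" }

# Follows @odata.nextLink so large tenants are read completely
function Invoke-GraphPaged {
    param([string]$Uri)
    do {
        $page = Invoke-RestMethod -Headers $Headers -Uri $Uri -Method Get
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# The Microsoft Graph service principal carries the appRoles list, which maps
# the appRoleId GUIDs found on assignments back to readable permission names.
$graphSp = Invoke-GraphPaged "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '00000003-0000-0000-c000-000000000000'" |
    Select-Object -First 1
$roleName = @{}
foreach ($r in $graphSp.appRoles) { $roleName[$r.id] = $r.value }

# Assumed list of permissions that amount to tenant takeover; extend as needed.
$Dangerous = @(
    'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All',
    'Directory.ReadWrite.All',
    'Application.ReadWrite.All'
)

# appRoleAssignedTo lists every principal holding an app role on this resource
$findings = Invoke-GraphPaged "https://graph.microsoft.com/v1.0/servicePrincipals/$($graphSp.id)/appRoleAssignedTo" |
    ForEach-Object {
        [pscustomobject]@{
            Principal   = $_.principalDisplayName
            PrincipalId = $_.principalId
            Permission  = $roleName[$_.appRoleId]
        }
    } |
    Where-Object { $_.Permission -in $Dangerous }

$findings | Sort-Object Permission, Principal | Format-Table -AutoSize
```

Any service principal in the output can be taken over by whoever controls its credentials, owners, or the app registration behind it, so each row is worth a follow-up on who owns that application and why it needs the permission.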
// Check Defender AV related health issues
// Microsoft Defender Antivirus is disabled - scid-2010
// Microsoft Defender Antivirus definitions are outdated - scid-2011
// Microsoft Defender Antivirus real-time behavior monitoring is disabled - scid-91
// Microsoft Defender Antivirus real-time protection is disabled - scid-2012
// Microsoft Defender Antivirus cloud service connectivity is impaired - scid-2014
DeviceTvmSecureConfigurationAssessmentKB
| where ConfigurationName contains "Defender"
| join kind=innerunique DeviceTvmSecureConfigurationAssessment on ConfigurationId
| where ConfigurationId in ("scid-2010","scid-2011","scid-2012","scid-91","scid-2014")
// Keep only devices that fail the check
| where IsCompliant == false
| project DeviceName, ConfigurationId, ConfigurationName, Timestamp
<#
KB5008380 - Authentication updates (CVE-2021-42287)
This update introduces additional Event IDs to monitor.
Use this script to check every domain controller for those Event IDs.
#>
$EventIds = @{
    # https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
    35 = "PAC without attributes"
    36 = "Ticket without a PAC"
    37 = "Ticket without Requestor"
}
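Both KB5008380 gists on this page end at the `$EventIds` table. The following is an added example of the collection step they describe, not the gists' own code: it asks every domain controller for the Kerberos KDC events listed and groups the hits per DC and Event ID. It assumes the ActiveDirectory RSAT module is present, that remote event log access to the DCs is allowed, and that the events are written to the System log by the provider `Microsoft-Windows-Kerberos-Key-Distribution-Center`; adjust the filter if your DCs log them elsewhere.

```powershell
# Added example: query all DCs for the KB5008380 hardening events.
$EventIds = @{
    35 = "PAC without attributes"
    36 = "Ticket without a PAC"
    37 = "Ticket without Requestor"
}

function Get-KdcHardeningEvent {
    param(
        [Parameter(Mandatory)][hashtable]$EventIds,
        [int]$Days = 7
    )
    # Assumed log location and provider name for these events
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = [int[]]$EventIds.Keys
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        DomainController = $dc.HostName
                        TimeCreated      = $_.TimeCreated
                        Id               = $_.Id
                        Meaning          = $EventIds[$_.Id]
                        # First line of the message names the account involved
                        Message          = ($_.Message -split "`n")[0]
                    }
                }
        }
        catch {
            # Get-WinEvent raises an error both when no event matched (the good
            # case) and when the DC is unreachable; surface the text and go on.
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# Summary per DC and Event ID over the last 30 days
Get-KdcHardeningEvent -EventIds $EventIds -Days 30 |
    Group-Object DomainController, Id |
    Select-Object Name, Count
```

A non-zero count for Event ID 36 or 37 means some client or service is still presenting tickets without the new PAC data; track those down before moving the KDC to Enforcement mode, because at that point they stop working.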