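#region Lab1 Baseline Processes
# Diff the running processes on every Win10 host against a known-good baseline
# keyed on (hash, path) and report only rows present on the host but absent
# from the baseline ("=>"). Rows with no path are dropped (presumably processes
# whose image could not be read - they cannot be matched by path/hash anyway).
# Assumes $creds (PSCredential) and Survey-Processes are already in scope.
$targets = Import-Csv .\Winhosts.csv | Where-Object {$_.os -eq "Win10"} | Select-Object -ExpandProperty IP
$compareArgs = @{
    ReferenceObject  = Import-Csv .\Win10BaselineProcs.csv   # trusted baseline: one row per (hash, path)
    DifferenceObject = $null                                  # filled per host inside the loop
    Property         = "hash","path"
    PassThru         = $true                                  # emit the survey object, not just the diff summary
}
# Single remote survey for every target; results are split per host below so
# one host's findings never mask another's.
$current = Survey-Processes -ComputerName $targets -Credential $creds
ForEach ($ip in $targets) {
    $hostRows = @($current |
        Where-Object {$_.pscomputername -eq $ip} |
        Sort-Object -Property hash,path -Unique)
    # A host with no survey rows was NOT checked (unreachable, auth failure, ...).
    # Surface that explicitly instead of letting Compare-Object fail on $null.
    if ($hostRows.Count -eq 0) {
        Write-Warning "No process survey data for $ip - host not compared against baseline"
        continue
    }
    $compareArgs.DifferenceObject = $hostRows
    # $null on the left keeps the test a scalar comparison even if .path were a collection.
    Compare-Object @compareArgs |
        Where-Object {$_.sideindicator -eq "=>" -and $null -ne $_.path}
}#end of foreach loop
#endregion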
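#region Lab1 Baseline Accounts
# Diff local accounts on EVERY host (no OS filter) against the account baseline
# by name and report accounts that exist on the host but not in the baseline
# ("=>"). Baselined accounts that are missing from a host ("<=") are deliberately
# not shown here. Assumes $creds and Survey-Accounts are in scope.
$targets = Import-Csv .\Winhosts.csv | Select-Object -ExpandProperty IP
$compareArgs = @{
    ReferenceObject  = Import-Csv .\LocalAccountBaseline.csv   # trusted baseline of expected local account names
    DifferenceObject = $null                                    # set per host in the loop
    Property         = "name"
    PassThru         = $true
}
$current = Survey-Accounts -ComputerName $targets -Credential $creds
ForEach ($ip in $targets) {
    $hostRows = @($current |
        Where-Object {$_.pscomputername -eq $ip} |
        Sort-Object -Property name -Unique)
    # No rows means the host was not surveyed; say so rather than erroring on $null.
    if ($hostRows.Count -eq 0) {
        Write-Warning "No account survey data for $ip - host not compared against baseline"
        continue
    }
    $compareArgs.DifferenceObject = $hostRows
    Compare-Object @compareArgs | Where-Object {$_.sideindicator -eq "=>"}
}#end of foreach loop
#endregion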
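#region Lab1 Baseline Services
# Diff installed services on each Win7 host against the service baseline by
# name and report services present on the host but not in the baseline ("=>").
# Name-only matching will not catch a baselined service whose binary was
# replaced; the process/autorun regions cover hashes. Assumes $creds and
# Survey-Services are in scope.
$targets = Import-Csv .\Winhosts.csv | Where-Object {$_.os -eq "Win7"} | Select-Object -ExpandProperty IP
$compareArgs = @{
    ReferenceObject  = Import-Csv .\Win7ServiceBaseline.csv
    DifferenceObject = $null        # set per host in the loop
    Property         = "name"
    PassThru         = $true
}
$current = Survey-Services -ComputerName $targets -Credential $creds
ForEach ($ip in $targets) {
    # Instructor notes pass -DifferenceObject explicitly instead of via the
    # splatted hashtable; both forms are equivalent.
    $hostRows = @($current |
        Where-Object {$_.pscomputername -eq $ip} |
        Sort-Object -Property name -Unique)
    # No rows means the host was not surveyed; warn instead of failing on $null.
    if ($hostRows.Count -eq 0) {
        Write-Warning "No service survey data for $ip - host not compared against baseline"
        continue
    }
    $compareArgs.DifferenceObject = $hostRows
    Compare-Object @compareArgs | Where-Object {$_.sideindicator -eq "=>"}
}#end of foreach loop
#endregion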
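#region Lab1 Baseline AutoRuns
# Diff autorun entries on each Server 2012R2 host against the autorun baseline
# by hash and report entries whose hash is not in the baseline ("=>"). The
# registry locations to inspect come from AutoRunKeys.txt (one per line).
# Assumes $creds and Survey-AutoRuns are in scope.
$targets = Import-Csv .\Winhosts.csv | Where-Object {$_.os -eq "Win Server 2012R2"} | Select-Object -ExpandProperty IP
$compareArgs = @{
    ReferenceObject  = Import-Csv .\WinServer2012AutoBaseline.csv
    DifferenceObject = $null        # set per host in the loop
    Property         = "hash"
    PassThru         = $true
}
$current = Survey-AutoRuns -ComputerName $targets -Credential $creds -RegistryAutoRunLoc (Get-Content .\AutoRunKeys.txt)
ForEach ($ip in $targets) {
    # Instructor notes sort by name and pass -DifferenceObject explicitly; the
    # comparison property is hash, so the per-host rows are deduped on hash here.
    $hostRows = @($current |
        Where-Object {$_.pscomputername -eq $ip} |
        Sort-Object -Property hash -Unique)
    # No rows means the host was not surveyed; warn instead of failing on $null.
    if ($hostRows.Count -eq 0) {
        Write-Warning "No autorun survey data for $ip - host not compared against baseline"
        continue
    }
    $compareArgs.DifferenceObject = $hostRows
    Compare-Object @compareArgs | Where-Object {$_.sideindicator -eq "=>"}
}#end of foreach loop
#endregion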
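#region Lab1 Baseline Firewall
# Diff each Win10 host's firewall rules against the baseline on the fields that
# define a rule's effect. Unlike the other Lab1 regions this keeps BOTH sides:
# "=>" rows are rules on the host that are not in the baseline, "<=" rows are
# baseline rules the host no longer has (a removed or altered rule matters as
# much as an added one). An IP column is appended so "<=" rows, which come from
# the baseline CSV rather than the host, can still be tied to the host.
# Assumes $creds and Survey-Firewall are in scope.
$targets = Import-Csv .\Winhosts.csv | Where-Object {$_.os -eq "Win10"} | Select-Object -ExpandProperty IP
$ruleFields = "direction","action","localaddress","remoteaddress","localport","remoteport"
$compareArgs = @{
    ReferenceObject  = Import-Csv .\Win10Firewall.csv
    DifferenceObject = $null        # set per host in the loop
    Property         = $ruleFields
    PassThru         = $true
}
$current = Survey-Firewall -ComputerName $targets -Credential $creds
ForEach ($ip in $targets) {
    # Instructor notes pass -DifferenceObject explicitly; same result.
    $hostRows = @($current |
        Where-Object {$_.pscomputername -eq $ip} |
        Sort-Object -Property $ruleFields -Unique)
    # No rows means the host was not surveyed; warn instead of failing on $null.
    if ($hostRows.Count -eq 0) {
        Write-Warning "No firewall survey data for $ip - host not compared against baseline"
        continue
    }
    $compareArgs.DifferenceObject = $hostRows
    Compare-Object @compareArgs | Select-Object -Property *,@{n="IP";e={"$ip"}}
}#end of foreach loop
#endregion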
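#region Lab2 LFA Windows 10 Processes
# Least Frequency Analysis: across all Win10 hosts, list process rows whose
# hash is seen on fewer than $rareThreshold hosts. Rows are deduped on
# (host, hash) first so a binary running many times on ONE host does not
# inflate its count. Assumes $creds and Survey-Processes are in scope.
$targets = Import-Csv .\Winhosts.csv | Where-Object {$_.os -eq "Win10"} | Select-Object -ExpandProperty IP
# "Rare" = present on fewer hosts than this. 2 means "unique to a single host";
# for larger fleets scale it, e.g. [math]::Ceiling($targets.Count * .1) (10% example).
$rareThreshold = 2
$procs = Survey-Processes -ComputerName $targets -Credential $creds
# An empty survey would silently produce no findings - make that visible.
if (-not $procs) {
    Write-Warning "Survey-Processes returned no data - no hosts were analysed"
}
$procs |
    Sort-Object -Property pscomputername,hash -Unique |
    Group-Object -Property hash |
    Where-Object {$_.Count -lt $rareThreshold} |
    Select-Object -ExpandProperty Group
#endregion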
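#region Lab2 LFA Windows 7 Services
# Least Frequency Analysis on services: across all Win7 hosts, list service
# rows whose NAME is seen on fewer than $rareThreshold hosts. Name was chosen
# over pathname to keep the lab simple; a renamed-but-identical path would not
# be caught. Assumes $creds and Survey-Services are in scope.
$targets = Import-Csv .\Winhosts.csv | Where-Object {$_.os -eq "Win7"} | Select-Object -ExpandProperty IP
# "Rare" = present on fewer hosts than this. 2 means "unique to a single host";
# for larger fleets scale it, e.g. [math]::Ceiling($targets.Count * .1) (10% example).
$rareThreshold = 2
$svcs = Survey-Services -ComputerName $targets -Credential $creds
# An empty survey would silently produce no findings - make that visible.
if (-not $svcs) {
    Write-Warning "Survey-Services returned no data - no hosts were analysed"
}
$svcs |
    Sort-Object -Property pscomputername,name -Unique |
    Group-Object -Property name |
    Where-Object {$_.Count -lt $rareThreshold} |
    Select-Object -ExpandProperty Group
#endregion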
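#region Lab2 LFA Windows Server 2012 AutoRuns
# Least Frequency Analysis on autoruns: across all Server 2012R2 hosts, list
# autorun rows whose hash is seen on fewer than $rareThreshold hosts. Registry
# locations to inspect come from AutoRunKeys.txt. Assumes $creds and
# Survey-AutoRuns are in scope.
$targets = Import-Csv .\Winhosts.csv | Where-Object {$_.os -eq "Win Server 2012R2"} | Select-Object -ExpandProperty IP
# "Rare" = present on fewer hosts than this. 2 means "unique to a single host";
# for larger fleets scale it, e.g. [math]::Ceiling($targets.Count * .1) (10% example).
$rareThreshold = 2
$auto = Survey-AutoRuns -ComputerName $targets -Credential $creds -RegistryAutoRunLoc (Get-Content .\AutoRunKeys.txt)
# An empty survey would silently produce no findings - make that visible.
if (-not $auto) {
    Write-Warning "Survey-AutoRuns returned no data - no hosts were analysed"
}
$auto |
    Sort-Object -Property pscomputername,hash -Unique |
    Group-Object -Property hash |
    Where-Object {$_.Count -lt $rareThreshold} |
    Select-Object -ExpandProperty Group
#endregion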
#region Lab3 New User
# Pull "user account created" events (Security log, event ID 4720) from ws16.
# The filter runs on the remote host via -FilterHashtable, so only matching
# events are serialised back. RecordID is the event's record number in that log.
$On_Target = @{
    ComputerName = "ws16.vaoc.net"
    Credential   = $creds
}#end of $On_Target
Invoke-Command @On_Target {
    $logfilter = @{
        LogName = "Security"
        ID      = 4720
    }
    Get-WinEvent -FilterHashtable $logfilter
} | Select-Object RecordID,Message | Format-Table -Wrap
#endregion
#region Lab3 Security Group
# Pull "member added to security-enabled group" events (Security log, IDs
# 4728/4732/4756 - global/local/universal) from ws16 and keep only those whose
# rendered message contains a given SID.
# NOTE(review): "<SID>" is a placeholder - replace it with the SID of interest
# before running. The match is a plain substring over the message text, so it
# also hits any longer SID that contains the string; matching on the event's
# Properties would be more precise.
$On_Target = @{
    ComputerName = "ws16.vaoc.net"
    Credential   = $creds
}#end of $On_Target
Invoke-Command @On_Target {
    $logfilter = @{
        LogName = "Security"
        ID      = 4728,4732,4756
    }
    # Filtering happens remotely, before anything crosses the wire.
    Get-WinEvent -FilterHashtable $logfilter | Where-Object message -like "*<SID>*"
} | Select-Object RecordID,Message | Format-Table -Wrap
#endregion
#region Lab3 New Firewall Rule
# Pull event ID 2004 (per the region title, a firewall rule being added) from
# ws13. The log name is a wildcard, so every log whose name contains "fire"
# is searched - NOTE(review): confirm that only the intended firewall log is
# matched on the target, otherwise ID 2004 from an unrelated log could be mixed in.
$On_Target = @{
    ComputerName = "ws13.vaoc.net"
    Credential   = $creds
}#end of $On_Target
Invoke-Command @On_Target {
    $logfilter = @{
        LogName = "*fire*"
        ID      = 2004
    }
    Get-WinEvent -FilterHashtable $logfilter
} | Select-Object TimeCreated,RecordID,Message | Format-Table -Wrap
#endregion
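#region Lab3 Successful Logons
# Count successful logons (Security log, event ID 4624) on ws5 inside a
# one-day window. The Invoke-Command result is wrapped in @() so the count is
# always an integer: with zero or exactly one matching event the remote call
# yields $null or a single object, and .count on those is not a reliable
# array count. Note that 4624 covers every logon type (network, service,
# interactive, ...), not just console logons - filter on LogonType if needed.
$On_Target = @{
    ComputerName = "ws5.vaoc.net"
    Credential   = $creds
}#end of $On_Target
@(Invoke-Command @On_Target {
    $logfilter = @{}
    $logfilter.logname = "Security"
    $logfilter.ID = 4624
    # NOTE(review): the trailing "Z" makes these UTC instants that [datetime]
    # converts to the remote host's local time, so the window is the UTC day,
    # not the host's local calendar day - confirm which boundary is intended.
    $logfilter.starttime = [datetime]"04/14/2020 00:00:00Z"
    $logfilter.endtime = [datetime]"04/14/2020 23:59:59Z"
    Get-WinEvent -FilterHashtable $logfilter
}).Count
#endregion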
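#region Lab4 Copy TO Remote Machine
# Push a local file to ws20 over an explicit PSSession. try/finally guarantees
# the session is removed even if the copy fails; otherwise a failed Copy-Item
# leaves an authenticated remote session open. -ErrorAction Stop makes a copy
# failure terminate loudly rather than being printed and ignored.
$session = New-PSSession -ComputerName ws20.vaoc.net -Credential $creds
try {
    Copy-Item -Path .\last_first.txt -ToSession $session -Destination C:\Users\Student\lastname_first.txt -ErrorAction Stop
}
finally {
    Remove-PSSession $session
}
#endregion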
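#region Lab4 Copy FROM Remote Machine
# Pull a file back from ws20 over an explicit PSSession. try/finally guarantees
# the session is removed even if the copy fails; otherwise a failed Copy-Item
# leaves an authenticated remote session open. -ErrorAction Stop makes a copy
# failure terminate loudly rather than being printed and ignored.
$session = New-PSSession -ComputerName ws20.vaoc.net -Credential $creds
try {
    Copy-Item -Path c:\users\student\lastname_first.txt -FromSession $session -Destination .\last_firstnew.txt -ErrorAction Stop
}
finally {
    Remove-PSSession $session
}
#endregion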
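#region Lab5 Regular Expressions
# Search every file under the share on fsvr1 for a regex. Only the LAST
# $expression assignment is live; the earlier ones are ready-made alternatives
# - comment out all but the one you want. Select-String is case-insensitive
# unless -CaseSensitive is given.
Invoke-Command -ComputerName fsvr1.vaoc.net -Credential $creds -ScriptBlock {
    # SSN - word boundaries stop it matching inside a longer run of digits.
    $expression = "\b\d{3}-\d{2}-\d{4}\b"
    # Email address - TLD length left open-ended; many TLDs exceed 3 characters.
    $expression = "[\w\.-]+@[\w\.-]+\.[\w]{2,}"
    # Text search of "A" & "B or C". Both lookaheads are zero-width, so the
    # pattern must NOT end with a literal character: the original trailing
    # space required a space at the match position and silently skipped lines
    # where the first key term was not preceded by one (e.g. a line starting
    # with "Power Stone"). A zero-length match still reports the line.
    $expression = "(?=.*Power Stone)(?=.*xandar|.*Nova Corps)"
    $filepath = "C:\users\student\share"
    # The output carries the full matching line. When hunting PII (SSNs, email
    # addresses) that output is itself sensitive - store and share it accordingly.
    Get-ChildItem $filepath -Recurse -File |
        Select-String -Pattern $expression -AllMatches | Format-Table Path, Line -Wrap
}
#endregion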