Export a listing of all enabled Active Directory users

Exports a listing of all enabled Active Directory users

Author: Brandon Lanczak

Date: 03-20-2023

Note: Adjust properties as needed. 

Get-ADUser -LDAPFilter "(objectCategory=User)" -Properties Enabled, Name, EmailAddress, Title | Where { $_.Enabled -eq $True } | Select-Object Name, EmailAddress,Title, Enabled | Sort-Object -Property Name | Export-CSV -NoType 'C:\Temp\blah mm-dd-yyyy.csv'

Export GAL as Standard Outlook User

[Microsoft.Office.Interop.Outlook.Application] $outlook = New-Object -ComObject Outlook.Application
$entries = $outlook.Session.GetGlobalAddressList().AddressEntries
foreach($entry in $entries){
    write-output ("{0}: {1}" -f $entry.Name, $entry.GetExchangeUser().PrimarySMTPAddress), $entry.GetExchangeUser().MobileTelephoneNumber)


param (
$OutFile = (Get-Date -Format yyyy-MM-dd) + "_GALEntries.csv"

$Outlook = New-Object -ComObject Outlook.Application
$GlobalAddressList = $Outlook.Session.GetGlobalAddressList().AddressEntries
$TotalObjects = $GlobalAddressList.Count

$i = 1
foreach ($entry in $GlobalAddressList)
    Write-Progress -Id 1 -Activity "Exporting Global Address List Entries" -PercentComplete (($i / $TotalObjects) * 100) -Status "[$($i)/$($TotalObjects)] entries exported"
    If ($entry.Address -match "\/o\=")
        $EntryData = $entry.GetExchangeUser()
        $RecordData = [ordered]@{
            Name                = $EntryData.Name
            First                = $EntryData.FirstName
            Last                = $EntryData.Last
            PrimarySmtpAddress     = $EntryData.PrimarySmtpAddress
            UserPrincipalName    = $EntryData.PrimarySmtpAddress
            x500                 = $EntryData.Address
            Alias                = $EntryData.Alias
            AssistantName         = $EntryData.AssistantName
            BusinessPhone         = $EntryData.BusinessTelephoneNumber
            MobilePhone            = $EntryData.MobileTelephoneNumber
            Title                 = $EntryData.JobTitle
            Department            = $EntryData.Department
            Company              = $EntryData.CompanyName
            OfficeLocation         = $EntryData.OfficeLocation
            Address             = $EntryData.StreetAddress
            City                = $EntryData.City
            StateOrProvince     = $EntryData.StateOrProvince
            PostalCode            = $EntryData.PostalCode
        $Record = New-Object PSobject -Property $RecordData
        $Record | Export-csv $OutFile -NoTypeInformation -Append
Write-Progress -Id 1 -Status "Completed." -Completed

Powershell Find & Replace IPs in a PCAP

# Netshark Powershell Module is required for this operation. Install if needed with this line
#Install-Module NetShark

# Import the NetShark module
Import-Module NetShark

# Set the path to the input pcap file
$inputFile = "C:\Path\To\Input\File.pcap"

# Set the path to the output pcap file
$outputFile = "C:\Path\To\Output\File.pcap"

# Set the original IP address to be replaced
$originalIpAddress = ""

# Set the new IP address to replace the original one
$newIpAddress = ""

# Create a filter expression to match packets with the original IP address
$filterExpression = "ip.addr == $originalIpAddress"

# Use NetShark to read the input pcap file and filter packets matching the filter expression
Get-NetSharkCapture -FilePath $inputFile -FilterExpression $filterExpression |
ForEach-Object {
    # Replace the original IP address with the new IP address in each matching packet
    $_.Packet.IP.DstAddr = $newIpAddress
    $_.Packet.IP.SrcAddr = $newIpAddress
} |
# Use NetShark to write the modified packets to the output pcap file
Set-NetSharkCapture -FilePath $outputFile

Upcoming Microsoft Time bombs

Microsoft Authenticator for M365 users

Synopsis: Microsoft will turn on number matching on 2/27/2023 which will undoubtedly cause chaos if you have users who are not smart enough to use mobile devices that are patchable and updated automatically.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match.

Date of change: March 2023


DCOM changes

Synopsis: Changes to the security posture of DCOM (first released in June of 2021) become enforced.

References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26414 and https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c.

Date of change: 03-14-2023


AD Connect 2.0.x

Synopsis: AD Connect 2.0.x versions are going end-of-life for those syncing with M365.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Date of change: April 2023


AD Permissions issue becomes enforced

Synopsis: To address an Active Directory Domain Services Elevation of Privilege Vulnerability and AD audit mode will become enforced.

References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42291 and https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1

Date of change: 04-11-2023


NetLogon RPC becomes enforced

Synopsis: Windows domain controllers will require that Netlogon clients use RPC seal if they are running Windows, or if they are acting as either domain controllers or as trust accounts.

References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38023 and https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25

Date of Change: 04-11-2023


Kerberos Protocol Changes

Synopsis: Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices (aka those using weak RC4-HMAC for negotiation).

References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37966 , https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d , https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37967 , and https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb#timing

Date of change: 07-11-2023


Office 2016/2019 dropped from being able to connect to M365 services

Synopsis: Office 2016/2019 dropped from being able to connect to M365 services due to end-of-support.

References: https://learn.microsoft.com/en-us/deployoffice/endofsupport/microsoft-365-services-connectivity

Date of Change: 10-10-2023


Kerberos/Certificate-based authentication on DCs becomes enforced

Synopsis: Kerberos/Certificate-based authentication on DCs becomes enforced. By 11-14-2023, or later, all devices will be updated to Full Enforcement mode. In this mode, if a certificate fails the strong (secure) mapping criteria, authentication will be denied.

References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26931 and https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Date of change: 11-14-2023

PowerShell Move Mouse every 10-seconds

Add-Type -AssemblyName System.Windows.Forms
while ($true)
  $Pos = [System.Windows.Forms.Cursor]::Position
  $x = ($pos.X % 500) + 1
  $y = ($pos.Y % 500) + 1
  [System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point($x, $y)
  Start-Sleep -Seconds 10

SolarWinds SQL Correlate WMI Credential to Node

USE SolarWindsOrion
from dbo.NodesData
join dbo.NodeSettings on NodesData.NodeID = NodeSettings.NodeID
join Credential on NodeSettings.SettingValue = Credential.ID
where NodesData.ObjectSubType = 'WMI'
and nodesettings.SettingName = 'WMICredential'

PowerShell Split File

function Split-File
      Splits a file into multiple parts 
      Splits a file into smaller parts. The maximum size of the part files can be specified. The number of parts required is calculated. 
      Split-File -Path 'c:\test.zip' -PartSizeBytes 2.5MB 
      Splits the file c:\test.zip in as many parts as necessary. Each part file is no larger than 2.5MB 
      Split-File -Path 'c:\test.zip' -PartSizeBytes 2.5MB -AddSelfExtractor 
      Splits the file c:\test.zip in as many parts as necessary. Each part file is no larger than 2.5MB 
      Adds a powershell script that joins the parts when run, and adds a shortcut file to 
      run the PowerShell extractor script on double-click, essentially adding a self-extractor 

        # Path to the file you want to split
        [Parameter(Mandatory,HelpMessage='Path to the file you want to split')]

        # maximum size of file chunks (in bytes)
        $PartSizeBytes = 1MB,

        # when specified, add a an extractor script and link file to easily convert
        # chunks back into the original file

        # get the path parts to construct the individual part
        # file names:
        $fullBaseName = [IO.Path]::GetFileName($Path)
        $baseName = [IO.Path]::GetFileNameWithoutExtension($Path)
        $parentFolder = [IO.Path]::GetDirectoryName($Path)
        $extension = [IO.Path]::GetExtension($Path)

        # get the original file size and calculate the
        # number of required parts:
        $originalFile = New-Object -TypeName System.IO.FileInfo -ArgumentList ($Path)
        $totalChunks = [int]($originalFile.Length / $PartSizeBytes) + 1
        $digitCount = [int][Math]::Log10($totalChunks) + 1

        # read the original file and split into chunks:
        $reader = [IO.File]::OpenRead($Path)
        $count = 0
        $buffer = New-Object -TypeName Byte[] -ArgumentList $PartSizeBytes
        $moreData = $true

        # read chunks until there is no more data
            # read a chunk
            $bytesRead = $reader.Read($buffer, 0, $buffer.Length)
            # create the filename for the chunk file
            $chunkFileName = "$parentFolder\$fullBaseName.{0:D$digitCount}.part" -f $count
            Write-Verbose -Message "saving to $chunkFileName..."
            $output = $buffer

            # did we read less than the expected bytes?
            if ($bytesRead -ne $buffer.Length)
                # yes, so there is no more data
                $moreData = $false
                # shrink the output array to the number of bytes
                # actually read:
                $output = New-Object -TypeName Byte[] -ArgumentList $bytesRead
                [Array]::Copy($buffer, $output, $bytesRead)
            # save the read bytes in a new part file
            [IO.File]::WriteAllBytes($chunkFileName, $output)
            # increment the part counter
        # done, close reader

        # add self-extractor
        if ($AddSelfExtractor)
            Write-Verbose -Message "Adding extractor scripts..."
            # define the self-extractor powershell script:
            $extractorName = "${fullBaseName}.{0:D$digitCount}.part.ps1" -f $count
            $extractorPath = Join-Path -Path $parentFolder -ChildPath $extractorName
            $filePath = '$PSScriptRoot\' + "$baseName$extension"

            # define the self-extractor shortcut file that launches
            # the powershell script on double-click:
            $linkName = "Extract ${fullBaseName}.lnk"
            $linkPath = Join-Path -Path $parentFolder -ChildPath $linkName

            # this will be used inside the extractor script to find the
            # part files via relative path:
            $currentFile = '"$PSCommandPath"'
            $currentFolder = '"$PSScriptRoot"'
            # write the extractor script source code to file:
                # copy the join-file source code into the extractor script: 
                function Join-File { 
                # join the part files and delete the part files after joining: 
                Join-File -Path ""$filePath"" -Verbose -DeletePartFiles 
                # remove both extractor scripts: 
                (Join-Path -Path $currentFolder -ChildPath '$linkName') | Remove-Item 
                Remove-Item -Path $currentFile 
                # open the extracted file in windows explorer 
                explorer.exe ""/select,""""$filepath"""""" 
            " | Set-Content -Path $extractorPath

            # create a shortcut file that launches the extractor script
            # when it is double-clicked:
            $shell = New-Object -ComObject WScript.Shell
            $scut = $shell.CreateShortcut($linkPath)
            $scut.TargetPath = "powershell.exe"
            $scut.Arguments = "-nop -executionpolicy bypass -file ""$extractorPath"""
            $scut.WorkingDirectory = ""
            $scut.IconLocation = "$env:windir\system32\shell32.dll,162"
        throw "Unable to split file ${Path}: $_"