Export a listing of all enabled Active Directory users
<#
Exports a listing of all enabled Active Directory users
Author: Brandon Lanczak
Date: 03-20-2023
Note: Adjust properties as needed.
#>
#
Get-ADUser -LDAPFilter "(objectCategory=User)" -Properties Enabled, Name, EmailAddress, Title | Where { $_.Enabled -eq $True } | Select-Object Name, EmailAddress,Title, Enabled | Sort-Object -Property Name | Export-CSV -NoType 'C:\Temp\blah mm-dd-yyyy.csv'
Export GAL as Standard Outlook User
[Microsoft.Office.Interop.Outlook.Application] $outlook = New-Object -ComObject Outlook.Application
$entries = $outlook.Session.GetGlobalAddressList().AddressEntries
foreach ($entry in $entries) {
    # GetExchangeUser() returns $null for entries that are not Exchange users
    $user = $entry.GetExchangeUser()
    if ($user) {
        Write-Output ("{0}: {1} {2}" -f $entry.Name, $user.PrimarySmtpAddress, $user.MobileTelephoneNumber)
    }
}
OR
param (
    $OutFile = (Get-Date -Format yyyy-MM-dd) + "_GALEntries.csv"
)
$Outlook = New-Object -ComObject Outlook.Application
$GlobalAddressList = $Outlook.Session.GetGlobalAddressList().AddressEntries
$TotalObjects = $GlobalAddressList.Count
$i = 1
foreach ($entry in $GlobalAddressList)
{
    Write-Progress -Id 1 -Activity "Exporting Global Address List Entries" -PercentComplete (($i / $TotalObjects) * 100) -Status "[$($i)/$($TotalObjects)] entries exported"
    # Only entries with an Exchange (X.500) address are exported
    If ($entry.Address -match "\/o\=")
    {
        $EntryData = $entry.GetExchangeUser()
        $RecordData = [ordered]@{
            Name = $EntryData.Name
            First = $EntryData.FirstName
            Last = $EntryData.LastName
            PrimarySmtpAddress = $EntryData.PrimarySmtpAddress
            # The primary SMTP address is used here as a stand-in for the UPN
            UserPrincipalName = $EntryData.PrimarySmtpAddress
            x500 = $EntryData.Address
            Alias = $EntryData.Alias
            AssistantName = $EntryData.AssistantName
            BusinessPhone = $EntryData.BusinessTelephoneNumber
            MobilePhone = $EntryData.MobileTelephoneNumber
            Title = $EntryData.JobTitle
            Department = $EntryData.Department
            Company = $EntryData.CompanyName
            OfficeLocation = $EntryData.OfficeLocation
            Address = $EntryData.StreetAddress
            City = $EntryData.City
            StateOrProvince = $EntryData.StateOrProvince
            PostalCode = $EntryData.PostalCode
        }
        $Record = New-Object PSObject -Property $RecordData
        $Record | Export-Csv $OutFile -NoTypeInformation -Append
    }
    $i++
}
# -Activity is a mandatory parameter of Write-Progress, also when closing the bar
Write-Progress -Id 1 -Activity "Exporting Global Address List Entries" -Status "Completed." -Completed
PowerShell Find & Replace IPs in a PCAP
# The NetShark PowerShell module is required for this operation. Install it if needed with this line
#Install-Module NetShark
# Import the NetShark module
Import-Module NetShark
# Set the path to the input pcap file
$inputFile = "C:\Path\To\Input\File.pcap"
# Set the path to the output pcap file
$outputFile = "C:\Path\To\Output\File.pcap"
# Set the original IP address to be replaced
$originalIpAddress = "10.0.0.1"
# Set the new IP address to replace the original one
$newIpAddress = "192.168.0.1"
# Create a filter expression to match packets with the original IP address
$filterExpression = "ip.addr == $originalIpAddress"
# Use NetShark to read the input pcap file and filter packets matching the filter expression
Get-NetSharkCapture -FilePath $inputFile -FilterExpression $filterExpression |
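ForEach-Object {
    # Replace the original IP address only in the field that actually holds it,
    # so the other endpoint of each packet is left unchanged
    if ($_.Packet.IP.DstAddr -eq $originalIpAddress) { $_.Packet.IP.DstAddr = $newIpAddress }
    if ($_.Packet.IP.SrcAddr -eq $originalIpAddress) { $_.Packet.IP.SrcAddr = $newIpAddress }
    $_
} |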
# Use NetShark to write the modified packets to the output pcap file
Set-NetSharkCapture -FilePath $outputFile
Microsoft: February updates break some Windows Server 2022 VMs
Upcoming Microsoft Time bombs
Microsoft Authenticator for M365 users
Synopsis: Microsoft will turn on number matching on 2/27/2023, which will undoubtedly cause chaos if you have users who are not smart enough to use mobile devices that are patchable and updated automatically.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match.
Date of change: March 2023
_______
DCOM changes
Synopsis: Changes to the security posture of DCOM (first released in June of 2021) become enforced.
References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26414 and https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c.
Date of change: 03-14-2023
_______
AD Connect 2.0.x
Synopsis: AD Connect 2.0.x versions are going end-of-life for those syncing with M365.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history
Date of change: April 2023
_______
AD Permissions issue becomes enforced
Synopsis: To address an Active Directory Domain Services Elevation of Privilege Vulnerability, AD audit mode will become enforced.
References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42291 and https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
Date of change: 04-11-2023
_______
NetLogon RPC becomes enforced
Synopsis: Windows domain controllers will require that Netlogon clients use RPC seal if they are running Windows, or if they are acting as either domain controllers or as trust accounts.
References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38023 and https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25
Date of Change: 04-11-2023
_______
Kerberos Protocol Changes
Synopsis: Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices (aka those using weak RC4-HMAC for negotiation).
References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37966, https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d, https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37967, and https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb#timing
Date of change: 07-11-2023
_______
Office 2016/2019 dropped from being able to connect to M365 services
Synopsis: Office 2016/2019 dropped from being able to connect to M365 services due to end-of-support.
References: https://learn.microsoft.com/en-us/deployoffice/endofsupport/microsoft-365-services-connectivity
Date of Change: 10-10-2023
_______
Kerberos/Certificate-based authentication on DCs becomes enforced
Synopsis: Kerberos/Certificate-based authentication on DCs becomes enforced. By 11-14-2023, or later, all devices will be updated to Full Enforcement mode. In this mode, if a certificate fails the strong (secure) mapping criteria, authentication will be denied.
References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26931 and https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
Date of change: 11-14-2023
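An audit to run ahead of the Kerberos Protocol Changes entry above, as an added example that is not part of the original post: it lists enabled service and computer accounts whose msDS-SupportedEncryptionTypes value does not include an AES type. It assumes the ActiveDirectory module is installed; the function names and the output path are hypothetical.

```powershell
# Added example: audit Kerberos encryption types ahead of enforcement.
# Assumes the ActiveDirectory (RSAT) module; function names are hypothetical.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute
$EncBits = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128'      = 0x8
    'AES256'      = 0x10
}
$AesMask = 0x18   # AES128 + AES256

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    ($EncBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }) -join ', '
}

function Get-KerberosEncTypeAudit {
    $props = 'msDS-SupportedEncryptionTypes', 'PasswordLastSet'
    # Service accounts (users with an SPN) and computer accounts
    $accounts = @(Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties $props) +
                @(Get-ADComputer -Filter * -Properties $props)
    foreach ($a in $accounts | Where-Object Enabled) {
        $raw = $a.'msDS-SupportedEncryptionTypes'
        $status = 'NoAES'                            # only DES and/or RC4 advertised
        if (-not $raw) { $status = 'NotSet' }        # empty or 0: domain default applies
        elseif ($raw -band $AesMask) { $status = 'AES' }
        [pscustomobject]@{
            Name            = $a.Name
            ObjectClass     = $a.ObjectClass
            Status          = $status
            EncTypes        = ConvertFrom-EncTypeMask ([int]$raw)
            PasswordLastSet = $a.PasswordLastSet
        }
    }
}

# Review everything that is not already advertising AES
Get-KerberosEncTypeAudit | Where-Object Status -ne 'AES' |
    Sort-Object Status, Name |
    Export-Csv -NoTypeInformation 'C:\Temp\kerberos-enctypes.csv'
```

Accounts reported as NoAES are the ones to fix before the enforcement date; NotSet accounts inherit whatever default the domain controllers apply.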
PowerShell Move Mouse every 10-seconds
Add-Type -AssemblyName System.Windows.Forms
while ($true)
{
$Pos = [System.Windows.Forms.Cursor]::Position
$x = ($pos.X % 500) + 1
$y = ($pos.Y % 500) + 1
[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point($x, $y)
Start-Sleep -Seconds 10
}
InfraGard Data Breach
VMware PowerCLI Cheat Sheet
SolarWinds SQL Correlate WMI Credential to Node
USE SolarWindsOrion;
SELECT
    NodesData.NodeID,
    NodesData.Caption,
    NodeSettings.SettingName,
    NodeSettings.SettingValue,
    Credential.Name
FROM dbo.NodesData
JOIN dbo.NodeSettings ON NodesData.NodeID = NodeSettings.NodeID
-- Compare as text so that non-numeric SettingValue rows cannot raise a conversion error
JOIN Credential ON NodeSettings.SettingValue = CAST(Credential.ID AS nvarchar(20))
WHERE NodesData.ObjectSubType = 'WMI'
    AND NodeSettings.SettingName = 'WMICredential'