From 3d94643e0c73480d1ae60d846d7788fc9312290e Mon Sep 17 00:00:00 2001
From: Joshua
Date: Fri, 1 Dec 2023 22:38:20 -0800
Subject: [PATCH] Nonsensical
---
.../windows/dumb/backupCommonFolders.ps1 | 51 ++++++++++++
blue-team/windows/dumb/changeAllPassword.ps1 | 26 ++++++
blue-team/windows/dumb/exportDNS.ps1 | 21 +++++
blue-team/windows/dumb/getDomainUsers.ps1 | 13 +++
blue-team/windows/dumb/getPrevSignIn.ps1 | 31 +++++++
.../windows/dumb/getUsersAndAdminList.ps1 | 31 +++++++
blue-team/windows/dumb/importDNS.ps1 | 11 +++
blue-team/windows/dumb/simpleHarden.ps1 | 82 +++++++++++++++++++
8 files changed, 266 insertions(+)
create mode 100644 blue-team/windows/dumb/backupCommonFolders.ps1
create mode 100644 blue-team/windows/dumb/changeAllPassword.ps1
create mode 100644 blue-team/windows/dumb/exportDNS.ps1
create mode 100644 blue-team/windows/dumb/getDomainUsers.ps1
create mode 100644 blue-team/windows/dumb/getPrevSignIn.ps1
create mode 100644 blue-team/windows/dumb/getUsersAndAdminList.ps1
create mode 100644 blue-team/windows/dumb/importDNS.ps1
create mode 100644 blue-team/windows/dumb/simpleHarden.ps1
diff --git a/blue-team/windows/dumb/backupCommonFolders.ps1 b/blue-team/windows/dumb/backupCommonFolders.ps1
new file mode 100644
index 0000000..0dd0a43
--- /dev/null
+++ b/blue-team/windows/dumb/backupCommonFolders.ps1
@@ -0,0 +1,51 @@
+# Backup common folders
+
+# Make TempLogs directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs")){
+ New-Item -Path "C:\Windows\TempLogs" -ItemType Directory
+}
+
+# Make backup directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs\backup")){
+ New-Item -Path "C:\Windows\TempLogs\backup" -ItemType Directory
+}
+
+# Try to save http files
+try{
+ Copy-Item -Path "C:\inetpub\wwwroot\*" -Destination "C:\Windows\TempLogs\backup\"
+}
+catch{
+ Write-Host "Could not save http files"
+}
+
+# Try to save ftp files
+try{
+ Copy-Item -Path "C:\inetpub\ftproot\*" -Destination "C:\Windows\TempLogs\backup\"
+}
+catch{
+ Write-Host "Could not save ftp files"
+}
+
+# Try to save dns files
+try{
+ Copy-Item -Path "C:\Windows\System32\dns\*" -Destination "C:\Windows\TempLogs\backup\"
+}
+catch{
+ Write-Host "Could not save dns files"
+}
+
+# Try to save dhcp files
+try{
+ Copy-Item -Path "C:\Windows\System32\dhcp\*" -Destination "C:\Windows\TempLogs\backup\"
+}
+catch{
+ Write-Host "Could not save dhcp files"
+}
+
+# Try to save iis files
+try{
+ Copy-Item -Path "C:\Windows\System32\inetsrv\*" -Destination "C:\Windows\TempLogs\backup\"
+}
+catch{
+ Write-Host "Could not save iis files"
+}
\ No newline at end of file
diff --git a/blue-team/windows/dumb/changeAllPassword.ps1 b/blue-team/windows/dumb/changeAllPassword.ps1
new file mode 100644
index 0000000..428a6f4
--- /dev/null
+++ b/blue-team/windows/dumb/changeAllPassword.ps1
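Review bot: The five `catch` blocks in this hunk never run for a failed copy, because `Copy-Item` reports non-terminating errors unless `-ErrorAction Stop` is given, so a source that is missing or unreadable only prints a red error and the script reports nothing. All five sources are also copied into the same `backup\` folder without `-Recurse`, so same-named files from different sources overwrite each other and subdirectories are not taken at all. Each copy should target its own subfolder and be terminating, along the lines of `Copy-Item -Path "C:\inetpub\wwwroot\*" -Destination "C:\Windows\TempLogs\backup\wwwroot\" -Recurse -ErrorAction Stop`, after creating that subfolder. The same missing `-ErrorAction Stop` on `Copy-Item` recurs in exportDNS.ps1 and importDNS.ps1.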
@@ -0,0 +1,26 @@
+# Changes all domain user passwords to a template password
+
+Import-module activedirectory
+
+# Disable password complexity
+
+secedit /export /cfg C:\securityPolicy.cfg
+(Get-Content C:\securityPolicy.cfg).replace("PasswordComplexity = 1","PasswordComplexity = 0") | Out-File C:\securityPolicy.cfg
+secedit /configure /db C:\windows\security\local.sdb /cfg C:\securityPolicy.cfg /areas SECURITYPOLICY
+rm -force C:\securityPolicy.cfg -confirm:$false
+
+$template = read-host "Enter template password postfix"
+
+foreach ($user in (Get-ADUser -Filter *)){
+ $newPassword = $user.samaccountname + $template
+ $user | Set-ADAccountPassword -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) -Reset
+ $user | Set-ADUser -ChangePasswordAtLogon $true
+ Write-Host "Changed password for user" $user.samaccountname
+}
+
+# Enable password complexity
+
+secedit /export /cfg C:\securityPolicy.cfg
+(Get-Content C:\securityPolicy.cfg).replace("PasswordComplexity = 0","PasswordComplexity = 1") | Out-File C:\securityPolicy.cfg
+secedit /configure /db C:\windows\security\local.sdb /cfg C:\securityPolicy.cfg /areas SECURITYPOLICY
+rm -force C:\securityPolicy.cfg -confirm:$false
diff --git a/blue-team/windows/dumb/exportDNS.ps1 b/blue-team/windows/dumb/exportDNS.ps1
new file mode 100644
index 0000000..3c50540
--- /dev/null
+++ b/blue-team/windows/dumb/exportDNS.ps1
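Review bot: `Get-ADUser -Filter *` in the `foreach` is unfiltered, so the reset also hits `krbtgt`, the built-in accounts, every service account and the account running the script; resetting `krbtgt` invalidates all outstanding Kerberos tickets, and `-ChangePasswordAtLogon $true` on a service account stops that service from authenticating. Exclude at least those before the loop, e.g. `foreach ($user in (Get-ADUser -Filter * | Where-Object { $_.SamAccountName -notin @('krbtgt', $env:USERNAME) })){`, with a maintained skip-list for service accounts. The complexity re-enable at the bottom is not in a `finally`, so any error between the two `secedit /configure` calls leaves the policy at `PasswordComplexity = 0`; wrap the loop in `try { ... } finally { ... }` so the second `secedit` always runs. On a domain controller the local policy written by `secedit` is likely superseded by the Default Domain Policy, so confirm the resets actually succeed rather than assuming the complexity toggle took effect.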
@@ -0,0 +1,21 @@
+# Export DNS zones to be imported later
+
+# Make TempLogs directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs")){
+ New-Item -Path "C:\Windows\TempLogs" -ItemType Directory
+}
+
+# Make DNS directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs\dns")){
+ New-Item -Path "C:\Windows\TempLogs\dns" -ItemType Directory
+}
+
+$zones = Get-DNSServerZone
+foreach ($zone in $zones){
+ Write-Host "Exporting zone" $zone.ZoneName
+ $exportname = $zone.ZoneName + ".bak"
+ Export-DnsServerZone $zone.ZoneName $exportname
+ $backuppath = "C:\Windows\System32\dns\" + $exportname
+ $destination = "C:\Windows\TempLogs\dns\" + $exportname
+ Copy-Item $backuppath $destination
+}
\ No newline at end of file
diff --git a/blue-team/windows/dumb/getDomainUsers.ps1 b/blue-team/windows/dumb/getDomainUsers.ps1
new file mode 100644
index 0000000..ec4d70a
--- /dev/null
+++ b/blue-team/windows/dumb/getDomainUsers.ps1
@@ -0,0 +1,13 @@
+# Get all users from AD and export to CSV file
+
+# Make TempLogs directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs")){
+ New-Item -Path "C:\Windows\TempLogs" -ItemType Directory
+}
+
+# Make userlist directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs\userlist")){
+ New-Item -Path "C:\Windows\TempLogs\userlist" -ItemType Directory
+}
+
+Get-ADUser -Filter * | Export-Csv -Path "C:\Windows\TempLogs\userlist\domainUsers.csv" -NoTypeInformation
\ No newline at end of file
diff --git a/blue-team/windows/dumb/getPrevSignIn.ps1 b/blue-team/windows/dumb/getPrevSignIn.ps1
new file mode 100644
index 0000000..8a78177
--- /dev/null
+++ b/blue-team/windows/dumb/getPrevSignIn.ps1
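Review bot: `Export-DnsServerZone $zone.ZoneName $exportname` raises only a non-terminating error when it fails (zones such as `TrustAnchors` or the auto-created reverse zones may not be exportable, and if I recall correctly the cmdlet refuses to overwrite an existing file), so the `Copy-Item` on the next line still copies whatever `.bak` file is in `System32\dns`, possibly a stale one from an earlier run, and the loop reports success. Make the export terminating and skip the copy on failure: `Export-DnsServerZone -Name $zone.ZoneName -FileName $exportname -ErrorAction Stop` inside `try { ... } catch { Write-Host "Could not export zone" $zone.ZoneName; continue }`. A `Remove-Item $backuppath -ErrorAction SilentlyContinue` before the export ensures a leftover file cannot be mistaken for a fresh backup.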
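Review bot: `Get-ADUser -Filter *` on the last line of getDomainUsers.ps1 is called without `-Properties`, so the CSV carries only the default property set and lacks `PasswordLastSet`, `LastLogonDate`, `whenCreated` and `Description`, which are the columns a baseline user inventory is normally diffed on after an incident. Suggest `Get-ADUser -Filter * -Properties PasswordLastSet,LastLogonDate,whenCreated,Description | Export-Csv -Path "C:\Windows\TempLogs\userlist\domainUsers.csv" -NoTypeInformation`. The same export is repeated at the end of simpleHarden.ps1 with a relative path and a different extension; the two scripts should write to one agreed location.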
@@ -0,0 +1,31 @@
+# Get previous sign in success and failure events from domains
+
+# Find DC list from Active Directory
+$DCs = Get-ADDomainController -Filter *
+
+# Define time for report (default is 1 day)
+$startDate = (get-date).AddDays(-1)
+
+$incre = 0
+$incre2 = 0
+# Store successful logon events from security logs with the specified dates and workstation/IP in an array
+foreach ($DC in $DCs){
+$slogonevents = Get-Eventlog -LogName Security
+
+# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely
+
+ foreach ($e in $slogonevents){
+ # Logon Successful Events
+ # Local (Logon Type 2)
+ if (($e.EventID -eq 4624 ) ){
+ write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
+$global:incre++
+ }
+ if (($e.EventID -eq 4625 ) ){
+ write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Failure`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
+$global:incre2++
+ }
+ }}
+
+Write-host "Total Successful Logons: $incre"
+Write-host "Total Failed Logons: $incre2"
\ No newline at end of file
diff --git a/blue-team/windows/dumb/getUsersAndAdminList.ps1 b/blue-team/windows/dumb/getUsersAndAdminList.ps1
new file mode 100644
index 0000000..466e93a
--- /dev/null
+++ b/blue-team/windows/dumb/getUsersAndAdminList.ps1
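Review bot: The `foreach ($DC in $DCs)` loop never uses `$DC`: `Get-Eventlog -LogName Security` reads the local Security log on every iteration, so the totals are the local count multiplied by the number of domain controllers, and `$startDate` is computed but never applied, so the whole log is scanned rather than the last day. Replace the query with `$slogonevents = Get-EventLog -LogName Security -ComputerName $DC.HostName -After $startDate | Where-Object { $_.EventID -in 4624,4625 }`. The counters are incremented as `$global:incre++` while the two `Write-host` summary lines read the script-scope `$incre` and `$incre2` initialised to 0, so when run as a script file the summary prints 0 for both; use `$incre++` and `$incre2++`. Both branches are labelled "Local Logon" regardless of the logon type (`$e.ReplacementStrings[8]` for 4624), so network and service logons are reported as interactive.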
@@ -0,0 +1,31 @@
+# Get list of users and admins
+
+# Make TempLogs directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs")){
+ New-Item -Path "C:\Windows\TempLogs" -ItemType Directory
+}
+
+# Make userlist directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs\userlist")){
+ New-Item -Path "C:\Windows\TempLogs\userlist" -ItemType Directory
+}
+
+$admins = Get-LocalGroupMember -Group "Administrators"
+$output = "C:\Windows\TempLogs\userlist\admins.txt"
+$output2 = "C:\Windows\TempLogs\userlist\users.txt"
+Clear-Content $output
+Clear-Content $output2
+foreach ($admin in $admins){
+ Add-Content $output $admin
+}
+Get-Content $output
+notepad.exe $output
+
+
+$users = (-Split ((Out-String -InputObject (net user)) -replace "The command completed successfully\.","" -replace "-*","" -replace "User accounts .*",""))
+foreach ($user in $users){
+ # Write-Output $user
+ Add-Content $output2 $user
+}
+Get-Content $output2
+notepad.exe $output2
diff --git a/blue-team/windows/dumb/importDNS.ps1 b/blue-team/windows/dumb/importDNS.ps1
new file mode 100644
index 0000000..776a96a
--- /dev/null
+++ b/blue-team/windows/dumb/importDNS.ps1
@@ -0,0 +1,11 @@
+# Move dns backup files back to System32\dns
+
+$zones = Get-ChildItem -Path "C:\Windows\TempLogs\dns\"
+foreach ($zone in $zones){
+ $backuppath = "C:\Windows\TempLogs\dns\" + $zone
+ $destination = "C:\Windows\System32\dns\" + $zone
+ $zonename = $zone -replace ".bak",".dns"
+ Write-Host "Importing zone" $zonename
+ Copy-Item $backuppath $destination
+ Rename-Item $destination $zonename
+}
\ No newline at end of file
diff --git a/blue-team/windows/dumb/simpleHarden.ps1 b/blue-team/windows/dumb/simpleHarden.ps1
new file mode 100644
index 0000000..d8a9a10
--- /dev/null
+++ b/blue-team/windows/dumb/simpleHarden.ps1
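Review bot: The `-replace "-*",""` in the `net user` parsing line deletes every hyphen in the output, not just the separator rows, so any account whose name contains a hyphen is written to users.txt under a different name (constructed example: `svc-backup` becomes `svcbackup`), and `net user` can also truncate long names to its column width. The file already uses the LocalAccounts module for the admins list, so the users list can come from the same place without text parsing: `$users = (Get-LocalUser).Name`. `Clear-Content $output` and `Clear-Content $output2` fail on the first run because the files do not exist yet; `Set-Content -Path $output -Value ''` creates-or-truncates instead. `Add-Content $output $admin` writes the object's string form, so use `$admin.Name` to make the output independent of how `LocalPrincipal` renders.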
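Review bot: In importDNS.ps1, copying a zone file into `System32\dns` while the DNS Server service is running does not load it: for file-backed zones the service keeps its in-memory copy and is likely to write that back over the restored file, and `Rename-Item $destination $zonename` on the last loop line fails when the live `.dns` file already exists, since `Rename-Item` does not overwrite. Stop the service around the loop (`Stop-Service DNS` before, `Start-Service DNS` after) and copy straight to the final name with `Copy-Item $backuppath ("C:\Windows\System32\dns\" + $zonename) -Force`, dropping the separate rename; a zone that was deleted rather than damaged additionally needs `Add-DnsServerPrimaryZone -Name <zone> -ZoneFile <file> -LoadExisting` to be re-registered. The pattern in `-replace ".bak",".dns"` has an unescaped dot and no anchor; `-replace '\.bak$','.dns'` rewrites only the suffix. Whether `$zone` stringifies to a bare file name or a full path depends on the PowerShell version, so build `$backuppath` and `$destination` from `$zone.Name` explicitly.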
@@ -0,0 +1,82 @@
+# Simple hardening
+
+# Make TempLogs directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs")){
+ New-Item -Path "C:\Windows\TempLogs" -ItemType Directory
+}
+
+# Make userlist directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs\userlist")){
+ New-Item -Path "C:\Windows\TempLogs\userlist" -ItemType Directory
+}
+
+disable-windowsoptionalfeature -online -featureName rasrip
+disable-windowsoptionalfeature -online -featureName WindowsMediaPlayer
+disable-windowsoptionalfeature -online -featureName SimpleTCP
+disable-windowsoptionalfeature -online -featureName SNMP
+disable-windowsoptionalfeature -online -featureName TelnetClient
+disable-windowsoptionalfeature -online -featureName SMB1Protocol
+$stopservices = @(
+"Spooler"
+"iprip"
+"SNMPTRAP"
+"SSDPSRV"
+"TapiSrv"
+"telnet"
+"lfsvc"
+"MapsBroker"
+"NetTcpPortSharing"
+"XblAuthManager"
+"XblGameSave"
+"XboxNetApiSvc"
+"RpcLocator"
+)
+foreach ($service in $stopservices) {
+ Write-Output "Trying to disable $service"
+ Get-Service -Name $service | Set-Service -StartupType Disabled
+ Stop-Service -Force $service
+}
+$startservices = @(
+"WSearch"
+"MpsSvc"
+"EventLog"
+"Wuauserv"
+"WinDefend"
+"WdNisSvc"
+)
+foreach ($service in $startservices) {
+ Write-Output "Trying to enable $service"
+ Set-Service $service -StartupType Automatic
+ Start-Service $service
+}
+
+Set-ADUser -Identity "tseug" -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false -AllowReversiblePasswordEncryption $false
+Disable-ADACcount -Identity "tseug"
+Set-ADUser -Identity "nimda" -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false -AllowReversiblePasswordEncryption $false
+Disable-ADACcount -Identity "nimda"
+Set-ADUser -Identity "DefaultAccount" -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false -AllowReversiblePasswordEncryption $false
+Disable-ADACcount -Identity "DefaultAccount"
+
+$groups = ""
+# Get all groups and members of each group
+foreach ($group in (Get-ADGroup -Filter *)){
+ $groups += $group.Name + ":`n"
+ foreach ($member in (Get-ADGroupMember -Identity $group.Name)){
+ $groups += $member.Name + "`n"
+ }
+ $groups += "`n"
+}
+$output = "C:\Windows\TempLogs\userlist\groups.txt"
+Clear-Content $output
+Add-Content $output $groups
+Get-Content $output
+notepad.exe $output
+
+
+NetSh Advfirewall set allprofiles state on
+Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
+auditpol /set /category:* /success:enable /failure:enable
+Set-MpPreference -DisableRealtimeMonitoring $false
+
+# Get all users from AD and export to CSV file
+Get-ADUser -Filter * | Export-Csv -Path domainUsers.txt -NoTypeInformation
\ No newline at end of file
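Review bot: The six `disable-windowsoptionalfeature -online` calls near the top of the hunk lack `-NoRestart`, so when a feature (SMB1Protocol in particular) needs a reboot the cmdlet stops to prompt, which stalls every hardening step after it when the script is run unattended; add `-NoRestart` to each. The final `Export-Csv -Path domainUsers.txt` writes to whatever the current directory happens to be rather than the `C:\Windows\TempLogs\userlist` folder the script creates at the top, and duplicates getDomainUsers.ps1 under a different name and extension; use `-Path "C:\Windows\TempLogs\userlist\domainUsers.csv"` to match that script. A failed `Start-Service` for `MpsSvc`, `WinDefend` or `EventLog` in the `$startservices` loop only prints a red error and the script moves on, yet the firewall, Defender and `auditpol` steps below rely on those services; run it as `Start-Service $service -ErrorAction Stop` inside a `try/catch` that records the failed name to a file under `TempLogs`, so the operator sees which protection did not come up.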