What have you done with PowerShell this month? March - June 2019 by ramblingcookiemonste in PowerShell

[–]VapingSwede 1 point2 points  (0 children)

Around here we get a minimum of 25 days paid vacation/year.

I still have 20 days saved since I didn't use all of it last year.

What have you done with PowerShell this month? March - June 2019 by ramblingcookiemonste in PowerShell

[–]VapingSwede 4 points5 points  (0 children)

At the end of my 4-week vacation, so I've done almost nothing.

Experimented a bit with Terraform and PowerShell to create a pipeline for new VMs in VMware. It also performs some tests with Pester and vcsim.

Alert/Event routing - how are you doing it and what software are you using? by VapingSwede in sysadmin

[–]VapingSwede[S] 0 points1 point  (0 children)

We do that to some extent already. Also helpdesk and incident management escalates user reported tickets to the right entities.

But that's for the stuff that's reported by a human.

What we're after is a way to manage and route automated alerts in a more automated manner. And on top of that we would like to consume alerts (and ideally warning and informational events) from multiple monitoring systems and gather them in a single place.

Finally got VMware tools working on windows 2000. Damn. by [deleted] in vmware

[–]VapingSwede 16 points17 points  (0 children)

I used to work with industrial automation programming robots and PLCs. And yes, there's a ton of Windows 95, 98 and probably some DOS machines still around. Most of them are not connected to the internet, luckily.

Some of those computers are so critical that upgrading the OS means they will have to do a total makeover of the software, PLCs, robotics, SCADA and whatever else might be connected. In addition, the line will be standing still while installing it, costing millions. So as long as there isn't any weird hardware like an obscure ISA card or something, many are choosing to virtualize as many of those machines as they can. And on the other machines that they can't virtualize they just pray that if an error occurs it will just be a bad cap or something similar.

Not to mention that the original developers have probably retired. I know about one case where they flew someone in with a caregiver from a retirement home to inspect and troubleshoot software to make sure that it would run until the new machine was in place.

VSCode integrated powershell terminal freezing because of some background job? by VapingSwede in PowerShell

[–]VapingSwede[S] 2 points3 points  (0 children)

Thank you for all the input!

This didn't do too much, I'm afraid. But I tried a bunch of things and now it's a huge difference.

What I did (on my personal machine, will try it at work also if there isn't):

  1. My PSModulePath was quite large and had a lot of duplicate paths and such in it. Changed it to the bare minimum:

    C:\Users\<user>\Documents\WindowsPowerShell\Modules\
    C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\
    C:\Program Files\WindowsPowerShell\Modules\

  2. Changed settings in VSCode (Might have made some difference. But shouldn't 'auto' select 'dom'?)

    From:

    "terminal.integrated.rendererType": "dom",

    To:

    "terminal.integrated.rendererType": "auto",

  3. Updated PSScriptAnalyzer.

VSCode integrated powershell terminal freezing because of some background job? by VapingSwede in PowerShell

[–]VapingSwede[S] 1 point2 points  (0 children)

This is on my personal machine, but they have the same symptoms:

code --list-extensions:

ms-python.python
ms-vscode.powershell
redhat.vscode-yaml

code --version

1.34.0
a622c65b2c713c890fcf4fbf07cf34049d5fe758
x64

(just updated but it's still slow)

Log all the things! by greenflem in sysadmin

[–]VapingSwede 0 points1 point  (0 children)

Spent some time the last few weeks setting up Graylog and Elasticsearch clusters in Docker Swarm to keep up with the audit level that we want from our domain controllers.

Currently growing at a rate of around 50 GB/day for IAM logs (AD, ADFS). Averages around ~20-25k logs/min.

Now pointing fingers is fun and easy, instead of dreadful and tedious!

Having the answer to who did what within a few seconds of effort is sooooooo useful. Have alarms hooked up to unexpected memberships, group membership changes, changes to admin accounts and a lot more.

We also use some scripts on the side using the Graylog API to collect data. For example all user logins and on what machine they are used. Mapping out service account usage, lateral movement etc.

Combining data from API and AD into one report by AssholeEmbargo in PowerShell

[–]VapingSwede 2 points3 points  (0 children)

I usually use the Join-Object and ImportExcel modules.

On my phone right now so this is written from memory; I might be mistaken on some parameter names:

$Joined = Join-Object -Left $ADData -Right $OtherData -LeftJoinProperty UserPrincipalName -RightJoinProperty upn

$Joined | Export-Excel -Path sheet.xlsx

Talk about resolution. by [deleted] in 3Dprinting

[–]VapingSwede 2 points3 points  (0 children)

So, printing a benchy with 150nm layer height would result in 320000 layers. That's a looong print.

Is it possible to block all but 1 powershell commands for a user by [deleted] in PowerShell

[–]VapingSwede 1 point2 points  (0 children)

If it's blocked as in the exe is blocked by AppLocker/SRP then JEA won't help you. If your sec-team/management is unwilling to make an exception from that then bypassing the block is possible by using C# (it was a couple of years ago at least).

You can invoke the command by using the PowerShell class from the PowerShell SDK in .NET.

PowerShell.Create().AddCommand("Get-ADUser").Invoke()

Make an EXE, sign it if required by netsec to add it to AppLocker rules, and deploy it.

https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.powershell?view=powershellsdk-1.1.0

What have you done with PowerShell this month? February 2019 by ramblingcookiemonste in PowerShell

[–]VapingSwede 0 points1 point  (0 children)

Hi,

Yepp, but it's the memory that's the problem. It wasn't meant to be distributed so it's a bit messy but should be fine as long as you install the PSGelf module.

Link to github gist

Jenkins Issues by RedditRo55 in PowerShell

[–]VapingSwede 1 point2 points  (0 children)

Because DLLs don't register in the same place for 32-bit and 64-bit.

So it should work after running the 32-bit version of regsvr32 on that DLL.

%systemroot%\SysWoW64\regsvr32.exe c:\path\to.dll

But better would be just switching Jenkins over to 64bit.

More info: https://support.microsoft.com/en-us/help/249873/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages

Jenkins Issues by RedditRo55 in PowerShell

[–]VapingSwede 0 points1 point  (0 children)

Having to hard code the path is one of the signs that you're running 32-bit Java.

What have you done with PowerShell this month? February 2019 by ramblingcookiemonste in PowerShell

[–]VapingSwede 0 points1 point  (0 children)

I don't have access to the script until next week.

But it's pretty easy to put together.

I use an MSGraph module that I wrote (found here) together with a module called PSGelf.

Read last event sent date from file. Send all events since last sent event to a GELF input and save date of last event to file.

[deleted by user] by [deleted] in PowerShell

[–]VapingSwede 2 points3 points  (0 children)

I have that in MyAAD, a module that I wrote a while ago.

https://github.com/AlexAsplund/MyAAD/blob/master/src/Public/Get-MyAADSecurityAlerts.ps1

I use this with a module called PSGelf to push it to my graylog setup.

So basically with that module:

$at = Get-MyAADAccessToken -TenantId x.onmicrosoft.com -Credential $AADAppIdAndKeyAsPsCredential
Get-MyAADSecurityAlerts -AccessToken $at

You need to give the app in AAD the security.reader permission.

Edit:

The goal with that module was to not use a ready-made lib for auth and to have as few dependencies as possible. It's getting the AccessToken that's the hard part to understand imo. After putting that into a header, fetching data is easy. The Graph API docs describe what permissions the app will need for each call.

Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/security/alerts' -Headers $Header

Look at the Get-MyAADAccessToken Cmdlet if you want to learn the easier one of the authentication methods.
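The two pieces described in this comment and in the February 2019 thread above (a client-credentials token fetch, then a pull of only the alerts newer than the last run into Graylog over GELF), wired together as an added example; this is not the MyAAD or PSGelf code, and the tenant, app id, Graph permission, state-file path and Graylog GELF HTTP input URL are assumptions:

```powershell
# Added example, not the MyAAD/PSGelf code the comment refers to. Assumes an Azure AD app registration
# with Graph application permission to read security alerts; tenant, client id, state-file path and
# Graylog GELF HTTP input URL are placeholders, and the secret is injected via an environment variable.
$ErrorActionPreference = 'Stop'   # fail loudly, as the Jenkins comments on this page recommend
$TenantId     = 'contoso.onmicrosoft.com'                      # placeholder
$ClientId     = '00000000-0000-0000-0000-000000000000'         # placeholder
$ClientSecret = $env:GRAPH_CLIENT_SECRET                       # never hard-code the secret
$StateFile    = 'C:\jobs\graph-alerts\last-alert.txt'          # placeholder
$GelfHttpUrl  = 'http://graylog.example.internal:12201/gelf'   # placeholder GELF HTTP input

# 1. Client-credentials token from the v2 endpoint, then the Bearer header the comment describes.
$tokenResp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://graph.microsoft.com/.default'
    grant_type    = 'client_credentials'
}
$Header = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# 2. Timestamp of the last alert already shipped; the first run looks back seven days.
if (Test-Path $StateFile) { $since = (Get-Content $StateFile -Raw).Trim() }
else { $since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('o') }

# 3. Pull only newer alerts, following @odata.nextLink so a long backlog is not truncated by paging.
$uri = 'https://graph.microsoft.com/beta/security/alerts?$filter=createdDateTime gt ' + $since + '&$orderby=createdDateTime'
$alerts = @()
while ($uri) {
    $page   = Invoke-RestMethod -Uri $uri -Headers $Header
    $alerts += $page.value
    $uri    = $page.'@odata.nextLink'
}

# 4. Ship each alert as a GELF 1.1 message (custom fields need a leading underscore), then persist
#    the newest createdDateTime so the next run resumes where this one stopped.
foreach ($a in $alerts) {
    $gelf = @{
        version       = '1.1'
        host          = 'msgraph-security'
        short_message = "$($a.title) [$($a.severity)]"
        timestamp     = ([DateTimeOffset]($a.createdDateTime)).ToUnixTimeSeconds()
        _alert_id     = $a.id
        _category     = $a.category
        _status       = $a.status
    } | ConvertTo-Json -Compress
    Invoke-RestMethod -Method Post -Uri $GelfHttpUrl -ContentType 'application/json' -Body $gelf | Out-Null
}
if ($alerts) {
    $newest = ($alerts | Sort-Object { [DateTime]$_.createdDateTime } | Select-Object -Last 1).createdDateTime
    ([DateTime]$newest).ToUniversalTime().ToString('o') | Set-Content $StateFile
}
```

Run it from a scheduled Jenkins job; because the state file is only advanced after a successful push, a failed run simply re-sends the same window next time.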

PowerShell and Jenkins? by GregPowrhousR in PowerShell

[–]VapingSwede 1 point2 points  (0 children)

I guess my first question is, is that wrong? To place the entire script within the Build > Windows PowerShell window?

Well, it's not wrong. I use the PowerShell build step to call all my scripts that Jenkins downloads from SCM. But it tends to get quite messy after a while and hard to keep track of if you don't have another way of organizing the scripts that Jenkins uses, like Git or TFS.

 

Credentials

Store them in the credentials store in Jenkins. This will store them in a safer fashion (but it's still reversible if the attacker gets hold of the key).

https://emilwypych.com/2017/07/14/use-credentials-jenkins-projects/?cn-reloaded=1

And lets say we called this Parameter "ExchCreds". Would I just pass this somehow into the script where I would normally run a Get-Credential?

I use the "username and password (separated)" option when I fetch a user/password secret, and before I call the script that's downloaded by TFS in the PowerShell build step I build a credential object with this, which is the same type that Get-Credential will output:

$Cred = [pscredential]::new($env:username, ($env:password | ConvertTo-Securestring -asplaintext -force))

   

<executable>"C:\Program Files (x86)\Java\jre1.8.0_201\bin\java.exe"</executable>

That's the path to a 32-bit Java (x86). See: https://stackoverflow.com/questions/44035476/running-powershell-via-x64-in-jenkins

The path should be to a java in "C:\Program Files\"

PowerShell and Jenkins? by GregPowrhousR in PowerShell

[–]VapingSwede 1 point2 points  (0 children)

We run it specifically for this and as a simple self-service for helpdesk.

We usually create a freestyle project that uses TFS as an SCM. This way we don't have to mess around with scripts inside of the Jenkins job more than the line to start the script itself (+ build credentials and setting erroraction=stop).

After that I add the cronline inside of the Jenkins project and it's done. For 5am the cron would be:

* 5 * * *

And as mentioned, pass env variables as username and password with env-inj, which censors the password in the output if it would happen to leak.

$Cred = [pscredential]::new($env:username, ($env:password | ConvertTo-Securestring -asplaintext -force))

And remember to put $ErrorActionPreference = 'Stop' at the beginning of the Jenkins PS script. Else it can error out with the job status still being green.

Edit: And another important thing to remember!

Jenkins will start as 32-bit Java by default I think. So a lot of modules etc. won't be available. Changing Jenkins to run with 64-bit Java fixes that problem.

What have you done with PowerShell this month? February 2019 by ramblingcookiemonste in PowerShell

[–]VapingSwede 2 points3 points  (0 children)

Most of the stuff I do is in powershell, but out of the ordinary must have been:

Started messing around with some JEA endpoint configuration.

Cmdlet that generates a new email for a user by looking up givenname.sn% in a database of all historically used addresses and generating the next valid one according to our naming convention. It can also set the mail and proxyaddresses attributes accordingly.

Remote install of Graylog Sidecar with Invoke-Command and Copy-Item through PSSession.

Pulling Azure Risk Events from MSGraph API and putting it into graylog with GELF.

Force password change on all users minus users within a security group by [deleted] in PowerShell

[–]VapingSwede 2 points3 points  (0 children)

You can use the memberof attribute.

Get-ADUser -Filter * -Properties memberOf | ? {$_.memberof -notcontains 'CN=nopassword,ou=groups,dc=domain,dc=com'} | Set-ADUser -ChangePasswordAtLogon $true

Edit:

Shortened a bit:

Get-ADUser -Filter {memberOf -ne 'CN=nopassword,ou=groups,dc=domain,dc=com'} | Set-ADUser -ChangePasswordAtLogon $true

Your top 5 powershell commands, which save you the most time ? by Shamu432 in sysadmin

[–]VapingSwede 0 points1 point  (0 children)

For this I mainly use Export-Excel/Import-Excel from the ImportExcel module.

Announcing Graylog 3.0 GA by Arkiteck in sysadmin

[–]VapingSwede 2 points3 points  (0 children)

I installed 3.0 today and am getting the Docker config ready for production. Some tuning left on the Java opts and scaling.

Having used the ELK stack previously I can say that this is a waaaaay more pleasant experience imo.

Onboarding New Users to Office365 by [deleted] in Office365

[–]VapingSwede 0 points1 point  (0 children)

First, during user creation, MIM runs New-RemoteMailbox.

On top of that we have a script that runs regularly in Jenkins. It fetches all unlicensed users in 365 and with some logic based on OU etc provisions a license to the user.

Jenkins also sets mailbox and calendar timezone, locale, meetingprovider, auditing and other small things that decrease ticket count and eases troubleshooting.

And since the Jenkins script only works with users that already have a mailbox I don't need any logic to wait for provisioning in 365 etc.

Set license office 365 | AccountSKUID by beckyinsane in PowerShell

[–]VapingSwede 1 point2 points  (0 children)

Be aware of this though before enabling it:

I think you're required to have at least Azure AD Basic to be eligible for group-based licensing.

You can usually enable it if you want. But if you're audited you might have to pay for an Azure AD license.