Fabian Bader f-bader
f-bader
/ FindMissingFirstPartyAppIds.kql
Created
January 7, 2025 08:43
Find missing first party Microsoft based on WorkloadIdentityInfo - Create a pull request to help https://github.com/merill/microsoft-info/blob/main/customdata/OtherMicrosoftApps.csv
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let 1stPartyMicrosoftAppIds = externaldata (AppId: string, AppDisplayName: string, AppOwnerOrganizationId: string, Source: string)[ | |
| "https://raw.githubusercontent.com/merill/microsoft-info/main/_info/MicrosoftApps.csv" | |
| ] with(format="csv", ignoreFirstRecord=true); | |
| _GetWatchlist('WorkloadIdentityInfo') | |
| | where AppOwnerTenantId in ("f8cdef31-a31e-4b4a-93e4-5f571e91255a", "72f988bf-86f1-41af-91ab-2d7cd011db47") | |
| | summarize by tostring(AppId), tostring(AppDisplayName), tostring(AppOwnerTenantId) | |
| | join kind=leftanti (1stPartyMicrosoftAppIds) on AppId | |
| | extend Source ="GitHub" | |
| | project AppId, AppDisplayName, AppOwnerOrganizationId=AppOwnerTenantId, Source |
f-bader
/ GetTracelogProviderSecurity.ps1
Created
January 3, 2025 19:03
— forked from olafhartong/GetTracelogProviderSecurity.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### USAGE: | |
| ### | |
| ### GetTracelogProviderSecurity.ps1 (to get all provider info) | |
| ### | |
| ### GetTracelogProviderSecurity.ps1 -ProviderName f2e68291-2367-5d51-3488-46f7a0e3f2cf | |
| ### (to get the info for 1 provider guid) | |
| ## | |
| # | |
| # Provider: f2e68291-2367-5d51-3488-46f7a0e3f2cf | |
| # Control Flags: 45076 |
f-bader
/ docker-compose.yml
Created
October 13, 2024 18:12
Tailscale + Pihole completely containerized with docker compose
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| services: | |
| tailscale-pihole: | |
| image: tailscale/tailscale | |
| container_name: tailscale | |
| hostname: tailscale-pihole | |
| restart: unless-stopped | |
| environment: | |
| - TS_STATE_DIR=/var/lib/tailscale | |
| - TS_AUTHKEY=tskey-auth- | |
| cap_add: |
f-bader
/ GetAllRegisterdaaGuids.ps1
Last active
April 14, 2024 19:46
List all AAGUIDs in an Entra ID / Azure AD tenant
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # looking for a all in one solution? | |
| # https://github.com/f-bader/EntraIDPasskeyHelper | |
| Connect-MGGraph -UseDeviceAuthentication -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" | |
| $NextUri = "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$filter=methodsRegistered/any(x:x eq 'passKeyDeviceBound')" | |
| do { | |
| $Result = Invoke-MgGraphRequest -Uri $NextUri | |
| $NextUri = $Result['@odata.nextLink'] | |
| $ReturnValue += $Result['value'] |
f-bader
/ Get-Guid.ps1
Created
October 12, 2023 17:25
— forked from azurekid/Get-Guid.ps1
PowerShell function to create a GUID from a string value
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Generates a GUID from a given string value using MD5 hashing. | |
| .PARAMETER Value | |
| The string value to generate a GUID from. | |
| .EXAMPLE | |
| Get-Guid -Value "example string" | |
| Returns a GUID generated from the string "example string". |
f-bader
/ HuntForCVE-2023-38545.kql
Last active
October 12, 2023 09:09
CVE-2023-38545 detection based on usage of curl process and TVM data in MDE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // List all devices that have curl installed or use curl. | |
| let ProcessBasedDevices = DeviceProcessEvents | |
| | where Timestamp > ago(30d) | |
| | where ProcessCommandLine has "curl" and FileName != "SenseNdr.exe" | |
| | extend Method = "Process" | |
| | summarize by DeviceId, DeviceName, Method; | |
| let TVMBasedDevices = DeviceTvmSoftwareInventory | |
| | where SoftwareName has "curl" | |
| | extend Method = "Software Inventory" | |
| | project DeviceId, DeviceName, Method, SoftwareName, SoftwareVersion, SoftwareVendor; |
f-bader
/ 2022 Top Routinely Exploited Vulnerabilities.csv
Created
August 21, 2023 20:34
2022 Top Routinely Exploited Vulnerabilities - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
We can make this file beautiful and searchable if this error is corrected: No commas found in this CSV file in line 0.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CveId | |
| CVE-2018-13379 | |
| CVE-2021-34473 | |
| CVE-2021-31207 | |
| CVE-2021-34523 | |
| CVE-2021-40539 | |
| CVE-2021-26084 | |
| CVE-2021-44228 | |
| CVE-2022-22954 | |
| CVE-2022-22960 |
f-bader
/ OneLiner.ps1
Created
August 17, 2023 06:33
Delete all branches excpect main using Powershell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| git branch | Select-String -NotMatch -Pattern "main" | % {$branch = $_ -replace '\s'; git branch -D $branch } |
f-bader
/ HuntForMidnightBlizzard.kql
Last active
August 7, 2023 13:58
Hunting query for Midnight Blizzard based on the IoCs from https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| OfficeActivity | |
| | where TimeGenerated > ago(90d) | |
| | where UserId has_any ("msftprotection","identityVerification","accountsVerification","azuresecuritycenter","teamsprotection") and UserId has "onmicrosoft" | |
| | summarize by UserId |
f-bader
/ gist:d7e2371d5d5760b427697b7464e72cb1
Created
December 12, 2021 12:39
Detection for exploitation and old TGT usage
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| CVE-2021-42287 - Authentication updates | |
| CVE-2021-42278 - Active Directory Security Accounts Manager hardening changes | |
| This updates introduced additional Event Ids to monitor. | |
| Use this script to check every domain controller for those eventIds | |
| #> | |
| $EventIds = @{ | |
| 35 = "PAC without attributes" | |
| 36 = "Ticket without a PAC" | |
| 37 = "Ticket without Requestor" |
NewerOlder