- Microsoft XDR Hunting Query – Events from Suspicious IP Address
This script allows you to view events that occurred from a suspicious IP address. I generally use this script when investigating alerts regarding Password Spray Attacks, Anonymous IP Address or Atypical Travel. Changing the timestamp allows you to view a larger time frame. let ip = "Insert IP ADDRESS"; search in (IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents, EmailEvents, UrlClickEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceLogonEvents, DeviceEvents, BehaviorEntities, CloudAppEvents, AADSpnSignInEventsBeta, AADSignInEventsBeta) Timestamp between (ago(7d)…
- Microsoft XDR Hunting Query – Local Accounts
This is a script I run periodically to hunt down any local accounts on organisational devices. It returns the device name, the names of the local accounts with admin and the number of accounts present on the device. Removing the timestamp and adjusting the timestamp manually allows you to narrow down when the account…
- Microsoft XDR Hunting Query – Email Threats
This KQL script provides graphical analysis of email threats in your environment. It uses EmailAction to identify ThreatTypes such as Malware, Phish and Quarantine. It then shows you graphically how many email threats are present, and you can use the time parameter to adjust the timespan. let Threshold = 50; EmailEvents | where EmailAction ==…
- Fog Project – Capture and Deployment
This document outlines a basic process for capturing an image from a host PC and deploying it to a different PC on the network. You must ensure that network boot is at the top of the boot sequence in order to allow the PC(s) to find the Fog Server when capturing and deploying. For…
- Active Directory OU Export to CSV File
This command will allow you to export a list of devices in specific OUs to a CSV file. Open PowerShell as an Administrator and run this command: Get-ADComputer -SearchScope Subtree -SearchBase "OU=Room,OU=Building,OU=Staff,OU=Workstations,DC=Domain,DC=co,DC=uk" -Filter * -Properties Name | Export-Csv -Path "c:\Exported_Device_List.csv" You will need to specify the properties of the OU you want to export. The…
- Active Directory Basics
This is only a short list of basics that I use to navigate around Active Directory and administer machines on a daily basis. Working with Active Directory can be confusing if you don't know your way round your domain, so it's best to stay away from areas you do not administer. Searching for an Asset…
- Jamf – Management Commands Stuck as Pending
If a device has pending commands in the Management tab, type: sudo profiles renew -type enrollment This solves issues with configuration profiles and policies not coming down to devices. Once the command has executed you can run: sudo jamf recon This will then immediately pull down any policies or configuration profiles that are pending and…
- PowerShell Script to Restart Multiple Computers
Here's an example of a PowerShell script that can be used to restart multiple computers: # Define the list of computers to restart (Parameters) $Computers = @("Computer1", "Computer2", "Computer3") # Loop through each computer and restart it foreach ($Computer in $Computers) { Write-Host "Restarting computer: $Computer"; Restart-Computer -ComputerName $Computer -Force } In this script, you need to define an array of computer…
- PowerShell Script to Create a New User
Here's an example of a PowerShell script that can be used to create a new local user: # Define the user details (Parameters) $Username = "newuser"; $Password = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force; $FullName = "New User"; $Description = "This is a new user account." # Create a new user New-LocalUser -Name $Username -Password $Password -FullName $FullName -Description $Description -PasswordNeverExpires Add the…
- Mac OS Fundamentals
This page provides a cheat sheet for macOS. I use these commands regularly when testing, installing and developing solutions on macOS projects. File & Directory Commands Command Description defaults write com.apple.Finder AppleShowAllFiles true && killall Finder Enable the setting to view hidden files in Finder from the CLI ls Lists directory contents. ls -l…
- Jamf Patch Management (Simplified)
The first step in the patch management process is to create a package that will install silently without any prompts. You need to initially run the file (.dmg or .pkg) to see how the software installation process works. This policy defines the parameters and scope of the installation. Test any new policy on a Mac…
- How to install and run Pentaho Desktop Applications
Prerequisites – Installation of Java JRE 1.8.0_361 and JDK-17.0.2. Firstly, you need to download the relevant desktop applications (Data Integration, Report Designer, Schema Workbench) and the server application from: https://www.hitachivantara.com/en-us/products/dataops-software/data-integration-analytics/pentaho-community-edition.html (Note: download the .zip versions of each application.) Extract them to the desktop and copy them to a deployment share if you intend to deploy…
