Add some simple server scripts

blue-team/windows/dumb/backupCommonFolders.ps1

@@ -0,0 +1,51 @@
+# Backup common folders
+
+# Make TempLogs directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs")){
+    New-Item -Path "C:\Windows\TempLogs" -ItemType Directory
+}
+
+# Make backup directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs\backup")){
+    New-Item -Path "C:\Windows\TempLogs\backup" -ItemType Directory
+}
+
+# Try to save http files
+try{
+    Copy-Item -Path "C:\inetpub\wwwroot\*" -Destination "C:\Windows\TempLogs\backup\"
+}
+catch{
+    Write-Host "Could not save http files"
+}
+
+# Try to save ftp files
+try{
+    Copy-Item -Path "C:\inetpub\ftproot\*" -Destination "C:\Windows\TempLogs\backup\"
+}
+catch{
+    Write-Host "Could not save ftp files"
+}
+
+# Try to save dns files
+try{
+    Copy-Item -Path "C:\Windows\System32\dns\*" -Destination "C:\Windows\TempLogs\backup\"
+}
+catch{
+    Write-Host "Could not save dns files"
+}
+
+# Try to save dhcp files
+try{
+    Copy-Item -Path "C:\Windows\System32\dhcp\*" -Destination "C:\Windows\TempLogs\backup\"
+}
+catch{
+    Write-Host "Could not save dhcp files"
+}
+
+# Try to save iis files
+try{
+    Copy-Item -Path "C:\Windows\System32\inetsrv\*" -Destination "C:\Windows\TempLogs\backup\"
+}
+catch{
+    Write-Host "Could not save iis files"
+}

blue-team/windows/dumb/changeAllPassword.ps1

@@ -0,0 +1,26 @@
+# Changes all domain user passwords to a template password
+
+Import-module activedirectory
+
+# Disable password complexity
+
+secedit /export /cfg C:\securityPolicy.cfg
+(Get-Content C:\securityPolicy.cfg).replace("PasswordComplexity = 1","PasswordComplexity = 0") | Out-File C:\securityPolicy.cfg
+secedit /configure /db C:\windows\security\local.sdb /cfg C:\securityPolicy.cfg /areas SECURITYPOLICY
+rm -force C:\securityPolicy.cfg -confirm:$false
+
+$template = read-host "Enter template password postfix"
+
+foreach ($user in (Get-ADUser -Filter *)){
+    $newPassword = $user.samaccountname + $template
+    $user | Set-ADAccountPassword -NewPassword (ConvertTo-SecureString -AsPlainText $newPassword -Force) -Reset
+    $user | Set-ADUser -ChangePasswordAtLogon $true
+    Write-Host "Changed password for user" $user.samaccountname
+}
+
+# Enable password complexity
+
+secedit /export /cfg C:\securityPolicy.cfg
+(Get-Content C:\securityPolicy.cfg).replace("PasswordComplexity = 0","PasswordComplexity = 1") | Out-File C:\securityPolicy.cfg
+secedit /configure /db C:\windows\security\local.sdb /cfg C:\securityPolicy.cfg /areas SECURITYPOLICY
+rm -force C:\securityPolicy.cfg -confirm:$false

blue-team/windows/dumb/exportDNS.ps1

@@ -0,0 +1,21 @@
+# Export DNS zones to be imported later
+
+# Make TempLogs directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs")){
+    New-Item -Path "C:\Windows\TempLogs" -ItemType Directory
+}
+
+# Make DNS directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs\dns")){
+    New-Item -Path "C:\Windows\TempLogs\dns" -ItemType Directory
+}
+
+$zones = Get-DNSServerZone
+foreach ($zone in $zones){
+    Write-Host "Exporting zone" $zone.ZoneName
+    $exportname = $zone.ZoneName + ".bak"
+    Export-DnsServerZone $zone.ZoneName $exportname
+    $backuppath = "C:\Windows\System32\dns\" + $exportname
+    $destination = "C:\Windows\TempLogs\dns\" + $exportname
+    Copy-Item $backuppath $destination
+}

blue-team/windows/dumb/getDomainUsers.ps1

@@ -0,0 +1,13 @@
+# Get all users from AD and export to CSV file
+
+# Make TempLogs directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs")){
+    New-Item -Path "C:\Windows\TempLogs" -ItemType Directory
+}
+
+# Make userlist directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs\userlist")){
+    New-Item -Path "C:\Windows\TempLogs\userlist" -ItemType Directory
+}
+
+Get-ADUser -Filter * | Export-Csv -Path "C:\Windows\TempLogs\userlist\domainUsers.csv" -NoTypeInformation

blue-team/windows/dumb/getPrevSignIn.ps1

@@ -0,0 +1,31 @@
+# Get previous sign in success and failure events from domains
+
+# Find DC list from Active Directory
+$DCs = Get-ADDomainController -Filter *
+
+# Define time for report (default is 1 day)
+$startDate = (get-date).AddDays(-1)
+
+$incre = 0
+$incre2 = 0
+# Store successful logon events from security logs with the specified dates and workstation/IP in an array
+foreach ($DC in $DCs){
+$slogonevents = Get-Eventlog -LogName Security
+
+# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely
+
+  foreach ($e in $slogonevents){
+    # Logon Successful Events
+    # Local (Logon Type 2)
+    if (($e.EventID -eq 4624 ) ){
+      write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
+$global:incre++
+    }
+    if (($e.EventID -eq 4625 ) ){
+      write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Failure`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
+$global:incre2++
+    }
+    }}
+
+Write-host "Total Successful Logons: $incre"
+Write-host "Total Failed Logons: $incre2"

blue-team/windows/dumb/getUsersAndAdminList.ps1

@@ -0,0 +1,31 @@
+# Get list of users and admins
+
+# Make TempLogs directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs")){
+    New-Item -Path "C:\Windows\TempLogs" -ItemType Directory
+}
+
+# Make userlist directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs\userlist")){
+    New-Item -Path "C:\Windows\TempLogs\userlist" -ItemType Directory
+}
+
+$admins = Get-LocalGroupMember -Group "Administrators"
+$output = "C:\Windows\TempLogs\userlist\admins.txt"
+$output2 = "C:\Windows\TempLogs\userlist\users.txt"
+Clear-Content $output
+Clear-Content $output2
+foreach ($admin in $admins){
+	Add-Content $output $admin
+}
+Get-Content $output
+notepad.exe $output
+
+
+$users = (-Split ((Out-String -InputObject (net user)) -replace "The command completed successfully\.","" -replace "-*","" -replace "User accounts .*",""))
+foreach ($user in $users){
+	# Write-Output $user
+	Add-Content $output2 $user
+}
+Get-Content $output2
+notepad.exe $output2

blue-team/windows/dumb/importDNS.ps1

@@ -0,0 +1,11 @@
+# Move dns backup files back to System32\dns
+
+$zones = Get-ChildItem -Path "C:\Windows\TempLogs\dns\"
+foreach ($zone in $zones){
+    $backuppath = "C:\Windows\TempLogs\dns\" + $zone
+    $destination = "C:\Windows\System32\dns\" + $zone
+    $zonename = $zone -replace ".bak",".dns"
+    Write-Host "Importing zone" $zonename
+    Copy-Item $backuppath $destination
+    Rename-Item $destination $zonename
+}

blue-team/windows/dumb/simpleHarden.ps1

@@ -0,0 +1,82 @@
+# Simple hardening
+
+# Make TempLogs directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs")){
+    New-Item -Path "C:\Windows\TempLogs" -ItemType Directory
+}
+
+# Make userlist directory if it doesn't exist
+if (!(Test-Path -Path "C:\Windows\TempLogs\userlist")){
+    New-Item -Path "C:\Windows\TempLogs\userlist" -ItemType Directory
+}
+
+disable-windowsoptionalfeature -online -featureName rasrip
+disable-windowsoptionalfeature -online -featureName WindowsMediaPlayer
+disable-windowsoptionalfeature -online -featureName SimpleTCP
+disable-windowsoptionalfeature -online -featureName SNMP
+disable-windowsoptionalfeature -online -featureName TelnetClient
+disable-windowsoptionalfeature -online -featureName SMB1Protocol
+$stopservices = @(
+"Spooler"
+"iprip"
+"SNMPTRAP"
+"SSDPSRV"
+"TapiSrv"
+"telnet"
+"lfsvc"
+"MapsBroker"
+"NetTcpPortSharing"
+"XblAuthManager"
+"XblGameSave"
+"XboxNetApiSvc"
+"RpcLocator"
+)
+foreach ($service in $stopservices) {
+    Write-Output "Trying to disable $service"
+    Get-Service -Name $service | Set-Service -StartupType Disabled
+    Stop-Service -Force $service
+}
+$startservices = @(
+"WSearch"
+"MpsSvc"
+"EventLog"
+"Wuauserv"
+"WinDefend"
+"WdNisSvc"
+)
+foreach ($service in $startservices) {
+    Write-Output "Trying to enable $service"
+    Set-Service $service -StartupType Automatic
+    Start-Service $service
+}
+
+Set-ADUser -Identity "tseug" -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false -AllowReversiblePasswordEncryption $false
+Disable-ADACcount -Identity "tseug"
+Set-ADUser -Identity "nimda" -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false -AllowReversiblePasswordEncryption $false
+Disable-ADACcount -Identity "nimda"
+Set-ADUser -Identity "DefaultAccount" -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false -AllowReversiblePasswordEncryption $false
+Disable-ADACcount -Identity "DefaultAccount"
+
+$groups = ""
+# Get all groups and members of each group
+foreach ($group in (Get-ADGroup -Filter *)){
+    $groups += $group.Name + ":`n"
+    foreach ($member in (Get-ADGroupMember -Identity $group.Name)){
+        $groups += $member.Name + "`n"
+    }
+    $groups += "`n"
+}
+$output = "C:\Windows\TempLogs\userlist\groups.txt"
+Clear-Content $output
+Add-Content $output $groups
+Get-Content $output
+notepad.exe $output
+
+
+NetSh Advfirewall set allprofiles state on
+Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True 
+auditpol /set /category:* /success:enable /failure:enable
+Set-MpPreference -DisableRealtimeMonitoring $false
+
+# Get all users from AD and export to CSV file
+Get-ADUser -Filter * | Export-Csv -Path domainUsers.txt -NoTypeInformation