A lot of MSPs use the B-Series VMs for tasks, and why woulnd’t you? It are cheap VMs that allow you to use azure as a cost effective solution for clients. The B-Series VM are “burstable” VMs, meaning they don’t get the full CPU performance constantly.
The description of Microsoft explains it best:
The B-series burstable VMs are ideal for workloads that do not need the full performance of the CPU continuously, like web servers, small databases and development and test environments. These workloads typically have burstable performance requirements. The B-Series provides these customers the ability to purchase a VM size with a price conscience baseline performance that allows the VM instance to build up credits when the VM is utilizing less than its base performance. When the VM has accumulated credit, the VM can burst above the VM’s baseline using up to 100% of the CPU when your application requires the higher CPU performance.
This is of course great for smaller servers such as domain controllers, small RemoteApp machines or generic low performance VMs, but you do need to pay attention that you don’t run out of “credits” when performance is required.
So let’s start alerting on B-Series VMs that are running out of steam. Full disclosure and credit where it’s due: A part of this script was shared with me by Andrew Cullen of Lanter Technologies, thanks for that Andrew!
The script
This script checks all the subscriptions for each VM that is in the B-series, from there on we check the current credits remaining and alert on it if those get under 90.
To fix this, you could temporarily upscale the VM to a larger series which gives you new credits, or move tasks to different VM’s if it happens a lot. This will most likely also help in the “why is my VM suddenly so slow” scenarios 😉
We’re using the secure application model and Azure Lighthouse for these tasks, as such you can load these scripts into any RMM system that is able to handle credentials securely.
So this blog is actually two blogs all wrapped into one lovely package; I’m going to be showing you how to setup Azure Lighthouse, giving you the ability to manage your clients from your own partner portal, or via PowerShell.
I’m also going to demonstrate how to document VMs in both a local HTML file and IT-Glue. So, lets get started shall we?
Setting up Azure Lighthouse
Azure Lighthouse is a method of getting delegated access to the Azure Subscriptions your client has. If you’re a T2 CSP you’ll need to set this up by hand. You could create a package in the partner portal and have users click on that package from within Azure but that is hardly automated. 😉
To use the script below, you’ll have to log in with the credentials that have access to the clients subscription. The script makes the “AdminAgents” which is the Partner Administrators group “Contributor” in the Azure Portal of the client.
We have a reminder for our billing department that this script needs to run when adding a subscription, that way we never miss getting delegate access to our clients.
$MSPName = "Your Good MSP"
$MSPOffering = "Managed Azure by Good MSP"
$TenantID = "YourTentnantID" #Find this in the Azure Portal -> Azure AD -> Tenant ID
$AdminAgentsID = "YourUserGroupID" #Find this in the Azure Portal -> Azure AD -> Groups -> Look for AdminAgents -> Object ID
$Location = "westeurope" #Enter your Azure Location here.
@"
{
"`$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mspName": {
"type": "string",
"metadata": {
"description": "Specify the Managed Service Provider name"
}
},
"mspOfferDescription": {
"type": "string",
"metadata": {
"description": "Name of the Managed Service Provider offering"
}
},
"managedByTenantId": {
"type": "string",
"metadata": {
"description": "Specify the tenant id of the Managed Service Provider"
}
},
"authorizations": {
"type": "array",
"metadata": {
"description": "Specify an array of objects, containing tuples of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers."
}
}
},
"variables": {
"mspRegistrationName": "[guid(parameters('mspName'))]",
"mspAssignmentName": "[guid(parameters('mspName'))]"
},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationDefinitions",
"apiVersion": "2019-06-01",
"name": "[variables('mspRegistrationName')]",
"properties": {
"registrationDefinitionName": "[parameters('mspName')]",
"description": "[parameters('mspOfferDescription')]",
"managedByTenantId": "[parameters('managedByTenantId')]",
"authorizations": "[parameters('authorizations')]"
}
},
{
"type": "Microsoft.ManagedServices/registrationAssignments",
"apiVersion": "2019-06-01",
"name": "[variables('mspAssignmentName')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
],
"properties": {
"registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
}
}
],
"outputs": {
"mspName": {
"type": "string",
"value": "[concat('Managed by', ' ', parameters('mspName'))]"
},
"authorizations": {
"type": "array",
"value": "[parameters('authorizations')]"
}
}
}
"@ | Out-File "rgDelegatedResourceManagement.json"
@"
{
"`$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mspName": {
"value": "$MSPName"
},
"mspOfferDescription": {
"value": "$MSPOffering"
},
"managedByTenantId": {
"value": "$TenantID"
},
"authorizations": {
"value": [
{
"principalId": "$AdminAgentsID",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalIdDisplayName": "AdminAgents"
}
]
}
}
}
"@ | out-file 'rgDelegatedResourceManagement.parameters.json'
Connect-AzAccount
$Subs = Get-AzSubscription
foreach ($sub in $subs) {
Set-AzContext -Subscription $sub.id
New-AzDeployment -Name LightHouse -Location $location -TemplateFile "rgDelegatedResourceManagement.json" -TemplateParameterFile "rgDelegatedResourceManagement.parameters.json" -Verbose
}
As always I’ve prepped two version; one plain HTML, and one for IT-Glue. The HTML versions uses PsWriteHTML to create a nice looking page. The IT-Glue version creates the flexible asset for you.
Before we do that though, execute the following code to allow your Secure Application Model to access Azure:
And that’s it, this will document your Azure VMs for you. Next time we’ll focus on other resources and resource groups. As always, Happy PowerShelling.
Special thanks on this blog go to Andrew Cullen whom helped me figure out some Azure Secure App Model issues I was encountering. 🙂
A while back someone asked me to convert a script they had to the Secure Application Model. This specific script checked the Office 365 audit log IPs against a online database of locations. I declined at first and suggested it to look into Microsoft 365, a P1 or P2 subscription which allows you to do this native.
The reader came back to me recently asking once more, and giving a explanation on why P1/P2 or M365 was not possible in her case. I understand that sometimes you might have to make due with what you have. I also figured others might be in the same boat.
So this script is made to monitor the O365 unified audit log and to compare the IP addresses to a database online. The database she used previously was very rate-limited and as such not really suitable. Not a lot of people know that there actually is a great 100% free online lookup service for IPs at https://ip2c.org/. The script uses that database as there are no API limitations. 🙂
As always, I’d like to note that this should just be one layer in your entire security model and you should not put all your faith in this. Enable MFA, and keep good security hygiene.
The Script
You’ll need the Secure Application Model for this script. The script currently checks all your tenants except the ones you state in “$Skiplist”.
A couple of years ago Eliot at GCITS wrote a great script to update the Office365 portal’s within IT-Glue. This script synced a lot of user information to IT-Glue and kept everything up to date if ran by a function.
I loved this script and have been using it pretty much since it’s inception. Some users recently contacted me and asked how to run this script with the Secure Application Model. Also there were some complaints that the script ran pretty slow. I didn’t really like directly modifying the script so I’ve decided to make a rewrite.
My version uses the Graph API to collect data. We also grab some more information such as mailboxes sizes, and the current multi-factor authentication state for the user.
As always, I’ve made two versions, one for IT-Glue, and one plain HTML version. A small difference in here is that I’ve decided to use the PSWriteHTML module. This is a great PowerShell module by Przemysław Kłys at Evotec that makes generating pretty html files a whole lot easier.
So the IT-Glue version creates the flexible asset for you, and then starts filling it with the data from O365. I’ve compared this version to the original one just to see if Graph was so much faster – and it is. The original version takes about 87 seconds per client. This version takes 17 seconds per client.
######### Secrets #########
$ApplicationId = 'ApplicationID'
$ApplicationSecret = 'AppSecret' | ConvertTo-SecureString -Force -AsPlainText
$TenantID = 'TenantID'
$RefreshToken = 'RefreshToken'
$UPN = "Upn-used-to-generate-tokens"
######### Secrets #########
################# IT-Glue Information ######################################
$ITGkey = "YOUR-ITG-APIKEY"
$ITGbaseURI = "https://api.eu.itglue.com"
$FlexAssetName = "Office365 - Portals"
$Description = "Office365 portal documentation."
################# /IT-Glue Information #####################################
write-host "Checking if IT-Glue Module is available, and if not install it." -ForegroundColor Green
#Settings IT-Glue logon information
If (Get-Module -ListAvailable -Name "ITGlueAPI") {
Import-module ITGlueAPI
}
Else {
Install-Module ITGlueAPI -Force
Import-Module ITGlueAPI
}
#Setting IT-Glue logon information
Add-ITGlueBaseURI -base_uri $ITGbaseURI
Add-ITGlueAPIKey $ITGkey
write-host "Getting IT-Glue contact list" -ForegroundColor Green
$i = 0
$AllITGlueContacts = do {
$Contacts = (Get-ITGlueContacts -page_size 1000 -page_number $i).data.attributes
$i++
$Contacts
Write-Host "Retrieved $($Contacts.count) Contacts" -ForegroundColor Yellow
}while ($Contacts.count % 1000 -eq 0 -and $Contacts.count -ne 0)
write-host "Generating unique ID List" -ForegroundColor Green
$DomainList = foreach ($Contact in $AllITGlueContacts) {
$ITGDomain = ($contact.'contact-emails'.value -split "@")[1]
[PSCustomObject]@{
Domain = $ITGDomain
OrgID = $Contact.'organization-id'
Combined = "$($ITGDomain)$($Contact.'organization-id')"
}
}
$DomainList = $DomainList | sort-object -Property Combined -Unique
write-host "Checking if Flexible Asset exists in IT-Glue." -foregroundColor green
$FilterID = (Get-ITGlueFlexibleAssetTypes -filter_name $FlexAssetName).data
if (!$FilterID) {
write-host "Does not exist, creating new." -foregroundColor green
$NewFlexAssetData =
@{
type = 'flexible-asset-types'
attributes = @{
name = $FlexAssetName
icon = 'sitemap'
description = $description
}
relationships = @{
"flexible-asset-fields" = @{
data = @(
@{
type = "flexible_asset_fields"
attributes = @{
order = 1
name = "Tenant name"
kind = "Text"
required = $true
"show-in-list" = $true
"use-for-title" = $true
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 2
name = "Tenant ID"
kind = "Text"
required = $true
"show-in-list" = $false
"use-for-title" = $false
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 3
name = "Verified Domains"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 4
name = "Admin Users"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
} , @{
type = "flexible_asset_fields"
attributes = @{
order = 5
name = "Licenses"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
} , @{
type = "flexible_asset_fields"
attributes = @{
order = 6
name = "Licensed Users"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
} , @{
type = "flexible_asset_fields"
attributes = @{
order = 7
name = "Unlicensed Users"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
}
)
}
}
}
New-ITGlueFlexibleAssetTypes -Data $NewFlexAssetData
$FilterID = (Get-ITGlueFlexibleAssetTypes -filter_name $FlexAssetName).data
}
#Account SKUs to transform to normal name.
$AccountSkuIdDecodeData = @{
"O365_BUSINESS_ESSENTIALS" = "Office 365 Business Essentials"
"O365_BUSINESS_PREMIUM" = "Office 365 Business Premium"
"DESKLESSPACK" = "Office 365 (Plan K1)"
"DESKLESSWOFFPACK" = "Office 365 (Plan K2)"
"LITEPACK" = "Office 365 (Plan P1)"
"EXCHANGESTANDARD" = "Office 365 Exchange Online"
"STANDARDPACK" = "Enterprise Plan E1"
"STANDARDWOFFPACK" = "Office 365 (Plan E2)"
"ENTERPRISEPACK" = "Enterprise Plan E3"
"ENTERPRISEPACKLRG" = "Enterprise Plan E3"
"ENTERPRISEWITHSCAL" = "Enterprise Plan E4"
"STANDARDPACK_STUDENT" = "Office 365 (Plan A1) for Students"
"STANDARDWOFFPACKPACK_STUDENT" = "Office 365 (Plan A2) for Students"
"ENTERPRISEPACK_STUDENT" = "Office 365 (Plan A3) for Students"
"ENTERPRISEWITHSCAL_STUDENT" = "Office 365 (Plan A4) for Students"
"STANDARDPACK_FACULTY" = "Office 365 (Plan A1) for Faculty"
"STANDARDWOFFPACKPACK_FACULTY" = "Office 365 (Plan A2) for Faculty"
"ENTERPRISEPACK_FACULTY" = "Office 365 (Plan A3) for Faculty"
"ENTERPRISEWITHSCAL_FACULTY" = "Office 365 (Plan A4) for Faculty"
"ENTERPRISEPACK_B_PILOT" = "Office 365 (Enterprise Preview)"
"STANDARD_B_PILOT" = "Office 365 (Small Business Preview)"
"VISIOCLIENT" = "Visio Pro Online"
"POWER_BI_ADDON" = "Office 365 Power BI Addon"
"POWER_BI_INDIVIDUAL_USE" = "Power BI Individual User"
"POWER_BI_STANDALONE" = "Power BI Stand Alone"
"POWER_BI_STANDARD" = "Power-BI Standard"
"PROJECTESSENTIALS" = "Project Lite"
"PROJECTCLIENT" = "Project Professional"
"PROJECTONLINE_PLAN_1" = "Project Online"
"PROJECTONLINE_PLAN_2" = "Project Online and PRO"
"ProjectPremium" = "Project Online Premium"
"ECAL_SERVICES" = "ECAL"
"EMS" = "Enterprise Mobility Suite"
"RIGHTSMANAGEMENT_ADHOC" = "Windows Azure Rights Management"
"MCOMEETADV" = "PSTN conferencing"
"SHAREPOINTSTORAGE" = "SharePoint storage"
"PLANNERSTANDALONE" = "Planner Standalone"
"CRMIUR" = "CMRIUR"
"BI_AZURE_P1" = "Power BI Reporting and Analytics"
"INTUNE_A" = "Windows Intune Plan A"
"PROJECTWORKMANAGEMENT" = "Office 365 Planner Preview"
"ATP_ENTERPRISE" = "Exchange Online Advanced Threat Protection"
"EQUIVIO_ANALYTICS" = "Office 365 Advanced eDiscovery"
"AAD_BASIC" = "Azure Active Directory Basic"
"RMS_S_ENTERPRISE" = "Azure Active Directory Rights Management"
"AAD_PREMIUM" = "Azure Active Directory Premium"
"MFA_PREMIUM" = "Azure Multi-Factor Authentication"
"STANDARDPACK_GOV" = "Microsoft Office 365 (Plan G1) for Government"
"STANDARDWOFFPACK_GOV" = "Microsoft Office 365 (Plan G2) for Government"
"ENTERPRISEPACK_GOV" = "Microsoft Office 365 (Plan G3) for Government"
"ENTERPRISEWITHSCAL_GOV" = "Microsoft Office 365 (Plan G4) for Government"
"DESKLESSPACK_GOV" = "Microsoft Office 365 (Plan K1) for Government"
"ESKLESSWOFFPACK_GOV" = "Microsoft Office 365 (Plan K2) for Government"
"EXCHANGESTANDARD_GOV" = "Microsoft Office 365 Exchange Online (Plan 1) only for Government"
"EXCHANGEENTERPRISE_GOV" = "Microsoft Office 365 Exchange Online (Plan 2) only for Government"
"SHAREPOINTDESKLESS_GOV" = "SharePoint Online Kiosk"
"EXCHANGE_S_DESKLESS_GOV" = "Exchange Kiosk"
"RMS_S_ENTERPRISE_GOV" = "Windows Azure Active Directory Rights Management"
"OFFICESUBSCRIPTION_GOV" = "Office ProPlus"
"MCOSTANDARD_GOV" = "Lync Plan 2G"
"SHAREPOINTWAC_GOV" = "Office Online for Government"
"SHAREPOINTENTERPRISE_GOV" = "SharePoint Plan 2G"
"EXCHANGE_S_ENTERPRISE_GOV" = "Exchange Plan 2G"
"EXCHANGE_S_ARCHIVE_ADDON_GOV" = "Exchange Online Archiving"
"EXCHANGE_S_DESKLESS" = "Exchange Online Kiosk"
"SHAREPOINTDESKLESS" = "SharePoint Online Kiosk"
"SHAREPOINTWAC" = "Office Online"
"YAMMER_ENTERPRISE" = "Yammer for the Starship Enterprise"
"EXCHANGE_L_STANDARD" = "Exchange Online (Plan 1)"
"MCOLITE" = "Lync Online (Plan 1)"
"SHAREPOINTLITE" = "SharePoint Online (Plan 1)"
"OFFICE_PRO_PLUS_SUBSCRIPTION_SMBIZ" = "Office ProPlus"
"EXCHANGE_S_STANDARD_MIDMARKET" = "Exchange Online (Plan 1)"
"MCOSTANDARD_MIDMARKET" = "Lync Online (Plan 1)"
"SHAREPOINTENTERPRISE_MIDMARKET" = "SharePoint Online (Plan 1)"
"OFFICESUBSCRIPTION" = "Office ProPlus"
"YAMMER_MIDSIZE" = "Yammer"
"DYN365_ENTERPRISE_PLAN1" = "Dynamics 365 Customer Engagement Plan Enterprise Edition"
"ENTERPRISEPREMIUM_NOPSTNCONF" = "Enterprise E5 (without Audio Conferencing)"
"ENTERPRISEPREMIUM" = "Enterprise E5 (with Audio Conferencing)"
"MCOSTANDARD" = "Skype for Business Online Standalone Plan 2"
"PROJECT_MADEIRA_PREVIEW_IW_SKU" = "Dynamics 365 for Financials for IWs"
"STANDARDWOFFPACK_IW_STUDENT" = "Office 365 Education for Students"
"STANDARDWOFFPACK_IW_FACULTY" = "Office 365 Education for Faculty"
"EOP_ENTERPRISE_FACULTY" = "Exchange Online Protection for Faculty"
"EXCHANGESTANDARD_STUDENT" = "Exchange Online (Plan 1) for Students"
"OFFICESUBSCRIPTION_STUDENT" = "Office ProPlus Student Benefit"
"STANDARDWOFFPACK_FACULTY" = "Office 365 Education E1 for Faculty"
"STANDARDWOFFPACK_STUDENT" = "Microsoft Office 365 (Plan A2) for Students"
"DYN365_FINANCIALS_BUSINESS_SKU" = "Dynamics 365 for Financials Business Edition"
"DYN365_FINANCIALS_TEAM_MEMBERS_SKU" = "Dynamics 365 for Team Members Business Edition"
"FLOW_FREE" = "Microsoft Flow Free"
"POWER_BI_PRO" = "Power BI Pro"
"O365_BUSINESS" = "Office 365 Business"
"DYN365_ENTERPRISE_SALES" = "Dynamics Office 365 Enterprise Sales"
"RIGHTSMANAGEMENT" = "Rights Management"
"PROJECTPROFESSIONAL" = "Project Professional"
"VISIOONLINE_PLAN1" = "Visio Online Plan 1"
"EXCHANGEENTERPRISE" = "Exchange Online Plan 2"
"DYN365_ENTERPRISE_P1_IW" = "Dynamics 365 P1 Trial for Information Workers"
"DYN365_ENTERPRISE_TEAM_MEMBERS" = "Dynamics 365 For Team Members Enterprise Edition"
"CRMSTANDARD" = "Microsoft Dynamics CRM Online Professional"
"EXCHANGEARCHIVE_ADDON" = "Exchange Online Archiving For Exchange Online"
"EXCHANGEDESKLESS" = "Exchange Online Kiosk"
"SPZA_IW" = "App Connect"
"WINDOWS_STORE" = "Windows Store for Business"
"MCOEV" = "Microsoft Phone System"
"VIDEO_INTEROP" = "Polycom Skype Meeting Video Interop for Skype for Business"
"SPE_E5" = "Microsoft 365 E5"
"SPE_E3" = "Microsoft 365 E3"
"ATA" = "Advanced Threat Analytics"
"MCOPSTN2" = "Domestic and International Calling Plan"
"FLOW_P1" = "Microsoft Flow Plan 1"
"FLOW_P2" = "Microsoft Flow Plan 2"
"CRMSTORAGE" = "Microsoft Dynamics CRM Online Additional Storage"
"SMB_APPS" = "Microsoft Business Apps"
"MICROSOFT_BUSINESS_CENTER" = "Microsoft Business Center"
"DYN365_TEAM_MEMBERS" = "Dynamics 365 Team Members"
"STREAM" = "Microsoft Stream Trial"
"EMSPREMIUM" = "ENTERPRISE MOBILITY + SECURITY E5"
}
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default'
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
$customers = Get-MsolPartnerContract -All
foreach ($customer in $customers) {
write-host "Creating body to request Graph access for each client." -ForegroundColor Green
$CustomerToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -Tenant $customer.TenantID
$headers = @{ "Authorization" = "Bearer $($CustomerToken.AccessToken)" }
write-host "Collecting data for $($Customer.defaultdomainname)" -ForegroundColor Green
$domains = Get-MsolDomain -TenantId $customer.TenantId | Where-Object { $_.status -contains "Verified" }
$Licenselist = (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/subscribedSkus" -Headers $Headers -Method Get -ContentType "application/json").value
$Licenselist | ForEach-Object { $_.skupartnumber = "$($AccountSkuIdDecodeData.$($_.skupartnumber))" }
$AdminRole = (Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/DirectoryRoles' -Headers $Headers -Method Get -ContentType "application/json").value | Where-Object { $_.displayname -eq 'Company Administrator' }
$Admins = (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/DirectoryRoles/$($AdminRole.id)/members" -Headers $Headers -Method Get -ContentType "application/json").value | Select-Object DisplayName, userprincipalname
$Users = (Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/users?$top=999' -Headers $Headers -Method Get -ContentType "application/json").value | Select-Object DisplayName, proxyaddresses, AssignedLicenses, userprincipalname
$MFAStatus = Get-MsolUser -all -TenantId $customer.TenantId | Select-Object DisplayName, UserPrincipalName, @{N = "MFA Status"; E = { if ( $_.StrongAuthenticationRequirements.State -ne $null) { $_.StrongAuthenticationRequirements.State } else { "Disabled" } } }
$UserObj = foreach ($user in $users) {
$Addresses = ($user.proxyaddresses | Sort-Object -Descending) -join "`n" -creplace "SMTP:", "Primary:" -creplace "smtp:", "Alias:"
[PSCustomObject]@{
'Display name' = $user.displayname
'Addresses' = [System.Web.HttpUtility]::HtmlDecode($Addresses)
"Licenses Assigned" = ($Licenselist | Where-Object { $_.skuid -in $User.assignedLicenses.skuid }).skupartnumber -join "`n"
"MFA Enabled" = ($MFAStatus | Where-Object { $_.UserPrincipalName -eq $user.userPrincipalName }).'MFA Status'
}
}
$licenseObj = foreach ($License in $Licenselist) {
[PSCustomObject]@{
'License Name' = $license.skupartnumber
'Active Licenses' = $license.prepaidUnits.enabled - $license.prepaidUnits.suspended
'Consumed Licenses' = $license.consumedunits
'unused licenses' = $license.prepaidUnits.enabled - $license.prepaidUnits.suspended - $license.consumedunits
}
}
$FlexAssetBody =
@{
type = "flexible-assets"
attributes = @{
traits = @{
"tenant-name" = $customer.Name
"tenant-id" = $customer.TenantId
"verified-domains" = ($domains | select-object Name, Status, IsDefault | convertto-html -Fragment | out-string)
"admin-users" = ($admins | select-object DisplayName, UserPrincipalName | convertto-html -Fragment | out-string)
"licenses" = ($licenseObj | select-object 'License Name', 'active licenses', 'consumed licenses', 'unused licenses' | convertto-html -Fragment | out-string)
"licensed-users" = (($UserObj | Where-Object { $_.'Licenses Assigned' -ne "" }) | convertto-html -Fragment | out-string)
"unlicensed-users" = (($UserObj | Where-Object { $_.'Licenses Assigned' -eq "" }) | convertto-html -Fragment | out-string)
}
}
}
write-output " Finding $($customer.name) in IT-Glue"
$DomainList = foreach ($Contact in $AllITGlueContacts) {
$ITGDomain = ($contact.'contact-emails'.value -split "@")[1]
[PSCustomObject]@{
Domain = $ITGDomain
OrgID = $Contact.'organization-id'
Combined = "$($ITGDomain)$($Contact.'organization-id')"
}
}
$domainList = $DomainList | sort-object -Property Combined -Unique
$orgid = foreach ($customerDomain in $domains) {
($domainList | Where-Object { $_.domain -eq $customerDomain.name }).'OrgID' | Select-Object -Unique
}
write-output " Uploading Office Portal $($customer.name) into IT-Glue"
foreach ($org in $orgID) {
$ExistingFlexAsset = (Get-ITGlueFlexibleAssets -filter_flexible_asset_type_id $FilterID.id -filter_organization_id $org).data | Where-Object { $_.attributes.traits.'tenant-id' -eq $customer.tenantid.guid }
#If the Asset does not exist, we edit the body to be in the form of a new asset, if not, we just upload.
if (!$ExistingFlexAsset) {
if ($FlexAssetBody.attributes.'organization-id') {
$FlexAssetBody.attributes.'organization-id' = $org
}
else {
$FlexAssetBody.attributes.add('organization-id', $org)
$FlexAssetBody.attributes.add('flexible-asset-type-id', $FilterID.id)
}
write-output " Creating new Office Portal $($customer.name) into IT-Glue organisation $org"
New-ITGlueFlexibleAssets -data $FlexAssetBody
}
else {
write-output " Updating Office Portal $($customer.name) into IT-Glue organisation $org"
$ExistingFlexAsset = $ExistingFlexAsset | select-object -Last 1
Set-ITGlueFlexibleAssets -id $ExistingFlexAsset.id -data $FlexAssetBody
}
}
}
So 2 weeks ago we talked about PowerShell canaries and using them as an early warning system. I got a couple of questions about the follow up, especially the host isolation. There’s a lot of tricks that you can use to isolate a host from others.
The version below allows you to isolate, and de-isolate, or re-integrate the OS into normal operation. To isolate the machine, we use the Windows Firewall, we block all outbound traffic, and we stop both the ‘workstation’ and ‘server’ service. This means the machine can no longer use shares or access network resources.
We also disable DNS by forwarding it to a fake server and clear the DNS cache. To make sure we can still remotely access the machine via our RMM or other tools, we add those to the host file and create an allow rule in the firewall.
All of these tasks can be reverted by changing the $isolation variable to $false. Don’t forget to add your own tooling to the list of allowed hosts.
The Script
$AllowedHosts = "google.com", "YourSuperDuperTurboRMM.com", '1.2.3.4'
$isolation = $false
write-host "Checking all IPs for hosts"
$ConvertedHosts = foreach ($Remotehost in $AllowedHosts) {
$IsIp = ($RemoteHost -as [ipaddress]) -as [bool]
if ($IsIp) {
$ipList = $Remotehost
}
else {
$IPList = (Resolve-DnsName $Remotehost).ip4address
}
Foreach ($IP in $IPList) {
[PSCustomObject]@{
Hostname = $Remotehost
IP = $IP
}
}
}
if ($isolation) {
write-host "Checking if Windows firewall is enabled" -ForegroundColor Green
$WindowsFirewall = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne $false }
if (!$WindowsFirewall) {
write-host "Windows firewall is enabled. Moving onto next task" -ForegroundColor Green
}
else {
Write-Host "Windows Firewall is not enabled. Enabling for extra isolation" -ForegroundColor Yellow
$WindowsFirewall | Set-NetFirewallProfile -Enabled:True
}
write-host "Preparing Windows Firewall isolation rule" -ForegroundColor Green
$ExistingRule = Get-NetFirewallRule -DisplayName "ISOLATION: Allowed Hosts" -ErrorAction SilentlyContinue
if ($ExistingRule) {
write-host "Setting existing Windows Firewall isolation rule" -ForegroundColor Green
Get-NetFirewallRule -Direction Outbound | Set-NetFirewallRule -Enabled:False
set-NetFirewallRule -Direction Outbound -Enabled:True -Action Allow -RemoteAddress $ConvertedHosts.IP -DisplayName "ISOLATION: Allowed Hosts"
get-netfirewallprofile | Set-NetFirewallProfile -DefaultOutboundAction Block
}
else {
write-host "Creating Firewall isolation rule" -ForegroundColor Green
Get-NetFirewallRule -Direction Outbound | Set-NetFirewallRule -Enabled:False
New-NetFirewallRule -Direction Outbound -Enabled:True -Action Allow -RemoteAddress $ConvertedHosts.IP -DisplayName "ISOLATION: Allowed Hosts"
get-netfirewallprofile | Set-NetFirewallProfile -DefaultOutboundAction Block
}
write-host "Adding list of hostnames to host file" -ForegroundColor Green
foreach ($HostEntry in $ConvertedHosts) {
Add-Content -Path "$($ENV:windir)/system32/drivers/etc/hosts" -Value "`n$($HostEntry.IP)`t`t$($HostEntry.Hostname)"
start-sleep -Milliseconds 200
}
write-host 'Setting DNS to a static server that does not exist' -ForegroundColor Green
Get-dnsclientserveraddress | Set-DnsClientServerAddress -ServerAddresses 127.0.0.127
write-host "Clearing DNS cache" -ForegroundColor Green
Clear-DnsClientCache
write-host "Stopping 'client' and 'server' service. and setting to disabled" -ForegroundColor Green
stop-service -name 'Workstation' -Force
get-service -name 'Workstation' | Set-Service -StartupType Disabled
stop-service -name 'Server' -Force
get-service -name 'server' | Set-Service -StartupType Disabled
write-host 'Isolation performed. To undo these actions, please run the script with $Isolation set to false' -ForegroundColor Green
}
else {
write-host "Undoing isolation process." -ForegroundColor Green
write-host "Setting existing Windows Firewall isolation rule to allow traffic" -ForegroundColor Green
Get-NetFirewallRule -Direction Outbound | Set-NetFirewallRule -Enabled:True
Remove-NetFirewallRule -DisplayName "ISOLATION: Allowed Hosts" -ErrorAction SilentlyContinue
get-netfirewallprofile | Set-NetFirewallProfile -DefaultOutboundAction Allow
write-host "Removing list of hostnames from host file" -ForegroundColor Green
foreach ($HostEntry in $ConvertedHosts) {
$HostFile = Get-Content "$($ENV:windir)/system32/drivers/etc/hosts"
$NewHostFile = $HostFile -replace "`n$($HostEntry.IP)`t`t$($HostEntry.Hostname)", ''
Set-Content -Path "$($ENV:windir)/system32/drivers/etc/hosts" -Value $NewHostFile
start-sleep -Milliseconds 200
}
write-host "Clearing DNS cache" -ForegroundColor Green
Clear-DnsClientCache
write-host "Setting DNS back to DHCP" -ForegroundColor Green
Get-dnsclientserveraddress | Set-DnsClientServerAddress -ResetServerAddresses
write-host "Starting 'Workstation' and 'server' service. and setting to disabled" -ForegroundColor Green
get-service -name 'Workstation' | Set-Service -StartupType Automatic
start-service 'Workstation'
get-service -name 'server' | Set-Service -StartupType Automatic
start-service 'Server'
write-host 'Undo Isolation performed. To re-isolate, run the script with the $Isolation parameter set to true.' -ForegroundColor Green
}
And that’s it! This is of course just an example on how to isolate a host from others in case you want to, you should modify it to fir your environment.
With my recently released RunAsUser module there’s been an influx of questions on what it could be used for. I’ve tried to describe as much as possible on the github page and the previous blog about it. But one I wanted to talk about real quick is the ability to create Toast notifications.
Toast notifications are those little OS native notifications you side in the bottom right of your screen when receiving an e-mail. Our RMM system has the ability to create a notification using an application, but to be honest that notification looks like it came straight out of 1990.
To have a bit better user experience, and to also get the ability to do specific things with user-input I’ve decided to use Burnt Toast. Burnt Toast is a module that give you the ability to generate pretty toast messages with just a couple lines of code. Brilliant really!
Combining my RunAsUser module, and Burnt Toast we’re able to send a script to the currently logged on user’s session and get full functionality in there. One example is to reboot the computer after updates. So lets get going!
The script
The following script can be used to create a toast for reboots. It creates a ‘protocol handler’. It then toasts with a nice Gif of my logo to get the users attention. The script assumes you have trusted the PSGallery before hand.
I’ve demonstrated in a couple of blogs like the OneDrive Sync Monitoring and the OneDrive File Monitoring that it’s possible to impersonate the current user when a script is actually started by the NT AUTHORITY\SYSTEM account.
My friends asked me if it would not be possible for other scripts to use the same approach. In the previous blogs I’ve shown that by loading the component by MurrayJu we got the ability to impersonate. I converted this into a module which you can find on https://github.com/KelvinTegelaar/RunAsUser.
This module allows you to run any script that is initiated by SYSTEM and execute it as the currently logged on user. This gives us a lot of freedom. Most RMM systems(and intune!) don’t allow monitoring under the currently logged on user. This often means that you have to work around accessing resources directly in their profile.
Some examples would be accessing installers that run in the users AppData folder, or registry items created under HKCU. Another could be scripts that require accessing shared drives or printers that are only mapped in user-space.
This is also super useful for intune scripts, because you just need to present things to the user or install things using their credentials directly.
Using the module
So, using the module is very straight forward. To install the module execute the following command:
install-module RunAsUser
After you’ve installed the module you can jump straight into scripting. There are some things to account for; The script requires SYSTEM credentials or the SeDelegateSessionUserImpersonatePrivilege privilege.
The second thing is that the output can’t be directly captured. If you want to get output from the script you’ll have to write it to a file and pick that up again in the SYSTEM session. This might sound a little confusing so I have an example below.
In the script, we’re executing the Script Block using Invoke-AsCurrentUser command. This runs that entire block of code as the currently logged on user. We then sleep for 2 seconds allowing the script block to finish writing to disk. After this finishes, we pick up the file again under the system account and process the results.
So in short; using this module opens up a lot of user-based monitoring for systems that normally only allow executing under the SYSTEM account. Hopefully this helps people solve some challenges.
As a closing remark I’d like to thank Ben Reader (@Powers_hell) for his help on the module. He assisted in cleaning up the code right after release, making it all look and feel a lot smoother and he assisted in better error handling. Thanks Buddy! 🙂
I wrote about monitoring the Onedrive sync status some time ago. That blog gained a lot of popularity. Implementing it allows you to monitor Onedrive, which runs in user mode while using your RMM that often runs under system.
So after a while we’ve noticed that we bumped into issues that weren’t getting captured by monitoring just the sync state. Onedrive tends to get performance issues when syncing more than 300k files. This also counts for files on demand. There are some other limitations but the best write-up about this is here. Large libraries just tend to make things a little screwy.
To tackle this you can use the following script. This gets all the synced sites, lists the Item count, checks if the sum is higher than 280k and alerts if that is true. This helped us tackle performance problems and nip them in the bud pretty early on 🙂
Running this script directly often doesn’t work, because we’ll bump into the same issue we have with the OneDrive monitoring script. To fix that, use the version below. This impersonates the current user. Remember that this should run as NT AUTHORITY\SYSTEM.
$Source = @"
using System;
using System.Runtime.InteropServices;
namespace murrayju.ProcessExtensions
{
public static class ProcessExtensions
{
#region Win32 Constants
private const int CREATE_UNICODE_ENVIRONMENT = 0x00000400;
private const int CREATE_NO_WINDOW = 0x08000000;
private const int CREATE_NEW_CONSOLE = 0x00000010;
private const uint INVALID_SESSION_ID = 0xFFFFFFFF;
private static readonly IntPtr WTS_CURRENT_SERVER_HANDLE = IntPtr.Zero;
#endregion
#region DllImports
[DllImport("advapi32.dll", EntryPoint = "CreateProcessAsUser", SetLastError = true, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.StdCall)]
private static extern bool CreateProcessAsUser(
IntPtr hToken,
String lpApplicationName,
String lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
bool bInheritHandle,
uint dwCreationFlags,
IntPtr lpEnvironment,
String lpCurrentDirectory,
ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
[DllImport("advapi32.dll", EntryPoint = "DuplicateTokenEx")]
private static extern bool DuplicateTokenEx(
IntPtr ExistingTokenHandle,
uint dwDesiredAccess,
IntPtr lpThreadAttributes,
int TokenType,
int ImpersonationLevel,
ref IntPtr DuplicateTokenHandle);
[DllImport("userenv.dll", SetLastError = true)]
private static extern bool CreateEnvironmentBlock(ref IntPtr lpEnvironment, IntPtr hToken, bool bInherit);
[DllImport("userenv.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool DestroyEnvironmentBlock(IntPtr lpEnvironment);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool CloseHandle(IntPtr hSnapshot);
[DllImport("kernel32.dll")]
private static extern uint WTSGetActiveConsoleSessionId();
[DllImport("Wtsapi32.dll")]
private static extern uint WTSQueryUserToken(uint SessionId, ref IntPtr phToken);
[DllImport("wtsapi32.dll", SetLastError = true)]
private static extern int WTSEnumerateSessions(
IntPtr hServer,
int Reserved,
int Version,
ref IntPtr ppSessionInfo,
ref int pCount);
#endregion
#region Win32 Structs
private enum SW
{
SW_HIDE = 0,
SW_SHOWNORMAL = 1,
SW_NORMAL = 1,
SW_SHOWMINIMIZED = 2,
SW_SHOWMAXIMIZED = 3,
SW_MAXIMIZE = 3,
SW_SHOWNOACTIVATE = 4,
SW_SHOW = 5,
SW_MINIMIZE = 6,
SW_SHOWMINNOACTIVE = 7,
SW_SHOWNA = 8,
SW_RESTORE = 9,
SW_SHOWDEFAULT = 10,
SW_MAX = 10
}
private enum WTS_CONNECTSTATE_CLASS
{
WTSActive,
WTSConnected,
WTSConnectQuery,
WTSShadow,
WTSDisconnected,
WTSIdle,
WTSListen,
WTSReset,
WTSDown,
WTSInit
}
[StructLayout(LayoutKind.Sequential)]
private struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
}
private enum SECURITY_IMPERSONATION_LEVEL
{
SecurityAnonymous = 0,
SecurityIdentification = 1,
SecurityImpersonation = 2,
SecurityDelegation = 3,
}
[StructLayout(LayoutKind.Sequential)]
private struct STARTUPINFO
{
public int cb;
public String lpReserved;
public String lpDesktop;
public String lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttribute;
public uint dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
private enum TOKEN_TYPE
{
TokenPrimary = 1,
TokenImpersonation = 2
}
[StructLayout(LayoutKind.Sequential)]
private struct WTS_SESSION_INFO
{
public readonly UInt32 SessionID;
[MarshalAs(UnmanagedType.LPStr)]
public readonly String pWinStationName;
public readonly WTS_CONNECTSTATE_CLASS State;
}
#endregion
// Gets the user token from the currently active session
private static bool GetSessionUserToken(ref IntPtr phUserToken)
{
var bResult = false;
var hImpersonationToken = IntPtr.Zero;
var activeSessionId = INVALID_SESSION_ID;
var pSessionInfo = IntPtr.Zero;
var sessionCount = 0;
// Get a handle to the user access token for the current active session.
if (WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, ref pSessionInfo, ref sessionCount) != 0)
{
var arrayElementSize = Marshal.SizeOf(typeof(WTS_SESSION_INFO));
var current = pSessionInfo;
for (var i = 0; i < sessionCount; i++)
{
var si = (WTS_SESSION_INFO)Marshal.PtrToStructure((IntPtr)current, typeof(WTS_SESSION_INFO));
current += arrayElementSize;
if (si.State == WTS_CONNECTSTATE_CLASS.WTSActive)
{
activeSessionId = si.SessionID;
}
}
}
// If enumerating did not work, fall back to the old method
if (activeSessionId == INVALID_SESSION_ID)
{
activeSessionId = WTSGetActiveConsoleSessionId();
}
if (WTSQueryUserToken(activeSessionId, ref hImpersonationToken) != 0)
{
// Convert the impersonation token to a primary token
bResult = DuplicateTokenEx(hImpersonationToken, 0, IntPtr.Zero,
(int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, (int)TOKEN_TYPE.TokenPrimary,
ref phUserToken);
CloseHandle(hImpersonationToken);
}
return bResult;
}
public static bool StartProcessAsCurrentUser(string appPath, string cmdLine = null, string workDir = null, bool visible = true)
{
var hUserToken = IntPtr.Zero;
var startInfo = new STARTUPINFO();
var procInfo = new PROCESS_INFORMATION();
var pEnv = IntPtr.Zero;
int iResultOfCreateProcessAsUser;
startInfo.cb = Marshal.SizeOf(typeof(STARTUPINFO));
try
{
if (!GetSessionUserToken(ref hUserToken))
{
throw new Exception("StartProcessAsCurrentUser: GetSessionUserToken failed.");
}
uint dwCreationFlags = CREATE_UNICODE_ENVIRONMENT | (uint)(visible ? CREATE_NEW_CONSOLE : CREATE_NO_WINDOW);
startInfo.wShowWindow = (short)(visible ? SW.SW_SHOW : SW.SW_HIDE);
startInfo.lpDesktop = "winsta0\\default";
if (!CreateEnvironmentBlock(ref pEnv, hUserToken, false))
{
throw new Exception("StartProcessAsCurrentUser: CreateEnvironmentBlock failed.");
}
if (!CreateProcessAsUser(hUserToken,
appPath, // Application Name
cmdLine, // Command Line
IntPtr.Zero,
IntPtr.Zero,
false,
dwCreationFlags,
pEnv,
workDir, // Working directory
ref startInfo,
out procInfo))
{
throw new Exception("StartProcessAsCurrentUser: CreateProcessAsUser failed.\n");
}
iResultOfCreateProcessAsUser = Marshal.GetLastWin32Error();
}
finally
{
CloseHandle(hUserToken);
if (pEnv != IntPtr.Zero)
{
DestroyEnvironmentBlock(pEnv);
}
CloseHandle(procInfo.hThread);
CloseHandle(procInfo.hProcess);
}
return true;
}
}
}
"@
Add-Type -ReferencedAssemblies 'System', 'System.Runtime.InteropServices' -TypeDefinition $Source -Language CSharp
$scriptblock = {
$IniFiles = Get-ChildItem "$ENV:LOCALAPPDATA\Microsoft\OneDrive\settings\Business1" -Filter 'ClientPolicy*' -ErrorAction SilentlyContinue
if (!$IniFiles) {
write-host 'No Onedrive configuration files found. Stopping script.'
exit 1
}
$SyncedLibraries = foreach ($inifile in $IniFiles) {
$IniContent = get-content $inifile.fullname -Encoding Unicode
[PSCustomObject]@{
'Item Count' = ($IniContent | Where-Object { $_ -like 'ItemCount*' }) -split '= ' | Select-Object -last 1
'Site Name' = ($IniContent | Where-Object { $_ -like 'SiteTitle*' }) -split '= ' | Select-Object -last 1
'Site URL' = ($IniContent | Where-Object { $_ -like 'DavUrlNamespace*' }) -split '= ' | Select-Object -last 1
}
}
$SyncedLibraries | ConvertTo-Json | Out-File 'C:\programdata\Microsoft OneDrive\OneDriveLibraries.txt'
}
[murrayju.ProcessExtensions.ProcessExtensions]::StartProcessAsCurrentUser("C:\Windows\System32\WindowsPowershell\v1.0\Powershell.exe", "-command $($scriptblock)", "C:\Windows\System32\WindowsPowershell\v1.0", $false)
start-sleep 5
$SyncedLibraries = (get-content "C:\programdata\Microsoft OneDrive\OneDriveLibraries.txt" | convertfrom-json)
if (($SyncedLibraries.'Item count' | Measure-Object -Sum).sum -gt '280000') {
write-host "Unhealthy - Currently syncing more than 280k files. Please investigate."
$SyncedLibraries
}
else {
write-host "Healthy - Syncing less than 280k files."
}
Something like 3 years ago I wrote a blog about using PowerShell to configure Onedrive sites using the odopen protocol. This was pretty much the only method to configure Onedrive to automatically map sites and have a zero-touch configuration.
Of course over the years the management side has improved and OneDrive usage has exploded. Unfortunately the onedrive automatic mapping structure isn’t where it should be yet. For example the GPO/intune method for automatic mapping configuration can take up to 8 hours to apply on any client.
During migrations and new deployment this is pretty much unacceptable. To make sure that mapping would be instant I’ve decided to create two scripts; One Azure Function which I’ve called AzMapper, and another client based script.
AzMapper requires you to create an Azure Function. To do that follow this manual and replace the script with the one below. This script is compatible with the Secure Application Model, and as such it can check all of your partner tenants too. Meaning you’ll only need to host a single version.
Replace $ApplicationID and $ApplicationSecret with your own from the Secure App Model.
You’ll also need to give your Secure Application Model a little more permissions, specifically to read the groups:
If you want sites to be skipped, you can add “no-auto-map” in the description in Teams. this will cause the script to skip that site.
Now we can browse to the AzMapper URL to check if our function is working. To test the AzMapper click on “Get Function URL” in the Azure Portal and copy the URL required. You’ll end up with something like:
This should return all sites for that specific user, it will contain exactly the information you need to create a odopen:// URL.
Client script
So you can schedule the client script using whatever method you prefer – as a startup script, using your RMM, or just a one-off during migrations. When a site is already configured to be synced it will skip this site. We do assume that OneDrive is already configured and just waiting to sync sites. 😉
#########################
$AutoMapURL = "https://azmapper.azurewebsites.net/api/AzOneMap"
$AutomapAPIKey = "TheAPIKeyFromTheAppAlsoKnownAsTheCode"
#########################
write-host "Grabbing OneDrive info from registry" -ForegroundColor Green
$TenantID = (get-itemproperty "HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1").ConfiguredTenantId
$TenantDisplayName = (get-itemproperty "HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1").Displayname
$username = (get-itemproperty "HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1").userEmail
$CurrentlySynced = (get-itemproperty "HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1\Tenants\$($tenantdisplayname)" -ErrorAction SilentlyContinue)
Write-Host "Retrieving all possible teams." -ForegroundColor Green
$ListOfTeams = Invoke-RestMethod -Method get -uri "$($AutoMapURL)?Tenantid=$($TenantID)&Username=$($Username)&code=$($AutomapAPIKey)" -UseBasicParsing
$Upn = [System.Web.HttpUtility]::Urldecode($username)
foreach ($Team in $ListOfTeams) {
write-host "Checking if site is not already synced" -ForegroundColor Green
$sitename = [System.Web.HttpUtility]::Urldecode($Team.Webtitle)
if ($CurrentlySynced.psobject.Properties.name -like "*$($sitename) -*") {
write-host "Site $Sitename is already being synced. Skipping." -ForegroundColor Green
continue
}
else {
write-host "Mapping Team: $Sitename" -ForegroundColor Green
Start-Process "odopen://sync/?siteId=$($team.SiteID)&webId=$($team.webid)&listId=$($team.ListID)&userEmail=$upn&webUrl=$($team.Weburl)&webtitle=$($team.Webtitle)"
start-sleep 5
}
}
And that’s it! running this script will map all the sites this specific user has access to, it won’t give weird pop-ups for users that do not have access and this should help you ease all Teams deployments by a lot. As always, Happy PowerShelling!
I decided this time I’m gonna be combining two small blogs, because they’re both pretty small and easy. Both are somewhat security oriented. The first part of the blog we will tackle monitoring the KRBTGT password. This needs to be reset on a regular schedule to ensure bad actors can’t abuse it.
The second part we’ll focus on creating our own ‘Canary’ files. These files can be used for a lot of things but the most common is to detect if ransomware has touched them in someway or the other. So, lets get started!
Monitoring KRBTGT Password age
So it’s actually straight forward to monitor the KRBTGT account, as it’s just a AD account. We’ll monitor this by grabbing the PasswordLastSet Attributes from the Active Directory. If you want to automatically resolve this, I’d strongly suggest to look at the script in this Github.
$Days = (Get-Date).AddDays(-31)
$Account = Get-AdUser krbtgt -property passwordlastset
$Setdate = if($Account.PasswordLastSet -gt $Days){ "Healthy - Password set date $($Account.Passwordlastset)" } else {" Unhealthy - Password set date $($Account.Passwordlastset)" }
You can change the amount of days to what you are comfortable with. I believe the documentation doesn’t have a strong suggestion in how much you should, but as this is a completely automated solution we perform this on a monthly basis.
Creating and monitoring file canaries
So, canaries are files that you place on strategic locations on a machine to check if the files aren’t being touched, corrupted, or encrypted in any way. Primarily they are used to prevent a full encryption of a computer and minimize data loss and lateral movement.
So with this script, we create canaries in a couple of locations;
The My Documents folder of each user
The Desktop Folder of each user
The root of each drive on the machine
You’ll also be able to create them in locations you want by adding to the $CreateLocations variable. We create the files as hidden, so users should not see the file, the file name will be canaryfile.pdf, even though it’s just a simple text file.
So the script creates a file in each location, and immediately starts alerting on two properties; If the file has been edited in the past hour, and if the file contains the correct string. I’d advice to apply the monitoring to the device, wait an hour, and then actually start alerting on it or reacting.
$CreateLocations = @('AllDesktops', 'AllDocuments', 'AllDrives', 'C:\temp')
$FileContent = "This file is a special file created by your managed services provider. For more information contact the IT Support desk."
foreach ($Locations in $CreateLocations) {
$AllLocations = switch ($Locations) {
"AllDesktops" { (Get-ChildItem "C:\Users" -Recurse -Force -filter 'Desktop' -Depth 3).FullName }
"AllDocuments" { (Get-ChildItem "C:\Users" -Recurse -Force -Filter 'Documents' -Depth 3).fullname }
"AllDrives" { ([System.IO.DriveInfo]::getdrives() | Where-Object { $_.DriveType -eq 'Fixed' }).Name }
default { $Locations }
}
$CanaryStatus = foreach ($Location in $AllLocations) {
if ((test-path "$Location\CanaryFile.pdf") -eq $false) {
$File = New-Item $Location -Name "CanaryFile.pdf" -Value $FileContent
$file.Attributes = 'hidden'
}
else {
$ExistingFile = get-item "$Location\CanaryFile.pdf" -Force
if ($ExistingFile.LastWriteTime -gt (get-date).AddHours(-1)) { "$Location\CanaryFile.pdf is unhealthy. The LastWriteTime was $($ExistingFile.LastWriteTime)" }
$ExistingFileContents = get-content $ExistingFile -Force
if ($ExistingFileContents -ne $FileContent) { "$Location\CanaryFile.pdf is unhealthy. The contents do not match. This is a sign the file has most likely been encrypted" }
}
}
}
if(!$CanaryStatus){
$CanaryStatus = "Healthy"
}
$CanaryStatus
If you feel confident enough about this, you could set up some self-healing like disabling network access, or shutting the device down before the machine is completely encrypted. And that’s it. As always, Happy PowerShelling!
So I was thinking of this idea for a bit. My sales team got approached by a product that gives you information about what breaches you are in. There were a couple of issues we had with this product. The first part is that 90% of its data comes from the public “Have I been Pwned” database, while they claimed it was their own. The second was that the tool did not integrate with our documentation system directly. There were some weird limits like a maximum of one domain per client, so I figured I’d try to build something myself instead.
After some testing I’ve decided to make 3 versions of this script. One that directly uploads the breach information to IT-Glue. Another to create generic HTML files which you could easily send to clients. Lastly I also wanted to help our sales team out a little with a dynamic version. With this one you could enter emails and IP and get a nice looking report back.
So let’s get started! For all three scripts you’ll need 2 API keys. One for Have I been Pwned which will cost you €3,50 a month. You’ll need another for Shodan which can be free, premium, or bought in discount for 1 dollar once in a while.
IT-Glue version
The IT-Glue version creates a flexible asset for you, uploads the data per client. It looks up each e-mail address in the O365 tenant, and does a Shodan search for the registered domain names.
################### Secure Application Model Information ###################
$ApplicationId = 'ApplicationID'
$ApplicationSecret = 'ApplicationSecret' | Convertto-SecureString -AsPlainText -Force
$RefreshToken = 'ExtremelyLongRefreshToken'
################# /Secure Application Model Information ####################
################# API Keys #################################################
$ShodanAPIKey = 'YourShodanAPIKEy'
$HaveIBeenPwnedKey = 'HIBPAPIKey'
################# /API Keys ################################################
################# IT-Glue Information ######################################
$ITGkey = "ITGluekey"
$ITGbaseURI = "https://api.eu.itglue.com"
$FlexAssetName = "Breach v1 - Autodoc"
$Description = "Automatic Documentation for known breaches."
$TableStyling = "<th>", "<th style=`"background-color:#4CAF50`">"
################# /IT-Glue Information #####################################
write-host "Checking if IT-Glue Module is available, and if not install it." -ForegroundColor Green
#Settings IT-Glue logon information
If (Get-Module -ListAvailable -Name "ITGlueAPI") {
Import-module ITGlueAPI
}
Else {
Install-Module ITGlueAPI -Force
Import-Module ITGlueAPI
}
#Setting IT-Glue logon information
Add-ITGlueBaseURI -base_uri $ITGbaseURI
Add-ITGlueAPIKey $ITGkey
write-host "Getting IT-Glue contact list" -ForegroundColor Green
$i = 0
do {
$AllITGlueContacts += (Get-ITGlueContacts -page_size 1000 -page_number $i).data.attributes
$i++
Write-Host "Retrieved $($AllITGlueContacts.count) Contacts" -ForegroundColor Yellow
}while ($AllITGlueContacts.count % 1000 -eq 0 -and $AllITGlueContacts.count -ne 0)
write-host "Generating unique ID List" -ForegroundColor Green
$DomainList = foreach ($Contact in $AllITGlueContacts) {
$ITGDomain = ($contact.'contact-emails'.value -split "@")[1]
[PSCustomObject]@{
Domain = $ITGDomain
OrgID = $Contact.'organization-id'
Combined = "$($ITGDomain)$($Contact.'organization-id')"
}
}
$DomainList = $DomainList | sort-object -Property Combined -Unique
write-host "Checking if Flexible Asset exists in IT-Glue." -foregroundColor green
$FilterID = (Get-ITGlueFlexibleAssetTypes -filter_name $FlexAssetName).data
if (!$FilterID) {
write-host "Does not exist, creating new." -foregroundColor green
$NewFlexAssetData =
@{
type = 'flexible-asset-types'
attributes = @{
name = $FlexAssetName
icon = 'sitemap'
description = $description
}
relationships = @{
"flexible-asset-fields" = @{
data = @(
@{
type = "flexible_asset_fields"
attributes = @{
order = 1
name = "Tenant name"
kind = "Text"
required = $true
"show-in-list" = $true
"use-for-title" = $true
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 2
name = "Breaches"
kind = "Textbox"
required = $true
"show-in-list" = $false
"use-for-title" = $false
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 3
name = "Shodan Info"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
}
)
}
}
}
New-ITGlueFlexibleAssetTypes -Data $NewFlexAssetData
$FilterID = (Get-ITGlueFlexibleAssetTypes -filter_name $FlexAssetName).data
}
write-host "Creating credentials and tokens." -ForegroundColor Green
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal
$HIBPHeader = @{'hibp-api-key' = $HaveIBeenPwnedKey }
write-host "Connecting to Office365 to get all tenants." -ForegroundColor Green
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
$customers = Get-MsolPartnerContract -All
foreach ($Customer in $Customers) {
$CustomerDomains = Get-MsolDomain -TenantId $Customer.TenantId
write-host "Finding possible organisation IDs for $($customer.name)" -ForegroundColor Green
$orgid = foreach ($customerDomain in $customerdomains) {
($domainList | Where-Object { $_.domain -eq $customerDomain.name }).'OrgID' | Select-Object -Unique
}
write-host " Retrieving Breach Info for $($customer.name)" -ForegroundColor Green
$UserList = get-msoluser -all -TenantId $Customer.TenantId
$HIBPList = foreach ($User in $UserList) {
try {
$Breaches = $null
$Breaches = Invoke-RestMethod -Uri "https://haveibeenpwned.com/api/v3/breachedaccount/$($user.UserPrincipalName)?truncateResponse=false" -Headers $HIBPHeader -UserAgent 'CyberDrain.com PowerShell Breach Script'
}
catch {
if ($_.Exception.Response.StatusCode.value__ -eq '404') { } else { write-error "$($_.Exception.message)" }
}
start-sleep 1.5
foreach ($Breach in $Breaches) {
[PSCustomObject]@{
Username = $user.UserPrincipalName
'Name' = $Breach.name
'Domain name' = $breach.Domain
'Date' = $Breach.Breachdate
'Verified by experts' = if ($Breach.isverified) { 'Yes' } else { 'No' }
'Leaked data' = $Breach.DataClasses -join ', '
'Description' = $Breach.Description
}
}
}
$BreachListHTML = $HIBPList | ConvertTo-Html -Fragment -PreContent '<h2>Breaches</h2><br> A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. HIBP aggregates breaches and enables people to assess where their personal data has been exposed.<br>' | Out-String
write-host "Getting Shodan information for $($Customer.name)'s domains."
$SHodanInfo = foreach ($Domain in $CustomerDomains.Name) {
$ShodanQuery = (Invoke-RestMethod -Uri "https://api.shodan.io/shodan/host/search?key=$($ShodanAPIKey)&query=$Domain" -UserAgent 'CyberDrain.com PowerShell Breach Script').matches
foreach ($FoundItem in $ShodanQuery) {
[PSCustomObject]@{
'Searched for' = $Domain
'Found Product' = $FoundItem.product
'Found open port' = $FoundItem.port
'Found IP' = $FoundItem.ip_str
'Found Domain' = $FoundItem.domain
}
}
}
if (!$ShodanInfo -or $SHodanInfo) { $ShodanInfo = @{'Detection' = "No information found for domains on Shodan"} }
$ShodanHTML = $SHodanInfo | ConvertTo-Html -Fragment -PreContent "<h2>Shodan Information</h2><br>Shodan is a search engine, but one designed specifically for internet connected devices. It scours the invisible parts of the Internet most people won’t ever see. Any internet exposed connected device can show up in a search.<br>" | Out-String
$FlexAssetBody =
@{
type = 'flexible-assets'
attributes = @{
traits = @{
'tenant-name' = $customer.DefaultDomainName
'breaches' = [System.Web.HttpUtility]::HtmlDecode($BreachListHTML -replace $TableStyling)
'shodan-info' = ($ShodanHTML -replace $TableStyling)
}
}
}
write-host " Uploading Breach Info $($customer.name) into IT-Glue" -foregroundColor green
foreach ($org in $orgID | Select-Object -Unique) {
$ExistingFlexAsset = (Get-ITGlueFlexibleAssets -filter_flexible_asset_type_id $FilterID.id -filter_organization_id $org).data | Where-Object { $_.attributes.traits.'tenant-name' -eq $($Customer.DefaultDomainName) } | Select-Object -last 1
#If the Asset does not exist, we edit the body to be in the form of a new asset, if not, we just upload.
if (!$ExistingFlexAsset) {
if ($FlexAssetBody.attributes.'organization-id') {
$FlexAssetBody.attributes.'organization-id' = $org
}
else {
$FlexAssetBody.attributes.add('organization-id', $org)
$FlexAssetBody.attributes.add('flexible-asset-type-id', $FilterID.id)
}
write-output " Creating new Breach Info for $($Customer.name) into IT-Glue organisation $org"
New-ITGlueFlexibleAssets -data $FlexAssetBody
}
else {
write-output " Updating Breach Info for $($Customer.name) into IT-Glue organisation $org"
$ExistingFlexAsset = $ExistingFlexAsset | select-object -Last 1
Set-ITGlueFlexibleAssets -id $ExistingFlexAsset.id -data $FlexAssetBody
}
}
}
Generic version
So the generic version works the same as the IT-Glue version. The only difference is that it will create a file per tenant in C:\Temp. You can distribute this file or add it to your own documentation system manually or via an API I don’t know about. 🙂 I’ve added a screenshot for how this would look as requested.
################### Secure Application Model Information ###################
$ApplicationId = 'ApplicationID'
$ApplicationSecret = 'ApplicationSecret' | Convertto-SecureString -AsPlainText -Force
$RefreshToken = 'ExtremelyLongRefreshToken'
################# /Secure Application Model Information ####################
################# API Keys #################################################
$ShodanAPIKey = 'YourShodanAPIKEy'
$HaveIBeenPwnedKey = 'HIBPAPIKey'
################# /API Keys ################################################
$head = @"
<script>
function myFunction() {
const filter = document.querySelector('#myInput').value.toUpperCase();
const trs = document.querySelectorAll('table tr:not(.header)');
trs.forEach(tr => tr.style.display = [...tr.children].find(td => td.innerHTML.toUpperCase().includes(filter)) ? '' : 'none');
}</script>
<Title>LNPP - Lime Networks Partner Portal</Title>
<style>
body { background-color:#E5E4E2;
font-family:Monospace;
font-size:10pt; }
td, th { border:0px solid black;
border-collapse:collapse;
white-space:pre; }
th { color:white;
background-color:black; }
table, tr, td, th {
padding: 2px;
margin: 0px;
white-space:pre; }
tr:nth-child(odd) {background-color: lightgray}
table { width:95%;margin-left:5px; margin-bottom:20px; }
h2 {
font-family:Tahoma;
color:#6D7B8D;
}
.footer
{ color:green;
margin-left:10px;
font-family:Tahoma;
font-size:8pt;
font-style:italic;
}
#myInput {
background-image: url('https://www.w3schools.com/css/searchicon.png'); /* Add a search icon to input */
background-position: 10px 12px; /* Position the search icon */
background-repeat: no-repeat; /* Do not repeat the icon image */
width: 50%; /* Full-width */
font-size: 16px; /* Increase font-size */
padding: 12px 20px 12px 40px; /* Add some padding */
border: 1px solid #ddd; /* Add a grey border */
margin-bottom: 12px; /* Add some space below the input */
}
</style>
"@
$PreContent = @"
<H1> Breach logbook</H1> <br>
This log contains all breaches found for the e-mail addresses in your Microsoft tenant. You can use the search to find specific e-mail addresses.
<br/>
<br/>
<input type="text" id="myInput" onkeyup="myFunction()" placeholder="Search...">
"@
write-host "Creating credentials and tokens." -ForegroundColor Green
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal
$HIBPHeader = @{'hibp-api-key' = $HaveIBeenPwnedKey }
write-host "Connecting to Office365 to get all tenants." -ForegroundColor Green
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
$customers = Get-MsolPartnerContract -All
foreach ($Customer in $Customers) {
$CustomerDomains = Get-MsolDomain -TenantId $Customer.TenantId
write-host " Retrieving Breach Info for $($customer.name)" -ForegroundColor Green
$UserList = get-msoluser -all -TenantId $Customer.TenantId
$HIBPList = foreach ($User in $UserList) {
try {
$Breaches = $null
$Breaches = Invoke-RestMethod -Uri "https://haveibeenpwned.com/api/v3/breachedaccount/$($user.UserPrincipalName)?truncateResponse=false" -Headers $HIBPHeader -UserAgent 'CyberDrain.com PowerShell Breach Script'
}
catch {
if ($_.Exception.Response.StatusCode.value__ -eq '404') { } else { write-error "$($_.Exception.message)" }
}
start-sleep 1.5
foreach ($Breach in $Breaches) {
[PSCustomObject]@{
Username = $user.UserPrincipalName
'Name' = $Breach.name
'Domain name' = $breach.Domain
'Date' = $Breach.Breachdate
'Verified by experts' = if ($Breach.isverified) { 'Yes' } else { 'No' }
'Leaked data' = $Breach.DataClasses -join ', '
'Description' = $Breach.Description
}
}
}
$BreachListHTML = $HIBPList | ConvertTo-Html -Fragment -PreContent '<h2>Breaches</h2><br> A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. HIBP aggregates breaches and enables people to assess where their personal data has been exposed.<br>' | Out-String
write-host "Getting Shodan information for $($Customer.name)'s domains."
$SHodanInfo = foreach ($Domain in $CustomerDomains.Name) {
$ShodanQuery = (Invoke-RestMethod -Uri "https://api.shodan.io/shodan/host/search?key=$($ShodanAPIKey)&query=$Domain" -UserAgent 'CyberDrain.com PowerShell Breach Script').matches
foreach ($FoundItem in $ShodanQuery) {
[PSCustomObject]@{
'Searched for' = $Domain
'Found Product' = $FoundItem.product
'Found open port' = $FoundItem.port
'Found IP' = $FoundItem.ip_str
'Found Domain' = $FoundItem.domain
}
}
}
if (!$ShodanInfo) { $ShodanInfo = @{ 'Detection' = "No information found for domains on Shodan" } }
$ShodanHTML = $SHodanInfo | ConvertTo-Html -Fragment -PreContent "<h2>Shodan Information</h2><br>Shodan is a search engine, but one designed specifically for internet connected devices. It scours the invisible parts of the Internet most people won’t ever see. Any internet exposed connected device can show up in a search.<br>" | Out-String
$head,$PreContent,[System.Web.HttpUtility]::HtmlDecode($BreachListHTML),$ShodanHTML | Out-File "C:\temp\$($customer.name).html"
}
On-Demand version
So the on-demand version is transformed into a function. This allows you to enter the e-mail addresses as a list, and any IP addresses you also want to add to the report. An example query could be:
We’re hosting this version on a Azure Function that our sales engineers can query whenever they need to. It makes it easy for them to create a report for a client on-demand.
function Get-BreachInfo {
[CmdletBinding()]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]$EmailAddress,
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]$IPs,
[Parameter(Mandatory = $true)]$ShodanAPIKey,
[Parameter(Mandatory = $true)]$HaveIBeenPwnedKey,
[Parameter(Mandatory = $true)]$Outputfile
)
$head = @"
<script>
function myFunction() {
const filter = document.querySelector('#myInput').value.toUpperCase();
const trs = document.querySelectorAll('table tr:not(.header)');
trs.forEach(tr => tr.style.display = [...tr.children].find(td => td.innerHTML.toUpperCase().includes(filter)) ? '' : 'none');
}</script>
<Title>LNPP - Lime Networks Partner Portal</Title>
<style>
body { background-color:#E5E4E2;
font-family:Monospace;
font-size:10pt; }
td, th { border:0px solid black;
border-collapse:collapse;
white-space:pre; }
th { color:white;
background-color:black; }
table, tr, td, th {
padding: 2px;
margin: 0px;
white-space:pre; }
tr:nth-child(odd) {background-color: lightgray}
table { width:95%;margin-left:5px; margin-bottom:20px; }
h2 {
font-family:Tahoma;
color:#6D7B8D;
}
.footer
{ color:green;
margin-left:10px;
font-family:Tahoma;
font-size:8pt;
font-style:italic;
}
#myInput {
background-image: url('https://www.w3schools.com/css/searchicon.png'); /* Add a search icon to input */
background-position: 10px 12px; /* Position the search icon */
background-repeat: no-repeat; /* Do not repeat the icon image */
width: 50%; /* Full-width */
font-size: 16px; /* Increase font-size */
padding: 12px 20px 12px 40px; /* Add some padding */
border: 1px solid #ddd; /* Add a grey border */
margin-bottom: 12px; /* Add some space below the input */
}
</style>
"@
$PreContent = @"
<H1> Breach logbook</H1> <br>
This log contains all breaches found for the e-mail addresses in your Microsoft tenant. You can use the search to find specific e-mail addresses.
<br/>
<br/>
<input type="text" id="myInput" onkeyup="myFunction()" placeholder="Search...">
"@
$HIBPHeader = @{'hibp-api-key' = $HaveIBeenPwnedKey }
write-host " Retrieving Breach Info" -ForegroundColor Green
$UserList = $EmailAddress
$HIBPList = foreach ($User in $UserList) {
try {
$Breaches = $null
$Breaches = Invoke-RestMethod -Uri "https://haveibeenpwned.com/api/v3/breachedaccount/$($user)?truncateResponse=false" -Headers $HIBPHeader -UserAgent 'CyberDrain.com PowerShell Breach Script'
}
catch {
if ($_.Exception.Response.StatusCode.value__ -eq '404') { } else { write-error "$($_.Exception.message)" }
}
start-sleep 1.5
foreach ($Breach in $Breaches) {
[PSCustomObject]@{
Username = $user
'Name' = $Breach.name
'Domain name' = $breach.Domain
'Date' = $Breach.Breachdate
'Verified by experts' = if ($Breach.isverified) { 'Yes' } else { 'No' }
'Leaked data' = $Breach.DataClasses -join ', '
'Description' = $Breach.Description
}
}
}
$BreachListHTML = $HIBPList | ConvertTo-Html -Fragment -PreContent '<h2>Breaches</h2><br> A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. HIBP aggregates breaches and enables people to assess where their personal data has been exposed.<br>' | Out-String
write-host " Getting Shodan information." -ForegroundColor Green
$SHodanInfo = foreach ($Domain in $IPs) {
$ShodanQuery = (Invoke-RestMethod -Uri "https://api.shodan.io/shodan/host/search?key=$($ShodanAPIKey)&query=$Domain" -UserAgent 'CyberDrain.com PowerShell Breach Script').matches
foreach ($FoundItem in $ShodanQuery) {
[PSCustomObject]@{
'Searched for' = $Domain
'Found Product' = $FoundItem.product
'Found open port' = $FoundItem.port
'Found IP' = $FoundItem.ip_str
'Found Domain' = $FoundItem.domain
}
}
}
if (!$ShodanInfo) { $ShodanInfo = @{ 'Detection' = "No information found for domains on Shodan" } }
$ShodanHTML = $SHodanInfo | ConvertTo-Html -Fragment -PreContent "<h2>Shodan Information</h2><br>Shodan is a search engine, but one designed specifically for internet connected devices. It scours the invisible parts of the Internet most people won’t ever see. Any internet exposed connected device can show up in a search.<br>" | Out-String
$head, $PreContent, [System.Web.HttpUtility]::HtmlDecode($BreachListHTML), $ShodanHTML | Out-File $Outputfile
}
So that’s it! With this, I hope you can document your breaches a little a better and help clients understand the risks involved. As always, Happy PowerShelling!
Sometime ago I made a blog about monitoring your environments by using PowerShell and the Shodan API. This blog was well received but I felt like it could use a lot of improvements. The data returned wasn’t all that useful for some, and sometimes you want to exclude specific ports in case of an actual webserver for example.
So I’ve made an updated version that is able to return more info, This version allows you to add both exclusions, and get more information like who the ISP is, and if known vulnerabilities have been found. It also keeps a history of the previous result and runs a compare against this, to check if something has been changed.
As always these scripts are designed to run with your RMM, on environments where you’d expect no open ports or a very limited subset. Monitoring this on all your devices probably aint the best plan 🙂
$PortExclusions = @('80', '443')
$CurrentIP = (Invoke-WebRequest -uri "http://ifconfig.me/ip" -UseBasicParsing ).Content
$ListIPs = @($CurrentIP)
$Shodan = foreach ($ip in $ListIPs) {
try {
$ReqFull = Invoke-RestMethod -uri "https://api.shodan.io/shodan/host/$($ip)?key=$APIKEY"
}
catch {
write-host "Could not get information for host $IP. Error was: $($_.Exception.Message)"
continue
}
foreach ($req in $ReqFull.data | Where-Object { $_.port -notin $PortExclusions }) {
[PSCustomObject]@{
'IP' = $req.ip_str
'Detected OS' = $Req.data.OS
'Detected Port' = $req.port
'Detected ISP' = $req.isp
'Detected Data' = $req.data
'Found vulnerabilities' = $req.opts.vulns
}
}
}
$previousResult = get-content "$($Env:Programdata)\ShodanScan\LastScan.txt" -ErrorAction SilentlyContinue | ConvertFrom-Json
if($previousResult) {$CompareObject = Compare-Object $previousresult $Shodan}
if ($CompareObject) { Write-Host "There is a different between the previous result and the current result. Please investigate" }
new-item "$($Env:Programdata)\ShodanScan" -ItemType Directory -Force
ConvertTo-Json $Shodan | Out-File "$($Env:Programdata)\ShodanScan\LastScan.txt"
if (!$Shodan) { write-host "Healthy - Hosts are not found in Shodan." } else { write-host "Hosts are found in Shodan. Information: $($Shodan | out-string)" }
This script was requested by a friend of mine. She had trouble keeping her IP address management under control. A lot of changes on super and subscopes within networks caused her to lose oversight and she was wondering if there wasn’t a clean and automated way of generating documentation for this.
But before we dive into that script, I want to let you all know that the AzGlue function to protect, and help circumvent rate limitations for IT-Glue has been updated. Angus Warren made an amazing update. He added loads of functionality and security measures. If you are using AzGlue right now, I’d suggest to update to the latest version.
Angus his changes have updated the function entirely, and it’s practically a new product all together. I’ll be updating the documentation for this in the coming weeks.
The scripts
So, now let’s get to the scripts, I am sharing two versions again. One for IT-Glue, and one generic HTML version. The IT-Glue version creates the flexible asset for you at first run, and then documents the DHCP settings.
IT-Glue version
You can run this version by hand, using your RMM, or from a scheduled task.
###############
$ITGkey = "YOURIGLUEKEY"
$ITGbaseURI = "https://api.eu.itglue.com"
$FlexAssetName = "DHCP Server - Autodoc"
$ITGlueOrgID = "ITGLUEORGID"
$Description = "A logbook for DHCP server witha ll information about scopes, superscopes, etc.."
##############
#Settings IT-Glue logon information
If (Get-Module -ListAvailable -Name "ITGlueAPI") {
Import-module ITGlueAPI
}
Else {
Install-Module ITGlueAPI -Force
Import-Module ITGlueAPI
}
#Settings IT-Glue logon information
Add-ITGlueBaseURI -base_uri $ITGbaseURI
Add-ITGlueAPIKey $ITGkey
write-host "Checking if Flexible Asset exists in IT-Glue." -foregroundColor green
$FilterID = (Get-ITGlueFlexibleAssetTypes -filter_name $FlexAssetName).data
if (!$FilterID) {
write-host "Does not exist, creating new." -foregroundColor green
$NewFlexAssetData =
@{
type = 'flexible-asset-types'
attributes = @{
name = $FlexAssetName
icon = 'sitemap'
description = $description
}
relationships = @{
"flexible-asset-fields" = @{
data = @(
@{
type = "flexible_asset_fields"
attributes = @{
order = 1
name = "DHCP Server Name"
kind = "Text"
required = $true
"show-in-list" = $true
"use-for-title" = $true
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 2
name = "DHCP Server Settings"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 3
name = "DHCP Server Database Information"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 4
name = "DHCP Domain Authorisation"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 5
name = "DHCP Scopes"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 6
name = "DHCP Scope Information"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
},
@{
type = "flexible_asset_fields"
attributes = @{
order = 7
name = "DHCP Statistics"
kind = "Textbox"
required = $false
"show-in-list" = $false
}
}
)
}
}
}
New-ITGlueFlexibleAssetTypes -Data $NewFlexAssetData
$FilterID = (Get-ITGlueFlexibleAssetTypes -filter_name $FlexAssetName).data
}
write-host "Starting documentation process." -foregroundColor green
$DCHPServerSettings = Get-DhcpServerSetting | select-object ActivatePolicies, ConflictDetectionAttempts, DynamicBootp, IsAuthorized, IsDomainJoined, NapEnabled, NpsUnreachableAction, RestoreStatus | ConvertTo-Html -Fragment -PreContent "<h1>DHCP Server Settings</h1>" | Out-String
$databaseinfo = Get-DhcpServerDatabase | Select-Object BackupInterval, BackupPath, CleanupInterval, FileName, LoggingEnabled, RestoreFromBackup | ConvertTo-Html -Fragment -PreContent "<h1>DHCP Database information</h1>" | Out-String
$DHCPDCAuth = Get-DhcpServerInDC | select-object IPAddress, DnsName | ConvertTo-Html -Fragment -PreContent "<h1>DHCP Domain Controller Authorisations</h1>" | Out-String
$Scopes = Get-DhcpServerv4Scope
$ScopesAvailable = $Scopes | Select-Object ScopeId, SubnetMask, StartRange, EndRange, ActivatePolicies, Delay, Description, LeaseDuration, MaxBootpClients, Name, NapEnable, NapProfile, State, SuperscopeName, Type | ConvertTo-Html -Fragment -PreContent "<h1>DHCP Server scopes</h1>" | Out-String
$ScopeInfo = foreach ($Scope in $scopes) {
$scope | Get-DhcpServerv4Lease | select-object ScopeId, IPAddress, AddressState, ClientId, ClientType, Description, DnsRegistration, DnsRR, HostName, LeaseExpiryTime | ConvertTo-Html -Fragment -PreContent "<h1>Scope Information: $($Scope.name) - $($scope.ScopeID) </h1>" | Out-String
}
$DHCPServerStats = Get-DhcpServerv4Statistics | Select-Object InUse, Available, Acks, AddressesAvailable, AddressesInUse, Declines, DelayedOffers, Discovers, Naks, Offers, PendingOffers, PercentageAvailable, PercentageInUse, PercentagePendingOffers, Releases, Requests, ScopesWithDelayConfigured, ServerStartTime, TotalAddresses, TotalScope | ConvertTo-Html -Fragment -PreContent "<h1>DHCP Server statistics</h1>" -As List | Out-String
write-host "Uploading to IT-Glue." -foregroundColor green
$FlexAssetBody = @{
type = 'flexible-assets'
attributes = @{
traits = @{
'dhcp-server-name' = $env:computername
'dhcp-server-settings' = $DCHPServerSettings
'dhcp-server-database-information' = $databaseinfo
'dhcp-domain-authorisation' = $DHCPDCAuth
'dhcp-scopes' = $ScopesAvailable
'dhcp-scope-information' = $ScopeInfo
'dhcp-statistics' = $DHCPServerStats
}
}
}
write-host "Documenting to IT-Glue" -ForegroundColor Green
$ExistingFlexAsset = (Get-ITGlueFlexibleAssets -filter_flexible_asset_type_id $($filterID.ID) -filter_organization_id $ITGlueOrgID).data | Where-Object { $_.attributes.traits.'dhcp-server-name' -eq $env:computername }
#If the Asset does not exist, we edit the body to be in the form of a new asset, if not, we just upload.
if (!$ExistingFlexAsset) {
$FlexAssetBody.attributes.add('organization-id', $ITGlueOrgID)
$FlexAssetBody.attributes.add('flexible-asset-type-id', $($filterID.ID))
write-host " Creating DHCP Server Log into IT-Glue organisation $ITGlueOrgID" -ForegroundColor Green
New-ITGlueFlexibleAssets -data $FlexAssetBody
}
else {
write-host " Editing DHCP Server Log into IT-Glue organisation $ITGlueOrgID" -ForegroundColor Green
$ExistingFlexAsset = $ExistingFlexAsset | select-object -last 1
Set-ITGlueFlexibleAssets -id $ExistingFlexAsset.id -data $FlexAssetBody
}
Generic version
As requested for the generic version I’ve included a screenshot of the end results:
So we’re managing more and more cloud only clients. This is fantastic because you don’t have to worry about all the old worries like keeping a server online and updated. Another cool thing is that it becomes a lot easier to manage devices and endpoints.
The thing is, even with Azure AD you still have maintenance tasks that never seem to disappear. This time, we’re picking up the age old issue of keeping your Active Directory cleaned up. In this case; The Azure Active Directory.
With the following script we detect a couple of things; any user that has not logged in for 90 days, but also any device that has not logged into the Azure AD for 90 days. Finding these older devices gives you the ability to see if your off-boarding procedures are running well and you’re not having a total mess.
A good real life example came to me recently; one of our employees had a device stolen and I logged into the intune portal to start a remote wipe. The problem was that this user had around 10 devices in the portal and I could not be sure which was the current one. If I had maintained the portal and ran this script more often, finding the device would’ve been much easier.
Lets get to the script! As always I’ll publish two versions
Single tenant script
########################## Secure App Model Settings ############################
$ApplicationId = 'YourApplicationID'
$ApplicationSecret = 'YourApplicationSecret' | Convertto-SecureString -AsPlainText -Force
$TenantID = 'YourTenantID'
$RefreshToken = 'YourRefreshToken'
$UPN = "YourUPN"
$CustomerTenant = "Customer.onmicrosoft.com"
########################## Script Settings ############################
$Date = (get-date).AddDays(-90)
$Baseuri = "https://graph.microsoft.com/beta"
write-host "Generating token to log into Azure AD. Grabbing all tenants" -ForegroundColor Green
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)
$CustGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes "https://graph.microsoft.com/.default" -ServicePrincipal -Tenant $CustomerTenant
write-host "$($Tenant.Displayname): Starting process." -ForegroundColor Green
$Header = @{
Authorization = "Bearer $($CustGraphToken.AccessToken)"
}
write-host " $($Tenant.Displayname): Grabbing all Users that have not logged in for 90 days." -ForegroundColor Green
$UserList = (Invoke-RestMethod -Uri "$baseuri/users/?`$select=displayName,UserPrincipalName,signInActivity" -Headers $Header -Method get -ContentType "application/json").value | select-object DisplayName, UserPrincipalName, @{Name = 'LastLogon'; Expression = { [datetime]::Parse($_.SignInActivity.lastSignInDateTime) } } | Where-Object { $_.LastLogon -lt $Date }
$devicesList = (Invoke-RestMethod -Uri "$baseuri/devices" -Headers $Header -Method get -ContentType "application/json").value | select-object Displayname, @{Name = 'LastLogon'; Expression = { [datetime]::Parse($_.approximateLastSignInDateTime) } }
$OldObjects = [PSCustomObject]@{
Users = $UserList | where-object { $_.LastLogon -ne $null }
Devices = $devicesList | Where-Object { $_.LastLogon -lt $Date }
}
if (!$OldObjects) { write-host "No old objects found in any tenant" } else { write-host "Old objects found."; $Oldobjects }
Some time ago I wrote a blog about monitoring Active Directory replication. A couple of days ago a friend in Slack asked me if I have anything for monitoring the entire general health of a domain controller, and not just replication.
So I researched some options, I found this blog by Adam, which was 90% of what I needed. I just wanted a script that was slightly more complete – Not just the health is important but also specific settings are.
For example; we want the replication time to be under 30 minutes, we want the recycle bin to always be active, and password complexity should be enabled everywhere. To monitor all of this, I’ve built the script below.
The Script
$DiagInfo = dcdiag
$DCDiagResult = $Diaginfo | select-string -pattern '\. (.*) \b(passed|failed)\b test (.*)' | foreach {
$obj = @{
TestName = $_.Matches.Groups[3].Value
TestResult = $_.Matches.Groups[2].Value
Entity = $_.Matches.Groups[1].Value
}
[pscustomobject]$obj
}
$DCDiagStatus = foreach ($FailedResult in $DCDiagResult | Where-Object { $_.Testresult -ne "passed" }) {
"DC diag test not succesfull on entity $($FailedResult.entity) - $($FailedResult.testname)"
}
if(!$DCDiagStatus){ $DCDiagStatus = "Healthy. No DCDiag Tests failed" }
$ReplicationSchedule = Get-ADReplicationSiteLink -filter *
$ReplicationSchedStatus = foreach ($Replication in $ReplicationSchedule) {
if ($replication.ReplicationFrequencyInMinutes -gt 30) { "Potentional replication schedulde issue. $($Replication.name) has a replication schedulde of $($replication.ReplicationFrequencyInMinutes)" }
}
if (!$ReplicationSchedStatus) { $ReplicationSchedStatus = "Healthy - Replication Schedulde for all sites is lower than 30 minutes" }
$PasswordPolcy = Get-ADDefaultDomainPasswordPolicy
if ($PasswordPolcy.complexityEnabled -ne $true) { $PasswordComplexityHealthy = "Unhealthy - Password Complexity is disabled" }else {
$PasswordComplexityHealthy = "Healthy - Password Complxity is enabled"
}
$ADRecycler = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
if (!$ADRecycler.enabledscopes) { $ADRecyclerHealth = "Unhealthy. AD Recycle Bin Feature is disabled" } else { $ADRecyclerHealth = "Healthy - Recycle bin is enabled." }
$DCDiagStatus
$ReplicationSchedStatus
$PasswordComplexityHealthy
$ADRecyclerHealth
So load this up in your RMM, check the values of the bottom 4 variables and done. 🙂 Active Directory Monitoring made easy.
