<p><b>Torx's Mind</b>: Random IT stuff that I have picked up here and there. By Torx (feed updated 2024-03-12).</p>
<p><b>Windows Firewall rules for Fortinet SSO Collector</b> (2023-12-31)</p>
The Fortinet SSO Collector service collects login information from all domain controllers and forwards user / machine / IP information to the FortiGate.<div><br /></div><div>I recently installed new Windows 2022 Domain Controllers in Core mode (no GUI). For the SSO collector and agent communication, firewall rules needed to be added to allow the incoming connections.</div><div><br /></div><div>References:</div><div><a href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSAE-file-location-and-registry-keys-location/ta-p/198676" target="_blank">Fortinet Community #1</a></div><div><a href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-List-of-TCP-and-UDP-ports-used-by-the-FSSO/ta-p/194130" target="_blank">Fortinet Community #2</a></div><div><a href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FSSO-collector-agent-on-Windows-server/ta-p/190104" target="_blank">Fortinet Community #3</a></div><div><a href="https://www.fortinetguru.com/2019/05/configuring-the-fsso-collector-agent-for-windows-ad-2/" target="_blank">Fortinet Guru #1</a><br /><div><br /></div><div><br /></div>
<script src="https://gist.github.com/Torxsmind/8f96b4afaf36df41fceb327f93069c52.js"></script></div>
<p><b>Tail Windows Defender Firewall Log</b> (2023-12-28)</p>
<script src="https://gist.github.com/Torxsmind/86a27b5d3cdebb615e688bb467475794.js"></script>
<p><b>Grab a NIC's IP information and dynamically create a reset script</b> (2021-09-15, Columbus, OH, USA)</p>
<p>I had a request to figure out how to record a NIC's IP information and make it easy to put the config back if required. The result is a runnable $outfile PowerShell script to reset the settings.</p>
<script src="https://gist.github.com/Torxsmind/ed11ce491c7bc86847c2abf70c5ea8f2.js"></script>
<p><b>Native Windows 10 packet sniffer PKTMON</b> (2021-04-16)</p>
<p>I had to troubleshoot connectivity issues from a Windows 10 machine, and really did not want to install Wireshark. Then I remembered reading this document for the built-in sniffer: <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pktmon">pktmon | Microsoft Docs</a></p>
<p>Basically, here are the steps:</p>
<ul>
<li>Change directory to where you want the results to be saved (e.g. c:\temp)</li>
<li>Add filters for the IPs you want to monitor
<ul>
<li><b>pktmon filter add -i 8.8.8.8</b></li>
<li><b>pktmon filter add -i 9.9.9.9</b></li>
</ul></li>
</ul>
<a href="https://lh3.googleusercontent.com/-ez_asX2zZqc/YHmFyvOJeUI/AAAAAAAAsQo/GYpWVBeU4aM4GSgJg1hZdJnTql5FY5XPQCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img alt="" data-original-height="83" data-original-width="371" height="72" src="https://lh3.googleusercontent.com/-ez_asX2zZqc/YHmFyvOJeUI/AAAAAAAAsQo/GYpWVBeU4aM4GSgJg1hZdJnTql5FY5XPQCLcBGAsYHQ/image.png" width="320" /></a><br />
<ul>
<li>Start pktmon
<ul>
<li><b>pktmon start --etw</b> (this will write to the PktMon.etl file only)</li>
<li><b>pktmon start --etw -l real-time</b> (will write to the PktMon.etl file and the screen)</li>
</ul></li>
<li>Generate the traffic</li>
</ul>
<div class="separator" style="clear: both; display: inline !important; text-align: center;"><a href="https://lh3.googleusercontent.com/-9D43r54kvXc/YHmGHIe7tcI/AAAAAAAAsQw/_vu2b_YRibY_EFv21Na5mRvuT9xksRQ5gCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="105" data-original-width="371" height="91" src="https://lh3.googleusercontent.com/-9D43r54kvXc/YHmGHIe7tcI/AAAAAAAAsQw/_vu2b_YRibY_EFv21Na5mRvuT9xksRQ5gCLcBGAsYHQ/image.png" width="320" /></a></div><br />
<ul>
<li>Stop pktmon
<ul>
<li><b>pktmon stop</b></li>
</ul></li>
</ul>
<a href="https://lh3.googleusercontent.com/-TL5kyDVu6FE/YHmGQ376lvI/AAAAAAAAsQ0/rPL_Omp-HkIgVAEl4ExIRzho24azyy1CwCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img alt="" data-original-height="45" data-original-width="371" height="39" src="https://lh3.googleusercontent.com/-TL5kyDVu6FE/YHmGQ376lvI/AAAAAAAAsQ0/rPL_Omp-HkIgVAEl4ExIRzho24azyy1CwCLcBGAsYHQ/image.png" width="320" /></a>
<p>The native PktMon.etl file can only be read by Microsoft’s NetMon. If you have Wireshark installed, you can run this command to convert it:</p>
<ul><li><b>pktmon pcapng pktmon.etl -o log.pcapng</b></li></ul>
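<p>The whole sequence above (filter, start, generate traffic, stop, convert) wrapped in one PowerShell function, as an added example that is not part of the original post. It assumes an elevated PowerShell session on a build that ships pktmon.exe, and the output folder, address list and capture duration are parameters chosen here for illustration. The subcommands follow the post; newer builds renamed some of them (<b>pktmon start --capture</b>, <b>pktmon etl2pcap</b>), so check <b>pktmon help</b> on the machine in use.</p>

```powershell
# Added example (not from the original post): the pktmon steps above as one
# PowerShell function. Assumes an elevated session and pktmon.exe on the PATH.
function Invoke-PktmonCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Address,  # IPs to filter on, e.g. 8.8.8.8
        [string] $OutDir  = 'C:\temp',               # where PktMon.etl and the pcapng land (assumed)
        [int]    $Seconds = 30                       # how long to capture (assumed)
    )

    if (-not (Get-Command pktmon.exe -ErrorAction SilentlyContinue)) {
        throw 'pktmon.exe not found on this build.'
    }
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'pktmon needs an elevated session.' }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Push-Location $OutDir    # pktmon writes PktMon.etl into the current directory
    try {
        pktmon filter remove | Out-Null           # start from an empty filter list
        foreach ($ip in $Address) {
            pktmon filter add -i $ip | Out-Null   # one filter per IP, as in the post
        }
        pktmon filter list                        # show what will be captured

        pktmon start --etw | Out-Null             # file only; add "-l real-time" to also print to screen
        Write-Host "Capturing for $Seconds seconds; generate the traffic now..."
        Start-Sleep -Seconds $Seconds
        pktmon stop | Out-Null

        $etl  = Join-Path $OutDir 'PktMon.etl'
        $pcap = Join-Path $OutDir ('capture-{0:yyyyMMdd-HHmmss}.pcapng' -f (Get-Date))
        pktmon pcapng $etl -o $pcap | Out-Null    # convert for Wireshark, as in the post
        pktmon filter remove | Out-Null           # leave no filters behind for the next run
        Get-Item $pcap
    }
    finally { Pop-Location }
}

# Usage (constructed): capture traffic to the two resolvers from the post for 20 seconds
Invoke-PktmonCapture -Address 8.8.8.8, 9.9.9.9 -Seconds 20
```

<p>The function clears the filter list before and after the run because pktmon filters persist between captures on the same machine; a stale filter from an earlier troubleshooting session is the usual reason a capture comes back empty.</p>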
<p>Also for reference, the on-screen verbose output (-l real-time) of opening nslookup and connecting to 8.8.8.8 would look like this:</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-JYUq9j-30dI/YHmGpVLvAqI/AAAAAAAAsQ8/nIyHwYEZOr4L1GPs8e1uH6zI6O-cm7jawCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="720" data-original-width="1113" height="415" src="https://lh3.googleusercontent.com/-JYUq9j-30dI/YHmGpVLvAqI/AAAAAAAAsQ8/nIyHwYEZOr4L1GPs8e1uH6zI6O-cm7jawCLcBGAsYHQ/w640-h415/image.png" width="640" /></a></div><br /><br />
<p>There are other options in the linked doc, but to get a quick view of traffic, not bad. Enjoy!</p>
<p><b>Get all Active Directory users' properties</b> (2021-04-09)</p>
Need to grab all the properties for all your AD users? Here you go!
<script src="https://gist.github.com/Torxsmind/8e845fc2052339aaecd3e21b3449f3ee.js"></script><div><br /></div>
<p><b>Rename files to a random name</b> (2020-08-26)</p><p>
I had a bunch of photos that I wanted to randomize on a photo
frame. The frame processes photos alphabetically by file name. Since the
original filename had the date / time the picture was taken, there was
no randomness to what was displayed.
</p>
<p><br /></p>
<p>I wrote this to change the filenames to a random number.</p>
<p><br /></p>
<p><br /></p>
<script src="https://gist.github.com/Torxsmind/40962fb6748410c2922e41c04a7d3e64.js"></script>
<p><b>Remove WSUS GPO settings</b> (2020-06-18)</p>
Most companies deploy Windows Server Update Services (WSUS) via a group policy to keep all corporate systems updated. However, sometimes the nerd in me wants the latest and greatest before corporate approves them. So run these commands in an administrative PowerShell session. This will remove the WSUS settings until the next GPO sync.<br />
<br />
<br />
<script src="https://gist.github.com/Torxsmind/6dc8e87b799cdc4af0e31536676f0c65.js"></script>
<p><b>PCI Antivirus logs</b> (2020-06-16)</p>
The QSA requested proof of antivirus logging and its retention. Using the LET command, I am grabbing the newest and oldest log entries as evidence.
<script src="https://gist.github.com/Torxsmind/6978d24022ddaac73c2fd8130f290ee0.js"></script>
<p><b>PCI Requirement 2 - Proof MFA in use</b> (2020-06-15)</p>
I am going through a PCI audit and was asked to prove that MFA was in use. I used this Azure KQL query against my Log Analytics workspace to show all sign-ins and whether MFA was checked.
<script src="https://gist.github.com/Torxsmind/b7b4c183fc02bc95f6a4364dafbc307f.js"></script>
<p><b>Whose AD password will be expiring?</b> (2020-04-20)</p>
Need to know when users' passwords will be expiring?
<script src="https://gist.github.com/Torxsmind/4d063d69d022880d7c056ef56c83dd28.js"></script>
<p><b>Get vNET and Subnet information</b> (2020-04-20)</p>
Need to dump all vNET and subnet info for all your subscriptions? Here is a nice little script:
<br />
<br />
<script src="https://gist.github.com/Torxsmind/6468fdce5d74162a61aa2fa7908b23f6.js"></script>
<p><b>Bypass Windows Store being blocked by GPO</b> (2020-04-17)</p>
Our company blocks access to the Microsoft Store for downloads of applications / updates. However, Microsoft is only distributing some apps via the Store, e.g. "Microsoft To-Do".<br />
<br />
Change these registry values to get access to the store until your next GPO refresh.<br />
<br />
<br />
<script src="https://gist.github.com/Torxsmind/56e73b17b96d8b23fba179a1a94dd6e8.js"></script>
<p><b>PingInfoView</b> (2020-04-14)</p>
PingInfoView by NirSoft is the ping utility I use when pinging multiple devices or watching systems during a change.<br />
<br />
<img src="https://www.nirsoft.net/utils/pinginfoview.gif" /><br />
<br />
<a href="https://www.nirsoft.net/utils/multiple_ping_tool.html">https://www.nirsoft.net/utils/multiple_ping_tool.html</a><br />
<br />
<br />
<p><b>Microsoft DirectAccess Client Check</b> (2020-04-13)</p>
If you are using DirectAccess, any client that has been configured to use it can run this simple netsh command from the command prompt to see whether it thinks it is inside or outside the network.<br />
<br />
<br />
<b>netsh dns show state</b><br />
<br />
During a DNS outage this showed us that the machine location was "Outside corporate network" even though we were here in the office. This explained the DNS lookup issues.<br />
<br />
Name Resolution Policy Table Options<br />
--------------------------------------------------------------------<br />
<br />
Query Failure Behavior : Only use LLMNR and NetBIOS if the name does not exist in DNS<br />
Query Resolution Behavior : Resolve only IPv6 addresses for names<br />
Network Location Behavior : Let Network ID determine when Direct Access settings are to be used<br />
Machine Location : Outside corporate network<br />
Direct Access Settings : Configured and Enabled<br />
DNSSEC Settings : Not Configured<br />
<div>
<br /></div>
<p><b>Azure get all public IPs</b> (2020-04-04)</p>
I needed to export all public IPs from my Azure subscriptions. I wrote this code to get it in one shot.<br />
<br />
You will have to connect via <b>Connect-AzAccount</b> first.<br />
<br />
<script src="https://gist.github.com/Torxsmind/e5d48fbe2ae05f2508d2ccc6dcddfd41.js"></script>
<p><b>Creating a scheduled task to restart a service via PowerShell</b> (2020-03-09)</p>
I needed to create a task on many servers to automate the nightly restart of a service. I wanted to ensure that I did not miss a step, so I decided to use PowerShell to create the task.<br />
<br />
Enjoy
<script src="https://gist.github.com/Torxsmind/a0d9cc2eb12e328f75cc067adbd966ec.js"></script>
<br />
<br />
<p><b>Viewing Azure NSG blocked traffic</b> (2020-03-06)</p>
Need to see the bad stuff your NSG is keeping out? Or need to find out if you are blocking good traffic? Well, if you are logging to a workspace, run this query:<br />
<br />
<script src="https://gist.github.com/Torxsmind/ac4f1f4bc66a753e706b6ec13dd9fe67.js"></script>
<br />
<br />
<p><b>Need to export everyone on litigation hold in Office 365?</b> (2020-01-24)</p><div>
<br /></div>
<div>
<br /></div>
<script src="https://gist.github.com/Torxsmind/9988f6f33133fbd1ad6ae595fc468eec.js"></script>
<p><b>Override WSUS to install RSAT</b> (2019-12-09)</p>
New laptop = sweet<br />
Need RSAT deployed and WSUS admins do not have the correct settings = D'OH!<br />
Run this code under elevated PowerShell to get it installed.
<br />
<script src="https://gist.github.com/Torxsmind/54b1a391f06b7c3b48d934365c448bc0.js"></script><br />
<p><b>Notepad++ replace space with a line feed</b> (2019-12-09)</p>
I was given a text file that needed to be run through Excel for a word-count pivot table. The txt file I received was unformatted, and spaces were the only common thing I could search for.<br />
<br />
In Notepad++ I searched for <b>\s</b> and replaced it with <b>\n</b> to produce a line per word. This allowed me to import into Excel for further analysis.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-364hFxPP-Fg/Xe49PRUwlII/AAAAAAAAm5k/nmXOF19RzOQm4Mg3somF8LEALWQ-9XQiACLcBGAsYHQ/s1600/notepad%252B%252B_replace_spaces.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="372" data-original-width="644" height="230" src="https://1.bp.blogspot.com/-364hFxPP-Fg/Xe49PRUwlII/AAAAAAAAm5k/nmXOF19RzOQm4Mg3somF8LEALWQ-9XQiACLcBGAsYHQ/s400/notepad%252B%252B_replace_spaces.png" width="400" /></a></div>
<br />
<p><b>Disable LLMNR and NetBIOS via DSC</b> (2019-08-21)</p>
Here is some DSC code to help prevent some LLMNR vulnerabilities and disable NetBIOS over TCP/IP.
<script src="https://gist.github.com/Torxsmind/b9e77d04f8597c8c1cab77d3a2ea29ce.js"></script>
<p><b>Azure Get MFA Default Method</b> (2019-07-03)</p>
I recently had to audit the MFA methods that users registered for and their default method. Here is the code that helped me.<br />
<br />
<script src="https://gist.github.com/Torxsmind/7261b5c8b339e5214ea4eaf1163d6174.js"></script>
<p><b>Get OS information</b> (2017-06-12)</p><div style="margin: 0;">
<b>Get-CimInstance Win32_OperatingSystem | Select Name,Caption,OSType,Version,BuildNumber,OperatingSystemSKU</b></div>
<p><b>FortiSwitch 3.4.1 MAC to Port</b> (2016-12-18)</p>
<b>diagnose switch mac-address list</b><br />
<br />
<br />MAC: ec:b1:d7:38:68:b6 VLAN: 1031 Port: port4(port-id 4)<br /> Flags: 0x00010c40 [ used ]<br />
MAC: 00:15:65:71:e7:77 VLAN: 1031 Port: port17(port-id 17)<br /> Flags: 0x00010c40 [ used ]<br />
MAC: 90:6c:ac:14:3f:1b VLAN: 1028 Trunk: fortilink(trunk-id 0)<br /> Flags: 0x08001080 [ trunk ]<br />
MAC: 00:0e:08:d7:0d:d8 VLAN: 1031 Port: port22(port-id 22)<br /> Flags: 0x00010c40 [ used ]<br />
MAC: 88:51:fb:81:4d:c5 VLAN: 1031 Port: port20(port-id 20)<br /> Flags: 0x00010c40 [ used ]<br />
<p><b>Windows Installer while in Safe Mode</b> (2016-08-28)</p>
Ever have an issue where you need to uninstall something while in Safe Mode?<br />
<br />
Here is how to accomplish this task:<br />
<ol>
<li>Enter Safe mode with Networking</li>
<li>Open a CMD prompt as Administrator</li>
<li>Type <b>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer" /VE /T REG_SZ /F /D "Service"</b></li>
<li>Then type <b>net start msiserver</b></li>
</ol>
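<p>The two commands above as one PowerShell function, added here as an example that is not part of the original post. It does the same registry write and service start, but first checks that the machine really is in Safe Mode with Networking (Windows sets the SAFEBOOT_OPTION environment variable to NETWORK in that mode) so the allow-list key is not created on a normally booted system by mistake. The function name and the -WhatIf support are my additions.</p>

```powershell
# Added example (not from the original post): the safe-mode MSI fix above as a
# PowerShell function with a guard. Run from an elevated PowerShell prompt.
function Enable-MsiServerInSafeMode {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Windows sets SAFEBOOT_OPTION to MINIMAL or NETWORK while in Safe Mode;
    # outside Safe Mode it is unset, and the key below would change nothing useful.
    if ($env:SAFEBOOT_OPTION -ne 'NETWORK') {
        throw "Not in Safe Mode with Networking (SAFEBOOT_OPTION='$($env:SAFEBOOT_OPTION)'); nothing to do."
    }

    # Same key as the REG ADD in the post. Its default value "Service" tells the
    # safe-boot loader that the msiserver service may start in this boot mode.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer'
    if ($PSCmdlet.ShouldProcess($key, 'Create key with default value "Service"')) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(Default)' -Value 'Service' -Type String
    }

    # Equivalent of "net start msiserver"
    if ($PSCmdlet.ShouldProcess('msiserver', 'Start service')) {
        Start-Service -Name msiserver
    }
    Get-Service -Name msiserver    # expected to report Running
}

# Usage: preview with -WhatIf first, then run for real
Enable-MsiServerInSafeMode -WhatIf
Enable-MsiServerInSafeMode
```

<p>The SafeBoot\Network\MSIServer key persists after the reboot, so once the uninstall is done, remove it (<b>Remove-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer'</b>) to keep the safe-boot service allow-list as short as it was before.</p>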