You're looking at the Yellow Pages for Community Worklets... find Worklets and share your own here!
Recently active
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f I push this if I need to enable RDP for some reason.
Evaluation: if (Test-Path -Path "C:\Windows\System32\SNMP.exe") { Exit 0 } else { Exit 1 } Remediation Code: Install-WindowsFeature SNMP-Service Start-Sleep -s 10 Restart-Service -name SNMP Note: The Start-Sleep and Restart-Service seem to help in making sure the snmp service has enough time to install and make sure the service gets started after the install. The snmp service will only be added if it is not already on the system.
One way to minimize the number of policies was to build a worklet that I’m using to apply security baseline changes to workstations. More importantly I’m using multiple PowerShell functions to control output to obtain a cleaner looking activity details when a host runs the worklet. Each configuration change was a result of either a vulnerability scanner or baseline requirement. I’ve attempted to remember to put links in where applicable in the code. Evaluation Code # Security Team Workstation Configuration Baseline Evaluation Code #region Rapid7 Vulnerability: Weak LAN Manager hashing permitted Function Test-LMCompatibilityLevel { # Network security: LAN Manager authentication level # https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852207(v=ws.11) $path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" $ntlm = Get-ItemProperty -Path $path -Name LmCompatibilityLevel -ErrorAction SilentlyContinue $compliant = switch ($
I’m glad you guys do things like this it’s awesome. At my company we like to do a weekly restart for all machines on Friday at midnight besides our Police Department for the obvious reasons just so things continue to run smoothly and how we’ve set that up is through SCHTASKS. schtasks /create /sc weekly /d FRI /tn "auto reboot computer weekly" /st 24:00 /tr "shutdown -r -f -t 10"
This worklet can be used to remediate vulnerability found by Rapid7 -Weak LAN Manager hashing permitted. We do it by adding a value in registry. Evaluation Code: Exit 1 Remediation Code $path = ‘HKLM:\SYSTEM\CurrentControlSet\Control\Lsa’ $key = try { Get-Item -Path $path -ErrorAction Stop } catch { New-Item -Path $path -Force } New-ItemProperty -Path $key.PSPath -Name LMCompatibilityLevel -Value 5
Hey Y’all! Disabling root login is a super easy trick to increase security on Linux devices. In a lot of cases, IT admins set the root password as something simple so they remember it easily as they use it often to access a device via SSH . Furthermore, attackers typically use the root credential when trying to gain access to your device. For this reason and more disabling root login and create root privilege users is a good security practice. The Worklet below is designed to evaluate your device to ensure Root Login is disabled. Note: you need to make sure the users you’ve created on this device have sudo privileges. This Worklet currently only support devices running CentOS. Check later as this script will be modified to support other linux distros Evaluation: #!/bin/bash # create alias to the desired root login value for evaluation. this is the value you are looking for. ssh_value="^PermitRootLogin yes" # check the current conf file on the device to compare to desired value fo
This is a very basic method of setting up an L2TP VPN using a worklet. Change the values: vpnName, serverAddress, yourPsk, authMethod Evaluation Code: Get-VpnConnection -Name "vpnName" Remediation Code: Add-VpnConnection -AllUserConnection -Name "vpnName" -ServerAddress "serverAddress" -TunnelType L2tp -EncryptionLevel Optional -L2tpPsk "yourPsk" -AuthenticationMethod authMethod -Force
Simple worklet to remove all java versions and write back in activity log. Worklet is maintained on our github page: https://github.com/Dutch-Technology-eXperts/Automox/blob/main/remove_java.ps1 Evaluation code: Exit 1 Remediation code: IF (gwmi Win32_Product -filter "name like 'Java%'") { [void](gwmi Win32_Product -filter "name like 'Java%'" | % { $_.Uninstall() }) if ($? -eq "True") { Write-Output "Java succesfully removed." } else {Write-Output "Failed to remove Java!" } } ELSE {Write-Output "Java not installed."}
This worklet downloads the latest version of the Malwarebytes Support Tool and runs it on the system to uninstall Malwarebytes. If you want to save the tool to a directory other than C:\Temp, modify $uninstallFile on line 1 of the remediation code. From Malwarebytes: The Malwarebytes Support Tool command line version is used to cleanup and remove Malwarebytes products. The Support Tool removes Malwarebytes Endpoint Security and Malwarebytes Endpoint Protection, including their files, settings, and license information. Note : The Malwarebytes Support Tool cannot uninstall Malwarebytes software if the Tamper Protection feature is enabled in your environment. Disable Tamper Protection before running this tool. Evaluation: <# .SYNOPSIS Check for presence of specified application on the target device .DESCRIPTION Read 32-bit and 64-bit registry to find matching applications Exits with 0 for compliance, 1 for Non-Compliance. Non-Compliant devices will run Remediation Code at t
Is it necessary to have an “evaluation” on the worklet? I just want to use the remediation portion to push a Powershell script to uninstall an application. Something like this. $application1 = Get-WmiObject -Class Win32_Product -Filter “Name = ‘RingCentral Phone’” $application1.Uninstall()
Since the beginning of time we see java being installed by default. With the changing license structure of Oracle and the monthly increase in java vulnerabilities it is time to reduce the java footprint to the bare minimum. this worklet does a simple check if Oracle Java or Amazon Corretto is installed and if so checks if there is a running JAVA process to help determine if JAVA is needed on that system or if it can be removed. Evaluation Code EXIT 1 Remediation Code $installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where { $_.DisplayName -Match "Java" -or $_.DisplayName -match "Corretto" }) $version = "(Vendor: " + $installed.Publisher + " " + "Version: " + $installed.DisplayName + ")" If(-Not $installed) { Write-Output "Java is not installed" EXIT 0 } else { IF (Get-Process -Name "java" -ErrorAction SilentlyContinue) { Write-Output "$version is installed and currently running." } else { Write-Output "$version installe
The insight agent from Rapid7 insightIDR and InsightOPS supports advanced configuration features which can be configured by placing a logging.json file in the config folder of the agent. Distribution of this config file is not handled by Rapid7 therefore Automox can be used to place the file on all applicable systems. The content of the logging.json file can be tweaked based on your own preferences. Documentation can be found here: https://docs.rapid7.com/insight-agent/insightops#windows Don’t forget to add your API key before using the worklet. if ($configcheck -eq "True") {Write-Output "logging.json already exists" exit 0} New-Item "C:\Program Files\Rapid7\Insight Agent\components\insight_agent\common\config\logging.json" Set-Content -Path "C:\Program Files\Rapid7\Insight Agent\components\insight_agent\common\config\logging.json" -Value '{ "config": { "name": "insight agent windows", "endpoint": "eu.data.logs.insight.rapid7.com", "region": "eu", "api-key": "PL
Displays a balloon tip from the task tray for about 8 seconds for currently logged in user. Would invite anyone to help me get this code further! Worklet does use a custom icon file that I include as a file in the worklet. #message $msg = 'Hello world.' $title = 'Company' $icon = 'C:\Users\Public\Pictures\company.ico' IF(!(Test-Path "$icon")){Copy-Item company.ico "$icon"} # Build script that will send message. VBS is used to hide the PowerShell Script from popping up $vbs = @" command = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -File C:\ProgramData\Amagent\message.ps1 -Force" set shell = CreateObject("WScript.Shell") shell.Run command,0 "@ New-Item -Path "c:\ProgramData\Amagent" -Name "message.vbs" -ItemType "file" -Value $vbs -force $script = @" `$BalloonTipText = ("$msg") `$BalloonTipTitle = "$title" `$BalloonTipTime = 1000 `$BalloonTipIcon = 'None' Add-Type -AssemblyName System.Windows.Forms Add-Type -AssemblyName Sy
This worklet takes two configurations that you upload to the worklet - eventlogs.yaml & default_agent_config.yaml - and copies them to the Datadog folders they belong to as conf.yaml and datadog.yaml respectively. It also takes an existing conf.yaml.default configuration and makes a copy of it as the conf.yaml file in its’ same directory. A log is created in the Automox activity log, but it also creates a log locally on the machine in C:\vSOC_Tools. Evaluation: Exit 0 Remediation: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $datadogConfDir = 'C:\ProgramData\Datadog\' $win32ConfDir = 'C:\ProgramData\Datadog\conf.d\win32_event_log.d\' $diskConfDir = 'C:\ProgramData\Datadog\conf.d\disk.d' $eventLogs = 'eventlogs.yaml' #Uploaded File $defaultAgent = 'default_agent_config.yaml' #Uploaded File $service = Get-Service -Name "Datadog Agent" -ErrorAction SilentlyContinue Start-Transcript -Path C:\vSOC_Tools\test.log # Create directories if they don'
As you probably have already heard endlessly, Adobe Flash Player will reach end of life on December 31 2020. https://www.adobe.com/products/flashplayer/end-of-life.html Adobe has provided an uninstaller that works fairly well to remove stand-alone installations of Flash Player. https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html Please note the information in RED at the top of the uninstall directions: These instructions are NOT applicable to Flash Player included with Microsoft Edge or Internet Explorer on Windows 8 and later or with Google Chrome on all supported operating systems. Please visit the Flash Player Help page for instructions on enabling (or disabling) Flash Player in various browsers. “Most” modern browsers have built-in Flash support. Managing that integration is not in scope for this Worklet (as that topic would better be covered on how to manage Flash per browser. It is disabled by default in most of these browsers, and can be managed with
Installing the Arctic Wolf Agent Recently we had to go about deploying an agent from a managed SOC called “Arctic Wolf” to all of our server endpoints. The trouble is, the MSI file had to be in the same directory as a “customer.json” file in order to work. This was an issue because Automox only allows you to upload the MSI. Luckily, with PowerShell your imagination is the limit. This is how we got around the limitation as the “customer.json” file is a rather small (one line) file and can be created at runtime with PowerShell. Create a Required Software policy for Windows Upload the MSI to Automox Set the Package Name and Package Version to how it appears in the Win32_Product WMI class when installed on a machine. This is how Automox determines if the package is installed and if a machine is compliant. Currently as of writing this, the name is Arctic Wolf Agent 2020-05_01 and the version is 20.20.0501. Use the following PowerShell syntax to install the software, replacing the customerU
Download the version of Notepad++ you want to install, upload it to the worklet, and set $saveFile in the remediation to match the name of the file you upload. Evaluation: <# .SYNOPSIS This Test script checks to see if an application is installed .DESCRIPTION This script queries the installed files for 64bit software and returns a 0 if product is installed or 1 if not .Notes File Name :App_Install_Test.ps1 Author :Automox Prerequisite :PowerShell V2 over Win7 and later #> #Handle Exit Codes: trap { $host.ui.WriteErrorLine($_.Exception); exit 90 } function App_Install_Test { <# .SYNOPSIS This function Checks to see if app is installed on system or not . .DESCRIPTION After checking the app availability, based on the exit code tool will decide to call remediation code or not. #> ## Name of the desired application ## $appName = 'Notepad' ## You must also hard-code the app name in the $scriptblock be
Hi Ya’ll Big Shoutout and thanks to @rich for getting the information needed in order for this script to work successfully! This is a one-click automatic upgrade without needing to pre-deploy the 1909 .iso image to your devices. This Worklet will automatically build out the download link for 1909 based on your OS’s architecture, download the .iso image to you local system, mount the .iso to a disk drive, and then automatically run the download setup all silently without any user interaction. It will remove the iso after the installation completes. The Evaluation and Remediation code for the Worklet is as follows: Evaluation: $iso = "C:\programdata\Windows1909OSUpgrade.iso" if ((Test-Path $iso) -eq $true) {Remove-Item $iso } $osversion = (Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion").GetValue('ReleaseID') if (($osversion -lt "1909")) {exit 1 } else {exit 0 } Remediation: $lang = "English" $locID = "en-US" $verID = "Windows10ISO" $skuID = "9029" $prodID =
So i was looking for a quick way to retrieve a log file of an automox enabled system without physical or netwerk access. It had to be lean mean and fast so i came up with this solution to upload the logfile to a azure blob storage container using a sas-token. only fill out the url variable before the slash and sas token variable and you are good to go! Evaluation code exit 1 Remediation Code if ($PSVersionTable.PSVersion -eq "2.0") { Write-Output "This worklet requires PowerShell version 3.0 or higher!" exit 0 } else { $Policy = "RemoteSigned" If ((Get-ExecutionPolicy) -ne $Policy) { Set-ExecutionPolicy $Policy -Force Write-Output "Changed execution policy to 'RemoteSigned'. "} #SAS Token $sas = "" #Automox Log File Location $filesource = "C:\Programdata\amagent\amagent.log" #Copy Log File Copy-Item $filesource -Destination "C:\Programdata\amagent\amagent_upload.log" $file = "C:\Programdata\amagent\amagent_upload.log" #Get the File-Name without path + add computername +
Hi all Are you guys seeing a sudden spike of Emotet related spam mails arriving? The org I’m working in is seeing this. They arrive from compromised email accounts. The email messages are hijacked from original email conversations so the content looks 100% legit. The email has a password encrypted ZIP file, which has macros, which decrypts some obfuscated Powershell, which then runs to download the actual Emotet payload. I would like to share a worklet I’ve developed based on: https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/. The necessary registry settings can be found here: https://www.slipstick.com/outlook/block-macros-office-20132016/ Here’s the worklet. The registry settings are under HKCU, so the powershell code to do this is a bit more convoluted. The nice thing about the code below is it will work whether there is a current user logged in or not (since Automox’s agent runs in the SYSTEM context, accessing
There a various topics on this community about resetting windows updates to its default settings. The attached worklet is similair to others posted but it can be run without a reboot. So far we have very good results with this worklet in production environments and because the reboot is not necessary it can be used without user impact. This worklet will me maintained on Github: github.com Dutch-Technology-eXperts/Automox/blob/main/windows_updates_settings_reset.ps1 #Evaluation Code Exit 1 #Remediation Code $arch = Get-WMIObject -Class Win32_Processor -ComputerName LocalHost | Select-Object AddressWidth #1. Stopping Windows Update Services... Stop-Service -Name BITS Stop-Service -Name wuauserv Stop-Service -Name appidsvc Stop-Service -Name cryptsvc #2. Remove QMGR Data file... Remove-Item "$env:allusersprofile\Microsoft\Network\Downloader\qmgr*.dat" -ErrorAction SilentlyContinue #3. Renaming the Software Distribution and CatRoot Folder... Remove-Item $env:system
In this worklet we check if a host is possibly vulnerable for CVE-2020-16898 based on the OS version and the installation status of the patch. If the patch is not installed the workaround is implemented. For more info check: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16898#ID0EUGAC The only manual task is to later revert this change when the patch is applied. Evaluation code: #define osversion number $osversion = (get-itemproperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId #define KB Number and check for presence $1709 = 'KB4580328' $1803 = 'KB4580330' $1809 = 'KB4577668' $1903 = 'KB4577671' $2004 = 'KB4579311' #Check applicable OS version and installation of patch if ($osversion -eq '1709'){ $patched1 = Get-Hotfix -Id $1709 -ErrorAction SilentlyContinue } elseif ($osversion -eq '1803'){ $patched2 = Get-Hotfix -Id $1803 -ErrorAction SilentlyContinue } elseif ($osversion -eq '1809'){ $patched3 = Get-Ho
This worklet as written adds a Chrome shortcut to the user’s desktop and start menu named “TSheets” which points to a web app. You can choose to only create the shortcut in one place or the other if you want. If you wish your app to be opened with a different browser, specify $BrowserPath to point to the installed browser you wish to use. The parameters in the remediation below describe how to set the variables. Evaluation: Exit 1 Remediation: <# .PARAMETER BrowserPath Location of the Google Chrome browser executable. Google Chrome needs to already be installed for this script to work. If you wish for a different browser to execute the Web App, alter $BrowserPath .PARAMETER ShortcutName Display Name of the shortcut. .PARAMETER ShortcutUrl URL associated with the shortcut. .PARAMETER ShortcutIconLocation Optional: Path to an icon to associate with the shortcut. .PARAMETER ShortcutOnDesktop Set to $true if the Shortcut n
Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR” -Name “start” -Value 4
Disclaimer: This uses a 3rd party Powershell addon called “PolicyFileEditor”. The addon is trusted and has around 29M downloads. Another addon named “NuGet” is installed as PolicyFileEditor doesnt seem to work without it. More detail on the addon can be found here: https://www.powershellgallery.com/packages/PolicyFileEditor/3.0.1 Hello All! Just made this worklet and thought I’d share incase anyone else finds it useful. Use case: For remote employees that are off domain network and cannot have GPO’s applied to them and need to have password policies applied to their machines for compliance reasons. The worklet is pretty straight forward and labeled. You can feel free to remove the “Write-Host” lines as they are just for reporting purposes. Code: #Set Execution policy to allow for 3rd party modules Set-ExecutionPolicy Unrestricted -Force #Instal NuGet which is needed for PolicyFileEditor Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force #Install PolicyFileEditor Inst
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.