directorcia / office365 Goto Github PK

View Code? Open in Web Editor NEW

420.0 67.0 229.0 646 KB

Office 365 scripts and information

PowerShell 100.00%

powershell powershell-script powershell-scripts office365

office365's Introduction

Get started Here

Creator contact:
Twitter - @directorcia
Blog

office365's People

Contributors

Stargazers

Watchers

Forkers

thewatchernode calebreliance dbrosy uptakedigital amarkanta cornholioso mario4272 jeffjerousek drweby ivanwi11iams hundunmuchi dytec-technology dsmall241 virtuousslayer brittadams powerbizau nortecit dawander yeomany mattseeds chrismooregb rojoh28 adminciaops365 bradleyjmorris theusclouds cbresnehan ctmcisco david3195 matkins12 primatech-gp bsssteve princesly yourit-chris needforspeed58 msftjc ncdlloyd deskflix-clam contactbrenton dnitpro ramikan mcpdob philippatelis jay75254 uwannawat go-365 chaos-monkey-island clintvs jdvuyk gallaghercomputing skyblueit esheldon76 stacker1975 paulcnz roderic100 kevincarne theotherjeremy crazyhorse4 lmcdonald100 sousasteve1 emarcais kwonsoonman leotsoy steve9r crazyoz hanzohlo echong00 achimbossler gth20 klamberth27 sdaniel29 planet-365 karthikmakam nexusprojects enots01 aussiecraigf purplegriffin dreadkong zniezelski russgove sassdawe caslek alexw1na gregc00 ckavinda tinwinaung kbutlerpt dsteer80 leeburridge daedae1394 kirus22 nickl-koris mikeyeg tommieklk sequel-data jimbobukii swapnilrathi bunzo90 grant-mitchell85 a1servinem c-az

office365's Issues

Update ASR to catch "Warning" setting for the rule.

Added:

One extra color variable for "warning".
4 extra strings to $enabledvalues for the list to fit from 0-6.
4 extra variables to $displaycolor for the list to fit from 0-6.
Switch 6 to catch that setting.

<# CIAOPS
Script provided as is. Use at own risk. No guarantees or warranty provided.

Source - https://github.com/directorcia/Office365/blob/master/win10-asr-get.ps1

Description - Report Device Attack Surface Reduction (ASR) settings

Prerequisites -

References:

- ASR Overview - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction
- Reduce attack surfaces with attack surface reduction rules - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
- ASR FAQ - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq

More scripts available by joining http://www.ciaopspatron.com

#>

## Variables
$systemmessagecolor = "cyan"
$processmessagecolor = "green"
$errormessagecolor="red"
$auditmessagecolor = "yellow"
$warningmessagecolor = "white"

Clear-Host
write-host -foregroundcolor $systemmessagecolor "Script started`n"

$asrrules = @()
$asrrules += [PSCustomObject]@{ # 0
    Name = "Block executable content from email client and webmail";
    GUID = "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail
}
$asrrules += [PSCustomObject]@{ # 1
    Name = "Block all Office applications from creating child processes";
    GUID = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes
}
$asrrules += [PSCustomObject]@{ # 2
    Name = "Block Office applications from creating executable content";
    GUID = "3B576869-A4EC-4529-8536-B80A7769E899"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content
}
$asrrules += [PSCustomObject]@{ # 3
    Name = "Block Office applications from injecting code into other processes";
    GUID = "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes
}
$asrrules += [PSCustomObject]@{ # 4
    Name = "Block JavaScript or VBScript from launching downloaded executable content";
    GUID = "D3E037E1-3EB8-44C8-A917-57927947596D"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content
}
$asrrules += [PSCustomObject]@{ # 5
    Name = "Block execution of potentially obfuscated scripts";
    GUID = "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts
}
$asrrules += [PSCustomObject]@{ # 6
    Name = "Block Win32 API calls from Office macros";
    GUID = "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-win32-api-calls-from-office-macros
}
$asrrules += [PSCustomObject]@{ # 7
    Name = "Block executable files from running unless they meet a prevalence, age, or trusted list criterion";
    GUID = "01443614-cd74-433a-b99e-2ecdc07bfc25"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion
}
$asrrules += [PSCustomObject]@{ # 8 
    Name = "Use advanced protection against ransomware";
    GUID = "c1db55ab-c21a-4637-bb3f-a12568109d35"
    ## reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#use-advanced-protection-against-ransomware
}
$asrrules += [PSCustomObject]@{ # 9
    Name = "Block credential stealing from the Windows local security authority subsystem (lsass.exe)";
    GUID = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
    ## https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem
}
$asrrules += [PSCustomObject]@{ # 10
    Name = "Block process creations originating from PSExec and WMI commands";
    GUID = "d1e49aac-8f56-4280-b9ba-993a6d77406c"
    ## https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands
}
$asrrules += [PSCustomObject]@{ # 11
    Name = "Block untrusted and unsigned processes that run from USB";
    GUID = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"
    ## https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-untrusted-and-unsigned-processes-that-run-from-usb
}
$asrrules += [PSCustomObject]@{ # 12
    Name = "Block Office communication application from creating child processes";
    GUID = "26190899-1602-49e8-8b27-eb1d0a1ce869"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-communication-application-from-creating-child-processes
}
$asrrules += [PSCustomObject]@{ # 13
    Name = "Block Adobe Reader from creating child processes";
    GUID = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-adobe-reader-from-creating-child-processes
}
$asrrules += [PSCustomObject]@{ # 14
    Name = "Block persistence through WMI event subscription";
    GUID = "e6db77e5-3df2-4cf1-b95a-636979351e5b"
    ## Reference - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription
}
$asrrules += [PSCustomObject]@{ # 15 
    Name = "Block abuse of exploited vulnerable signed drivers";
    GUID = "56a863a9-875e-4185-98a7-b882c64b5ce5"
    ## Reference - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules?view=o365-worldwide#block-abuse-of-exploited-vulnerable-signed-drivers
}
$enabledvalues = "Not Enabled", "Enabled", "Audit", "NA3", "NA4", "NA5", "Warning" ## $NA3-5 just added for the list to fit from 0-6
$displaycolor = $errormessagecolor, $processmessagecolor, $auditmessagecolor, $NotUsed, $NotUsed, $NotUsed, $warningmessagecolor ## $NotUsed just added for the list to fit from 0-6
## https://docs.microsoft.com/en-us/powershell/module/defender/?view=win10-ps
$results = Get-MpPreference
write-host -ForegroundColor Gray -backgroundcolor blue "Attack Surface Reduction Rules`n"
if ($results.AttackSurfaceReductionRules_ids.count -lt $asrrules.count) {
    $textcolor = $warningmessagecolor
}
else {
    $textcolor = $processmessagecolor
}
write-host -foregroundcolor $textcolor $results.AttackSurfaceReductionRules_ids.count,"of",$asrrules.count,"ASR rules found active`n"
if (-not [string]::isnullorempty($results.AttackSurfaceReductionRules_ids)) {
    foreach ($id in $asrrules.GUID) {      
        switch ($id) {
            "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" {$index=0;break}
            "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" {$index=1;break}
            "3B576869-A4EC-4529-8536-B80A7769E899" {$index=2;break}
            "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" {$index=3;break}
            "D3E037E1-3EB8-44C8-A917-57927947596D" {$index=4;break}
            "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" {$index=5;break}
            "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" {$index=6;break}
            "01443614-cd74-433a-b99e-2ecdc07bfc25" {$index=7;break}
            "c1db55ab-c21a-4637-bb3f-a12568109d35" {$index=8;break}
            "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" {$index=9;break}
            "d1e49aac-8f56-4280-b9ba-993a6d77406c" {$index=10;break}
            "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" {$index=11;break}
            "26190899-1602-49e8-8b27-eb1d0a1ce869" {$index=12;break}
            "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" {$index=13;break}
            "e6db77e5-3df2-4cf1-b95a-636979351e5b" {$index=14;break}
            "56a863a9-875e-4185-98a7-b882c64b5ce5" {$index=15;break}
        }
        $count = 0
        $notfound = $true
        foreach ($entry in $results.AttackSurfaceReductionRules_ids) {
            if ($entry -match $id) {
                $enabled = $results.AttackSurfaceReductionRules_actions[$count]             
                switch ($enabled) {
                    0 {write-host -foregroundcolor $displaycolor[$enabled] $asrrules[$index].name"="$enabledvalues[$enabled]; break}
                    1 {write-host -foregroundcolor $displaycolor[$enabled] $asrrules[$index].name"="$enabledvalues[$enabled]; break}
                    2 {write-host -foregroundcolor $displaycolor[$enabled] $asrrules[$index].name"="$enabledvalues[$enabled]; break}
                    6 {write-host -foregroundcolor $displaycolor[$enabled] $asrrules[$index].name"="$enabledvalues[$enabled]; break}
                }
                $notfound = $false
            }
            $count++
        }
        if ($notfound) {
            write-host -foregroundcolor $errormessagecolor $asrrules[$index].name"= Not found"
        }
    }
}
else {
    write-host -foregroundcolor $errormessagecolor $asrrules.count"ASR rules empty"
}

write-host -foregroundcolor $systemmessagecolor "`nScript completed`n"

Specify individual permissions to remove

this code is great for removing all permissions, but since it gives you a list of the permissions it would be nice to specify an individual one as opposed to all them. Be very handy. Not actually an issue but can change to feature request! Thanks

Can you help me on this line?

Office365/o365-spam-policy.ps1

Line 20 in 74f4354

$domains = "M365B555418.onmicrosoft.com"

Thanks for the script, I have based on yours to create my own.

You recommended creating the $domains = "d1.com", "d2.com"
I was struggling to create an automatic way to fill this $domains.
I tried this but didn't work as you recommended:

$Domains = (Get-AcceptedDomain).DomainName -join ", "
or
$Domains = Read-Host "Enter all domains separated by comma e.g. d1.com,d2.com,d3.com"

Can you help me pls?

Incorrect version number reported for some .exe files

graph-adapp-add.exe and graph-adapp-per-add.exe
Version = 0.94 Beta is reported when running the .exe but they are listed in Github as v0.93
https://github.com/directorcia/Office365

Update for Az module for PS7

Simple update can be made to the script to make it work in PS7 with EXO 2 and AZ module

Get/Set AzureAD User can be replaced with Get-AzAdUser and Update-AzADUser -ObjectID $mailbox.userprincipalname -EnableAccount $false

Permission Errors when using Defender365 call

Did you have any problems with the vulnerability API on defender?
I set the same rights, but always ( only with this call, machine info works) run in an 403 error!

Following the blog, it seems correct.
https://blog.ciaops.com/2021/06/15/using-the-defender-for-endpoint-api-and-powershell/

The rights on my token are definitly correct and granted in UI:

File missing

I am trying to run the script c.ps1 but I keep getting an error stating that the file o365-connect-mfa-ctldply.ps1 is missing. I looked in directorcia/Office365 and see that the file is no longer there.

Found some more for your list

MCOPSTN1 = Domestic Calling Plan
MCOPSTNC = Communications Credits
MCOPSTN2 = Domestic and International Calling Plan
MCOMEETACPEA = Audio Conferencing Pay-Per-Minute
POWERAPPS_VIRAL = Microsoft PowerApps Plan 2 Trial

DESKLESSPACK

DESKLESSPACK could also be:
SKU - 4b585984-651b-448a-9e53-3b10f069cf7f / OFFICE 365 F3

Placeholder for API key

Good to also insert the code to allow the API key to be used - may be best to pull the code directly from the updated HIBP script https://gcits.com/knowledge-base/check-office-365-accounts-against-have-i-been-pwned-breaches/

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Connect-MsolService
$HIBPAPIKey = "YOURHIBPAPIKEY"
$headers = @{
"hibp-api-key" = $HIBPAPIKey
}
$baseUri = "https://haveibeenpwned.com/api/v3"
$users = Get-msoluser -All

Color Variable Error during script exec

Issue: Three color variables defined at start of script but $warningmessagecolor is later referenced but not defined

$systemmessagecolor = "cyan"
$processmessagecolor = "green"
$errormessagecolor= "red"

137: $displaycolor = $errormessagecolor, $processmessagecolor, $warningmessagecolor'

If triggered, errors would appear as below:

Write-Host : Cannot bind parameter 'ForegroundColor' to the target. Exception setting "ForegroundColor": "Cannot convert null to type
"System.ConsoleColor" due to enumeration values that are not valid. Specify one of the following enumeration values and try again. The possible
enumeration values are "Black,DarkBlue,DarkGreen,DarkCyan,DarkRed,DarkMagenta,DarkYellow,Gray,DarkGray,Blue,Green,Cyan,Red,Magenta,Yellow,White"."
At C:\GitHub\Office365\win10-asr-get.ps1:137 char:44

... 2 {write-host -foregroundcolor $displaycolor[$enabled] $asrrul ...
```
                                      ~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : WriteError: (:) [Write-Host], ParameterBindingException
- FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Commands.WriteHostCommand

... 2 {write-host -foregroundcolor $displaycolor[$enabled] $asrrul ...
```
                                      ~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : WriteError: (:) [Write-Host], ParameterBindingException
- FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Commands.WriteHostCommand

... 2 {write-host -foregroundcolor $displaycolor[$enabled] $asrrul ...
```
                                      ~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : WriteError: (:) [Write-Host], ParameterBindingException
- FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Commands.WriteHostCommand

win10-asr-get.ps1 - Broken for standard users with Defender version 4.18.23070.1004-0

It looks like this is now broken for standard users as of 14/08/2023. The rule IDs (AttackSurfaceReductionRules_Ids) and exclusions are no longer visible in get-mppreference . Might need a check for admin rights and report error as it currently just shows 0 rules applied

Hi ,

I need a proactive remediation script to update the office 365 channel to semi-annual preview for the users.

Kindly need your help.

Best regards,

Office365 /mggraph-sscore-get.ps1

Love this code. Just a suggestion

Line 43: $scopes = "SecurityEvents.ReadWrite.All"
change to
$scopes = "SecurityEvents.Read.All"

Following Microsoft suggestion of Least privileged permissions
https://learn.microsoft.com/en-us/graph/api/securescore-get?view=graph-rest-1.0&tabs=powershell

ASR Rules, no color for rules set to audit.

The script to check enabled ASR rules (win10-asr-get.ps1) has two variables defined for $warningmessagecolor but and no longer has one for $auditmessagecolor

This causes large chunks of error messages for any rules set to audit. Looking at the commit history this appears to have happened in the most recent commit.

API no longer freely accessible

The Have I Been Pwned API is no longer free to use. You’ll need to purchase an API key from here – right now it’s about $3.50 USD per month. Therefore this script does not run as is, it would be good to add in any pre-requisites or offer an alternative service that would work.

https://gcits.com/knowledge-base/check-office-365-accounts-against-have-i-been-pwned-breaches/

Skus need updating

EMSPREMIUM = ENTERPRISE MOBILITY + SECURITY E5
May be others, I haven't checked.
Very nice work btw.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.