Drew Robinson's Blog

Azure, Powershell and Security things

Azure AD Reporting API, Download foreach user – sign-in status as CSV

#Draft, will be updating this with more text and images. The following script will locate all users, then for each user it will dump out the Azure AD reporting sign-in status in C:\temp\reporting\[thismonth[thisday]]. Example from my lab, ehzure.com: I only have two users active; I’ll execute some user login activity at a later time to provide a… Read more

Azure Rest API, GET AzureRM Virtual Machine status

#Draft, will be updating this with more text and images. The following script will quickly execute REST calls to Azure APIs to build the following output; it works across subscriptions. Code: … Read more

WDAGUtilityAccount

If you see an alert in your log solution for a new local account created with the username WDAGUtilityAccount (event ID 4720 or 4722): this account is part of Windows Defender Application Guard, which is included with RS3 (aka the Windows 10 Fall update). The account is disabled, and WDAG is also not enabled. Basically you have user… Read more

Change the default RDP port (3389) on an Azure Windows ARM VM to a high-range port

I recommend leveraging a site-to-site VPN or point-to-site VPN for admin port access (RDP, SQL, etc.). If a VPN is not an option, the next method is to restrict the exposed inbound port/source IP to only known IP addresses (ACL). The last method is to change the default port to a higher-range port, making it more… Read more

Listing IP Addresses from Azure Subscription

The following examples show how to use the Azure REST API to confirm assigned/active IP addresses: create a service principal (SP) and grant it rights to your Azure subscription (IAM), then update the script below with the following variables (tenant, client id, client secret, subscription id GUID). IP address output for Azure RM VMs and Azure Web Sites using REST API lookup. Reference: https://docs.microsoft.com/en-us/rest/api/appservice/webapps https://docs.microsoft.com/en-us/rest/api/network/public-ip-addresses … Read more

Setting Google DNS with PowerShell

My local ISP’s router won’t let me modify DNS settings in its DHCP table (no Drew joy), so now I’m going to have to add a separate router. While I was waiting for my router, I created the following PowerShell code to point my boxes to Google DNS. The following PS code will: look for a NIC with… Read more

Installing Remote Server Admin Tools (RSAT) via PowerShell

I reload my boxes frequently, and I also have a few installations enrolled in Windows Insider, which installs new builds frequently. The Insider build update cycle will reset existing updates, including Remote Server Tools (Active Directory PowerShell, Active Directory Users and Computers, etc.). Drew is not one to download and install things over… Read more

Accessing Azure Security Center API with PowerShell Invoke-RestMethod

Accessing the Azure Security Center API with PowerShell Invoke-RestMethod. Listing missing patches on Azure VMs with the Collection Results API. Listing alerts using the Alert API, such as RDP brute-force attempts showing failed and successful logons. The following will allow you to monitor or set your Azure Security Center settings via PowerShell/REST. Getting started: You will first… Read more

PowerShell script to update the Azure VM Agent, can be used with the script extension

#Download link for the latest Azure Guest Agent (windows) $Link="http://go.microsoft.com/fwlink/?LinkID=394789" # Set download path D:\temp, if it doesn't exist – create it $AzAgtPath="D:\temp" if(!(Test-Path -Path $AzAgtPath )){ New-Item -ItemType directory -Path $AzAgtPath } # Download and install Start-BitsTransfer -Source $Link… Read more

Azure ARM Templates, Azure Antimalware

For deploying Azure Antimalware in Azure Virtual Machine ARM templates, I recommend you use one of the following JSON settings to ensure you’re deploying the latest version of our Antimalware client: "autoUpgradeMinorVersion": true, or hardcode the version using "typeHandlerVersion": "1.5". Otherwise, extension auto-update is disabled, and your deployment will be stuck with Azure Antimalware 1.1.0.0… Read more