PowerShell
Warning: simply copying and pasting from here will set a very stupid password and ship events (insecurely, over plain syslog) to a 3rd-party syslog server.
A sample nxlog.conf that sends the Security and RDP/TS event logs to an online syslog server.
I use PowerShell to automate Windows workflows; one in particular is the setup of the WinDevEval Hyper-V image (from microsoft.com). I need to install TOR and NXLog roughly every 50 days and then configure NXLog, Remote Access and Timezone, and set a password on the default user account for remote access.
I use this setup as a honeypot and for experimentation requiring Windows.
.ps1 script
# Tooling used on the honeypot image
Invoke-WebRequest -Uri "https://github.com/winauth/winauth/releases/download/3.5.1/WinAuth-3.5.1.zip" -OutFile "~\WinAuth.zip"
Expand-Archive -LiteralPath "~\WinAuth.zip" -DestinationPath "~"
Invoke-WebRequest -Uri "https://dist.torproject.org/torbrowser/11.0a5/torbrowser-install-11.0a5_en-US.exe" -OutFile "~\torbrowser-install.exe"
Start-Process -FilePath "~\torbrowser-install.exe" -Wait
Invoke-WebRequest -Uri "https://files.biglybt.com/installer/BiglyBT_Installer64.exe" -OutFile "~\install.exe"
Start-Process -FilePath "~\install.exe" -Wait

# Remote Desktop: enable RDP, turn off Network Level Authentication, open the firewall group
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "localhost" -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# NXLog: install silently and drop in the prepared nxlog.conf
Invoke-WebRequest -Uri "https://paul.sullivan.za.org/PowerShell/nxlog-ce-3.2.2329.msi" -OutFile "~\nxlog.msi"
Start-Process -FilePath "~\nxlog.msi" -ArgumentList "/passive" -Wait
Invoke-WebRequest -Uri "https://paul.sullivan.za.org/PowerShell/nxlog.conf" -OutFile "C:\Program Files\nxlog\conf\nxlog.conf"

# Telnet client, the (deliberately weak) honeypot password, and UK locale settings
dism /online /Enable-Feature /FeatureName:TelnetClient
Set-LocalUser -Name "User" -Password (ConvertTo-SecureString -AsPlainText "qwer1234" -Force)
Set-TimeZone -Id "GMT Standard Time" -PassThru
Set-WinSystemLocale en-GB
Set-WinHomeLocation -GeoId 0xF2
Set-WinUserLanguageList -LanguageList en-GB -Force

# Allow inbound ping (v4 and v6), then reboot to apply the locale and feature changes
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol="icmpv4:8,any" dir=in action=allow
netsh advfirewall firewall add rule name="ICMP Allow incoming V6 echo request" protocol="icmpv6:8,any" dir=in action=allow
Restart-Computer
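The nxlog.conf the script downloads is not shown on this page, so the following is an added example of the shape such a file takes (NXLog CE 3.x syntax), written here and not the author's file. It collects the Security log and the two Terminal Services channels that record RDP connections, and shows the plain-UDP output the warning above calls insecure next to a TLS output; the collector hostname and certificate paths are placeholders.

```conf
# Constructed example nxlog.conf (NXLog CE 3.x syntax); not the author's file.
# Collector hostname and certificate paths are placeholders.
define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log
<Extension _syslog>
    Module  xm_syslog
</Extension>

# Security log plus the two Terminal Services channels that record
# RDP connection attempts and logon sessions on the honeypot.
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
# Weak setting (plain syslog): cleartext UDP, readable and spoofable by
# anyone on the path. Kept commented out for comparison.
#<Output syslog_udp>
#    Module  om_udp
#    Host    syslog.example.invalid
#    Port    514
#    Exec    to_syslog_ietf();
#</Output>
# Corrected setting: TLS to the collector, server cert checked against our CA.
<Output syslog_tls>
    Module         om_ssl
    Host           syslog.example.invalid
    Port           6514
    CAFile         %ROOT%\cert\collector-ca.pem
    CertFile       %ROOT%\cert\honeypot.pem
    CertKeyFile    %ROOT%\cert\honeypot-key.pem
    AllowUntrusted FALSE
    Exec           to_syslog_ietf();
</Output>

<Route eventlog_to_collector>
    Path  eventlog => syslog_tls
</Route>
```

Events are then tagged with the originating channel, so failed-logon (Security) and RDP-session (TerminalServices) records from the honeypot can be told apart on the collector.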