PowerShell

Simply copying and pasting from here will set a very stupid password and log events (insecurely) to a third-party syslog server.

The sample nxlog.conf (fetched by the script below) sends the Security and RDP/Terminal Services event logs to a syslog server on the internet.

I use PowerShell to automate Windows workflows; one in particular is the setup of the WinDevEval Hyper-V image (from microsoft.com). I need to install Tor and NXLog roughly every 50 days and then configure NXLog, Remote Access and the time zone, and set a password on the default user account for remote access.

I use this setup as a honeypot and for experimentation requiring Windows.

.ps1 script

# WinAuth: download the release zip into the user profile and unpack it there
Invoke-WebRequest -Uri "https://github.com/winauth/winauth/releases/download/3.5.1/WinAuth-3.5.1.zip" -OutFile "~\WinAuth.zip"
Expand-Archive -LiteralPath "~\WinAuth.zip" -DestinationPath "~"

# Tor Browser: interactive installer, wait for it to finish before continuing
Invoke-WebRequest -Uri "https://dist.torproject.org/torbrowser/11.0a5/torbrowser-install-11.0a5_en-US.exe" -OutFile "~\torbrowser-install.exe"
Start-Process -FilePath "~\torbrowser-install.exe" -Wait

# BiglyBT: same pattern
Invoke-WebRequest -Uri "https://files.biglybt.com/installer/BiglyBT_Installer64.exe" -OutFile "~\install.exe"
Start-Process -FilePath "~\install.exe" -Wait

# Remote Desktop: allow TS connections, turn off Network Level Authentication on the
# RDP-tcp listener (see the warning at the top; this host is a honeypot) and open the firewall group
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "localhost" -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# NXLog CE: unattended MSI install, then drop in the nxlog.conf that forwards Security and
# RDP/TS events to the syslog server (wget is just an alias for Invoke-WebRequest in Windows PowerShell)
Invoke-WebRequest -Uri "https://paul.sullivan.za.org/PowerShell/nxlog-ce-3.2.2329.msi" -OutFile "~\nxlog.msi"
Start-Process -FilePath "~\nxlog.msi" -ArgumentList "/passive" -Wait
Invoke-WebRequest -Uri "https://paul.sullivan.za.org/PowerShell/nxlog.conf" -OutFile "C:\Program Files\nxlog\conf\nxlog.conf"

# Telnet client feature
dism /online /Enable-Feature /FeatureName:TelnetClient

# Password on the default account (the stupid one the warning at the top refers to)
Set-LocalUser -Name "User" -Password (ConvertTo-SecureString -AsPlainText "qwer1234" -Force)

# Time zone and locale (UK)
Set-TimeZone -Id "GMT Standard Time" -PassThru
Set-WinSystemLocale en-GB
Set-WinHomeLocation -GeoId 0xF2
Set-WinUserLanguageList -LanguageList en-GB -Force

# Answer ICMP echo (v4 and v6), then reboot so the locale and feature changes take effect.
# Restart-Computer must be on its own line: glued onto the netsh command it was passed to netsh as an argument.
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol="icmpv4:8,any" dir=in action=allow
netsh advfirewall firewall add rule name="ICMP Allow incoming V6 echo request" protocol="icmpv6:8,any" dir=in action=allow
Restart-Computer
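The following is an added example, not the page author's script and not NXLog's own sample config. It replaces the download of a third-party nxlog.conf with one generated locally: NXLog CE 3.x syntax, forwarding the Security log and the two Terminal Services channels that record RDP logons to a collector you run yourself, over TLS (om_ssl) with certificate verification rather than plain syslog. It then checks the host state the setup script leaves behind. The collector hostname, port and CA file path, and the function names, are placeholders/assumptions; the install directory and the service name (nxlog) are the NXLog CE defaults.

```powershell
# Added example (not the original script). Generates a local nxlog.conf that forwards
# Security + RDP/TS event logs over TLS to your own collector, then verifies the host state.
# Placeholders: collector host/port and CA path. NXLog CE defaults assumed for paths/service name.

function New-NxlogConfig {
    param(
        [Parameter(Mandatory)] [string] $CollectorHost,              # your own collector, not a third party
        [int]    $CollectorPort = 6514,                               # syslog over TLS (RFC 5425) port
        [string] $CaFile = 'C:\ProgramData\nxlog\collector-ca.pem'    # CA that signed the collector's certificate
    )
    # Double-quoted here-string: $CollectorHost etc. are interpolated, %ROOT% is left alone (no '$').
    @"
define ROOT C:\Program Files\nxlog
ModuleDir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

# Security log plus the Terminal Services channels that record RDP connections and sessions
<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# TLS with a pinned CA instead of plaintext UDP/TCP syslog
<Output collector>
    Module om_ssl
    Host   $CollectorHost
    Port   $CollectorPort
    CAFile $CaFile
    AllowUntrusted FALSE
    Exec   to_syslog_ietf();
</Output>

<Route eventlog_to_collector>
    Path eventlog => collector
</Route>
"@
}

function Install-NxlogConfig {
    param([Parameter(Mandatory)] [string] $CollectorHost)
    $confPath = 'C:\Program Files\nxlog\conf\nxlog.conf'
    if (Test-Path $confPath) { Copy-Item $confPath "$confPath.bak" -Force }   # keep the previous config
    New-NxlogConfig -CollectorHost $CollectorHost | Set-Content -Path $confPath -Encoding ASCII
    Restart-Service -Name nxlog    # NXLog CE service name
}

function Test-HoneypotState {
    # One boolean per change the setup script makes, so you can see what actually applied after the reboot.
    $ts     = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Get-CimInstance -Namespace root\cimv2\terminalservices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-tcp'"
    $nxlog  = Get-Service -Name nxlog -ErrorAction SilentlyContinue
    [ordered]@{
        RdpEnabled       = ($ts.fDenyTSConnections -eq 0)
        NlaDisabled      = ($rdpTcp.UserAuthenticationRequired -eq 0)   # expected here; a finding on any non-honeypot host
        RdpFirewallOpen  = (@(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue).Count -gt 0)
        NxlogRunning     = ($null -ne $nxlog -and $nxlog.Status -eq 'Running')
        NxlogUsesTls     = (Select-String -Path 'C:\Program Files\nxlog\conf\nxlog.conf' -Pattern 'om_ssl' -Quiet)
        TimeZoneIsUk     = ((Get-TimeZone).Id -eq 'GMT Standard Time')
        TelnetClientOn   = ((Get-WindowsOptionalFeature -Online -FeatureName TelnetClient).State -eq 'Enabled')
    }
}

# Usage (run elevated; hostname is a placeholder):
#   Install-NxlogConfig -CollectorHost 'collector.example.invalid'
#   Test-HoneypotState
```

Run it elevated after the setup script's reboot. Any `$false` in the hashtable points at a step that did not apply; `NlaDisabled` being `$true` is the intended honeypot state and exactly what you would not want to see on any other host.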

