PowerShell

Simply copying and pasting from here will set a very stupid password and log events (insecurely) to a third-party syslog server.

Sample nxlog.conf that sends the Security and RDP/Terminal Services event logs to a syslog server online.
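The nxlog.conf itself is only linked from the script, not shown. The PowerShell below is an added example, not the author's file: it writes an NXLog CE configuration that collects the Security log plus the two Terminal Services operational channels that record RDP connections and sessions, and ships them to a syslog collector over UDP exactly as the page describes. The collector host and port are placeholders, the install path is the one the script uses, and the Windows service name nxlog is the one the NXLog CE MSI registers.

```powershell
# Added example (not the page's nxlog.conf): generate an NXLog CE config and restart the service.
# $Collector and $Port are placeholders; point them at your own syslog server.
param(
    [string]$Collector = 'syslog.example.invalid',   # placeholder collector hostname
    [int]$Port = 514
)

$nxlogRoot = 'C:\Program Files (x86)\nxlog'        # default NXLog CE install path, as in the script
$confPath  = Join-Path $nxlogRoot 'conf\nxlog.conf'

$conf = @"
define ROOT $nxlogRoot
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Security (4624/4625 logons) plus the Terminal Services channels that carry
# RDP session events (21/24/25 in LocalSessionManager, 1149 in RemoteConnectionManager).
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*</Select>
                <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Plain UDP syslog, as on the page: no transport encryption and no authentication of the collector.
<Output collector>
    Module  om_udp
    Host    $Collector
    Port    $Port
    Exec    to_syslog_ietf();
</Output>

<Route eventlog_to_collector>
    Path    eventlog => collector
</Route>
"@

Set-Content -Path $confPath -Value $conf -Encoding ASCII
Restart-Service -Name nxlog
```

Run it after the NXLog MSI has been installed and before the reboot. If the "insecurely" in the note above bothers you, the output block is the only part that changes: NXLog CE's om_ssl module takes the same Host and Port plus a CAFile (and CertFile/CertKeyFile for client authentication) and gives you TLS to the collector without touching the input side.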

I use PowerShell to automate Windows workflows; one in particular is the setup of the WinDevEval Hyper-V image (from microsoft.com). I need to install Tor and NXLog roughly every 50 days and then configure NXLog, Remote Access and the timezone, and set a password on the default user account for remote access.

I use this setup as a honeypot and for experimentation requiring Windows.

.ps script

# Tor Browser: download the installer and run it; -Wait blocks the script until the installer exits
Invoke-WebRequest -Uri "https://dist.torproject.org/torbrowser/10.0a7/torbrowser-install-10.0a7_en-US.exe" -OutFile "$HOME\torbrowser-install.exe"
Start-Process -FilePath "$HOME\torbrowser-install.exe" -Wait

# Remote Desktop: allow connections, switch off Network Level Authentication (deliberate for the honeypot) and open the firewall group
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "localhost" -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# NXLog CE: unattended install through msiexec, then drop in the nxlog.conf from this site
Invoke-WebRequest -Uri "https://nxlog.co/system/files/products/files/348/nxlog-ce-2.10.2150.msi" -OutFile "$HOME\nxlog-ce-2.10.2150.msi"
Start-Process -FilePath "msiexec.exe" -ArgumentList "/i `"$HOME\nxlog-ce-2.10.2150.msi`" /passive" -Wait
Invoke-WebRequest -Uri "https://paul.sullivan.za.org/PowerShell/nxlog.conf" -OutFile "C:\Program Files (x86)\nxlog\conf\nxlog.conf"

# The deliberately weak password on the image's default "User" account
Set-LocalUser -Name "User" -Password (ConvertTo-SecureString -AsPlainText "qwer1234" -Force)

# Timezone and input language
Set-TimeZone -Id "GMT Standard Time" -PassThru
Set-WinUserLanguageList -LanguageList en-GB -Force

Restart-Computer
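Because the script sets several things that are only sane on a throwaway honeypot, it is worth having a read-back that confirms the image is in the intended state after the reboot, and that would stand out if run on a machine that should not look like this. The following is an added example, not part of the page's script; it reads back exactly the settings the script changes (registry, WMI, firewall, service, timezone, local account) and assumes the same "User" account, "RDP-tcp" listener and nxlog service name the script uses.

```powershell
# Added example: read back the state the page's script leaves behind.
function Get-HoneypotState {
    $tsKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    # Same WMI object the script calls SetUserAuthenticationRequired(0) on
    $rdp = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices `
                         -Filter "TerminalName='RDP-tcp'"
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' }
    $nxlog   = Get-Service -Name nxlog -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RdpEnabled       = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
        NlaRequired      = [bool]$rdp.UserAuthenticationRequired      # 0 after the script: pre-auth logon screen exposed
        FirewallRdpOpen  = @($fwRules).Count -gt 0
        NxlogRunning     = ($null -ne $nxlog) -and ($nxlog.Status -eq 'Running')
        TimeZone         = (Get-TimeZone).Id
        UserEnabled      = (Get-LocalUser -Name 'User').Enabled
    }
}

$state = Get-HoneypotState
$state | Format-List

# Expected after the script: RdpEnabled True, NlaRequired False, FirewallRdpOpen True, NxlogRunning True.
if (-not $state.NlaRequired) {
    Write-Output 'NLA is off: logon attempts reach the Security log as 4625 events before any valid credential, so the syslog feed is where the honeypot activity shows up.'
}
if (-not $state.NxlogRunning) {
    Write-Output 'nxlog service is not running: nothing is being forwarded; check C:\Program Files (x86)\nxlog\data\nxlog.log for a config error.'
}
```

The Format-List output is enough for a manual check; the two conditional lines are the ones you actually care about on a honeypot, since an NLA state that silently flipped back, or an NXLog that failed to parse its config, means the box is exposed without anyone watching.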


Happy to work as an Employee, Consultant, Contractor / Self Employed or via Limited Company