Skip to content

Instantly share code, notes, and snippets.

View nathanmcnulty's full-sized avatar

Nathan McNulty nathanmcnulty

251 followers · 8 following
View GitHub Profile
@nathanmcnulty
nathanmcnulty / mitigate-bluehammer.ps1
Created April 8, 2026 05:53
Mitigate BlueHammer
# =============================================
# HARDEN \BaseNamedObjects\Restricted DACL
# Remove create-object rights for Everyone / Users
# Run as Administrator in a TEST VM only!
# =============================================
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force
Install-Module NtObjectManager -Scope CurrentUser -Force -AllowClobber
Import-Module NtObjectManager -Force
@nathanmcnulty
nathanmcnulty / audit-bluehammer.ps1
Last active April 8, 2026 05:52
BlueHammer audit testing
# =============================================
# Audit OM Symlink Creation in \BaseNamedObjects\Restricted
# Run as Administrator in a test VM
# =============================================
# 1. Set execution policy (safe for testing)
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force
# 2. Install / update the module (from PowerShell Gallery)
Install-Module NtObjectManager -Scope CurrentUser -Force -AllowClobber
@nathanmcnulty
nathanmcnulty / Get-XdrEndpointDeviceTimeline.ps1
Created January 22, 2026 21:20
Get-XdrEndpointDeviceTimeline.ps1
function Get-XdrEndpointDeviceTimeline {
<#
.SYNOPSIS
Retrieves the timeline of events for a specific device from Microsoft Defender XDR.
.DESCRIPTION
Gets the timeline of security events for a device from the Microsoft Defender XDR portal with options to filter by date range and other parameters.
Uses parallel chunked requests (1-hour intervals) to improve performance and support longer date ranges up to 180 days.
.PARAMETER DeviceId
@nathanmcnulty
nathanmcnulty / Get-MTPAPIToken.ps1
Created November 22, 2025 01:16
Get MTP API token using Azure PowerShell
$tenantId = "YOUR-TENANTID"
$fullToken = Get-AzAccessToken -ResourceUrl "https://securitycenter.microsoft.com/mtp" -TenantId $tenantId
$secureToken = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($fullToken.Token)
try {
$token = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($secureToken)
} finally {
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($secureToken)
}
$headers = @{ authorization= "Bearer $token" }
Invoke-Restmethod -Uri "https://mde-dtc-snsexclusions-prd-eus3.securitycenter.windows.com/api/sense-collection/rules" -Headers $headers
@nathanmcnulty
nathanmcnulty / group-use-report.ps1
Created August 4, 2025 21:46
For SuryB
# Connect to Microsoft Graph if not already connected
if (-not (Get-MgContext)) {
Connect-MgGraph -Scopes "Policy.Read.All","Group.Read.All","Application.Read.All","Directory.Read.All"
}
$results = @()
# Conditional Access Policies
$caPolicies = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
foreach ($policy in $caPolicies.value) {
@nathanmcnulty
nathanmcnulty / NRT KQL query
Created July 18, 2025 04:41
Playbook to remove user from CA exclusion group when Sentinel sees user registered passkey
AuditLogs
| where ResultReason == @"User registered Fido2 Authentication Method"
| extend UserId = parse_json(TargetResources)[0]["id"]
@nathanmcnulty
nathanmcnulty / mi-graph-permissions.ps1
Created May 14, 2025 06:16
Add permissions to Managed Identity
$SP_ID = '3b3c5db1-c095-41c7-af10-2a958ccaf91a'
Connect-MgGraph -Scopes appRoleAssignment.ReadWrite.All,Application.Read.All,Group.ReadWrite.All
$GraphSP = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$AppRole = $GraphSP.AppRoles | Where-Object {$_.Value -eq "SecurityEvents.Read.All" -and $_.AllowedMemberTypes -contains "Application"}
New-MgServicePrincipalAppRoleAssignment -AppRoleId $AppRole.Id -ServicePrincipalId $SP_ID -ResourceId $GraphSP.Id -PrincipalId $SP_ID
@nathanmcnulty
nathanmcnulty / graph-api-reports-ca-blocked-sign-ins.txt
Last active May 13, 2025 17:53
Graph API Reports for CA Blocked Sign-Ins
Graph PowerShell:
(Invoke-MgGraphRequest -Uri "/beta/reports/serviceActivity/getMetricsForConditionalAccessBlockedSignIn(inclusiveIntervalStartDateTime=$((Get-Date).AddMinutes(-5).ToString("yyyy-MM-ddTHH:mm:ssZ")),exclusiveIntervalEndDateTime=$((Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")),aggregationIntervalInMinutes=5)").value
Logic App:
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
@nathanmcnulty
nathanmcnulty / propertiesCatalog.json
Created December 8, 2024 00:19
Properties catalog
{
"description": "",
"name": "Properties Catalog",
"roleScopeTagIds": [
"0"
],
"platforms": "windows10",
"technologies": "extensibility",
"settings": [
{
@nathanmcnulty
nathanmcnulty / gist:445aea7d5966a267e904f74525721233
Created November 24, 2024 23:25
For Tony
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"
$session.Cookies.Add((New-Object System.Net.Cookie("MC1", "<redacted>", "/", ".microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("ai_user", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("MicrosoftApplicationsTelemetryDeviceId", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("SSR", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("msresearch", "<redacted>", "/", ".microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("MSFPC", "<redacted>", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("X-PortalEndpoint-RouteKey", "wusprod_westus", "/", "security.microsoft.com")))
$session.Coo