A collection of scripts that extend EventSentry's functionality. For more information: EventSentry Validation Scripts
AD-ListUnlockUsers.ps1: This script is for listing locked users in your AD (if any) and let you unlock them. Great to have it on hand on any machine of your AD instead to need to log in into your DC and search for the user. RSAT need to be installed (from optional features) or you can run Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online or Get-WindowsCapability -Name RSAT* -Online | Where-Object Name -like "*Directory*" | Add-WindowsCapability -Online for Windows 11
antiransom_shutdown.vbs: This script, given a user name as a command line argument, utilizes the "net session" command to find the host with the most recent file access activity associated with the given user name. Attempts to shut down the remote host when given the additional "shutdown" command line parameter. More information and script used on this Blog Article
block_utilman1.cmd Windows bath script to perform a number of tasks to alleviate the threat: Block access to the file (this includes delete, rename, and execution); Change the user password; Turn off the computer. Script used for "Detecting and automatically recovering from bypassing Windows logons with utilman.exe" Video demostration Here link article KB-433.
check_last_file_modify.vbs Checks when a file was last modified
disable_insecure_ciphers.ps1 Powershell script to disable insecure ciphers on Windows Server and Desktop. Info: Validation Script
DomainExpirationCheck.ps1 Powershell script to check if domain registration is about to expire (in less than 30 days or less). using WhoIsXMLApi.com / Will exit errorlevel 0 if no expiration or error / Will exit errorlevel 1 if is about to expire / Will exit errorlevel 998 (warning) if there was an error querying the server or there was no expiration day in API reply (domain not fully supported)
Log4J-Vuln-Scanner.cmd Windows Batch + Powershell script to search for Log4J libraries and check if they contain vulnerable class to CVE-2021-44228/CVE-2021-45046 Validation Script
msdiagtool-CVE-2022-30190.cmd Microsoft Recommended workaroud for CVE-2022-30190 Validation Script - MS CVE-2022-30190
noaccfiles.ps1 PowerShell script that outputs files not accessed or modified in a certain number days. Used in KB 454 "How can I list files that weren't modified in the last X days?" KB-454
postgresql_ram_tuning.ps1 PowerShell script to print recommended ram settings on key settings for tunning PostgreSQL performance. Script can use the machine ram or user input. For more information check EventSentry KB on How can I optimize the performance of the built-in EventSentry (PostgreSQL) database?
powershell-logging.reg Registry file to enable PowerShell logging for validation script "PowerShell: Logging should be enabled". For more information read this EventSentry Blog Post
SMBv3_compression_set_vul-200313_181916.cmd CVE advisory CVE-2020-0796 explains a remote code execution vulnerability that exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests that affect Windows 10 and Windows Server. This script is intended to quickly patch that vulnerability. Script used in article on how to quickly patch vulnerability using EventSentry KB-415
removable_audit_set.cmd This script will help to set the correct registry key to enable Removable Storage Audit. See KB-410
crypto_to_usd.ps1 Outputs the current USD value of a crypto coin, can be integrated with EventSentry's performance monitoring to support charting and alerts. Simply pass the symbol name (e.g. BTC) as an argument.
stix.vbs Transforms STIX file into EventSentry's threat intel format.