WINDOWS. PS. SECURITY. Users do not require pre-authentication

Purpose

Here's a PowerShell script that will allow you to get the list of users who do not require pre-authentication in your environment.

Steps

# Importar el módulo de Active Directory

Import-Module ActiveDirectory

# Obtener todos los usuarios que no requieren autenticación previa

$usuariosSinAutenticacionPrevia = Get-ADUser -Filter {UserAccountControl -band 0x20000} -Properties DisplayName, UserPrincipalName

# Mostrar la lista de usuarios

$usuariosSinAutenticacionPrevia | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize

by GoN | Published: Jun 2025 | Last Updated:

WINDOWS. PS. SECURITY. SPN. Service Principal Name

Purpose

PowerShell script that will allow you to verify if a SPN (Service Principal Name) exists in the domain that allows you to generate a TGS (Ticket Granting Service) ticket. This script searches Active Directory for registered SPNs and displays those that meet the criteria.

Steps

# Importar el módulo de Active Directory

Import-Module ActiveDirectory

# Definir el SPN que deseas buscar

$spn = "HTTP/*"

# Buscar cuentas de servicio con el SPN especificado

$cuentasConSPN = Get-ADObject -Filter {ServicePrincipalName -like $spn} -Properties ServicePrincipalName, Name

# Verificar si se encontraron cuentas con el SPN

if ($cuentasConSPN) {

    Write-Output "Se encontraron las siguientes cuentas con el SPN '$spn':"

    $cuentasConSPN | Select-Object Name, ServicePrincipalName | Format-Table -AutoSize

} else {

    Write-Output "No se encontraron cuentas con el SPN '$spn'."

}

By GoN | Published: Jun 2025 | Last Updated:

Search my shared resources for the words "contraseña|password|contrasenya" and report it to me in a file.I'm looking for words to ask the user to save their passwords in a secure place like Keepass.Steps

 Purpose

Search my shared resources for the words "contraseña|password|contrasenya" and report it to me in a file.

I'm looking for words to ask the user to save their passwords in a secure place like Keepass.

Steps

# Función para obtener el propietario de un archivo o carpeta
function Get-Owner {
    param (
        [string]$Path
    )
    $acl = Get-Acl -Path $Path
    $owner = $acl.Owner
    return $owner
}
# Función para obtener los permisos de escritura de un archivo o carpeta
function Get-WritePermissions {
    param (
        [string]$Path
    )
    $acl = Get-Acl -Path $Path
    $permissions = @()
    foreach ($access in $acl.Access) {
        if ($access.FileSystemRights -match "Write") {
            $permissions += $access.IdentityReference
        }
    }
    return $permissions -join ", "
}
# Crear el archivo CSV y añadir encabezados
$csvPath = "resultado.csv"
"Nombre,RutaCompleta,RutaRelativa,Propietario,PermisosDeEscritura" | Out-File -FilePath $csvPath -Encoding UTF8
# Función para recorrer la estructura de directorios de una ruta de red
function Search-Path {
    param (
        [string]$NetworkPath
    )
    Get-ChildItem -Path $NetworkPath -Recurse | ForEach-Object {
        if ($_ -match "contraseña|password|contrasenya") {
            $owner = Get-Owner -Path $_.FullName
            $writePermissions = Get-WritePermissions -Path $_.FullName
            $relativePath = $_.FullName.Substring($NetworkPath.Length)  # Obtener la ruta relativa
            $result = "$($_.Name),$($_.FullName),$relativePath,$owner,$writePermissions"
            $result | Out-File -FilePath $csvPath -Append -Encoding UTF8
        }
    }
}
# Recorrer las rutas de red
Search-Path -NetworkPath "\\server1\d$"
Search-Path -NetworkPath "\\server2\r$"
Search-Path -NetworkPath "\\server4\r$"
Write-Host "El archivo resultado.csv ha sido creado con éxito."

 By GoN | Published: Jun 2025 | Last Updated:

ISC2 International Information System Security Certification. Cetified in Cybersecurity

    Adding a new certification to my CV 

by GoN | Published: Jun 2025 | Last Updated:

ADVANCED CYBERSECURITY IN OPERATIONAL TECHNOLOGY ENVIRONMENTS

   Adding a new certification to my CV 

by GoN | Published: May 2025 | Last Updated:

WINDOWS. Host. Performance report

 Purpose

Use a command to get a detailed performance report for a host

Steps

Command: perfmon /report

Command: Some screenshots:

By GoN | Published: Mar 2025 | Last Updated:

WINDOWS. AD. OSINT. Locate privileged users

Purpose

Locate and discover privileged user in Active Directory. Locate privileged users in the AD, either by direct association or by nesting to a group with special privileges.

Steps

[*] AD users have a property that is set to one if you have direct nested privileges in any AD group.

COMMAND: Get-ADUser administrador -properties *

[*] List All users

Command: Get-ADUser -Filter {AdminCount -eq 1} - | Select-Object Name, SamAccountName

[*]  View user information

We already have a way to attack a network and try to make lateral movement.

By GoN | Published: Feb 2025 | Last Updated:

WINDOWS. PS. Users list

 Purpose

List AD users with the most important properties and then work with them in Excel.

Steps

Run te script: 

# Importar el módulo de Active Directory

Import-Module ActiveDirectory

 # Obtener todos los usuarios y seleccionar los campos deseados

Get-ADUser -Filter * -Property SamAccountName, DisplayName, CN, Enabled, LockedOut, AccountExpirationDate, EmailAddress, WhenCreated, LastLogonDate, PasswordLastSet, LogonWorkstations, PasswordNeverExpires, PasswordNotRequired, DistinguishedName, Description |

Select-Object SamAccountName,

              DisplayName,

              CN,

              Enabled,

              LockedOut,

              AccountExpirationDate,

              EmailAddress,

              WhenCreated,

              LastLogonDate,

              PasswordLastSet,

              LogonWorkstations,

              @{Name="La cuenta expira";Expression={$_.AccountExpirationDate}},

              @{Name="la contraseña nunca expira";Expression={$_.PasswordNeverExpires}},

              @{Name="no requiere contraseña";Expression={$_.PasswordNotRequired}},

              DistinguishedName,

              Description |

Export-Csv -Path "C:\tmp\Usuarios30012025.csv" -NoTypeInformation -Encoding UTF8 -Delimiter "#"

We will be left with an output like this 

By GoN | Published: Jan 2025 | Last Updated:

WINDOWS. GPO. Block executables

Purpose

The purpose of this post is to block an executable on a network of PCs.

Steps

Here are the steps to block the VNC.exe program (or any executable) on all domain PCs, even if you don’t know its location:

• Open the Group Policy Management Editor: 
• On the server, open “Server Manager” and select “Tools” > “Group Policy Management”.

• Create a new GPO:

• Right-click on the domain or the organizational unit (OU) where you want to apply the policy and select “Create a GPO in this domain, and Link it here”.
• Name the new GPO, for example, “Block VNC.exe”.

• Configure the GPO:

• Right-click on the new GPO and select “Edit”.
• Navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Software Restriction Policies”.
• Right-click on “Software Restriction Policies” and select “Create New Policies”.

• Add a path-based restriction rule:
• Under “Additional Rules”, right-click and select “New Path Rule”.
• In the path field, enter *\\pp.exe to block any file named vnc.exe regardless of its location.
• Set the rule to “Disallowed”.

• Apply the GPO:
• Close the Group Policy Management Editor.
• In the “Group Policy Management” console, ensure the GPO is linked to the correct domain or OU.

• Update policies on domain PCs:
• On each domain PC, open a command prompt and run gpupdate /force to apply the new policies immediately.

These steps should help you block the vnc.exe program on all domain PCs, regardless of its folder location. 

You only have to modify what is in yellow, the rest of the GPO content will be added by itself.

As a point of improvement, in case someone renames the executable would be to set it by HASH

By GoN | Published: Jan 2025 | Last Updated: