Skip to content

Helper‐Scripts

Jump to bottom
evild3ad edited this page Mar 25, 2024 · 9 revisions

Create-Certificate.ps1

TL;DR
Automated Creation of Self-Signed Certificate for using Microsoft-Extractor-Suite via Graph API.

1.) Register an application with Microsoft Entra ID (e.g. Invictus_IR-App)
2.) Create self-signed certificate

.\Create-Certificate.ps1

Case-Number
Fig 1: Enter Case Number (or Company Name)

Create-Certificate
Fig 2: Generating Self-Signed Certificate for Microsoft Graph API

3.) Upload public certificate (e.g. Invictus_IR-App.cer)
4.) Add API permissions (e.g. IdentityRiskEvent.Read.All, AuditLogsQuery.Read.All, etc.)
5.) Request permissions → Grant admin consent for your application
6.) Specify App-only access for authentication and authorization when using Microsoft-Extractor-Suite functions

Get-RiskyDetections -Application

Helpful Commands

List Certificate(s) for 'Invictus_IR-App'

Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object {$_.Subject -match "CN=Invictus_IR-App"} | Select-Object Thumbprint,Subject,NotBefore,NotAfter,FriendlyName | Sort-Object NotBefore

Delete Self-Signed Certificate from Current User Certificate Store

Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object {$_.Subject -match "CN=Invictus_IR-App"} | Where-Object {$_.Thumbprint -match "<Thumbprint>"} | Remove-Item

Authenticate w/ Certificate

Connect-MgGraph -TenantId "<TenantId>" -AppId "<AppId>" -CertificateThumbprint "<CertificateThumbprint>"`

Export the generated certificate with a private key to a password protected PFX file

$CertPassword = ConvertTo-SecureString -String "<CertPassword>" -Force -AsPlainText  
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\<CertificateThumbprint>" -FilePath "$env:USERPROFILE\Desktop\Invictus_IR-App.pfx" -Password $CertPassword | Out-Null

Add PFX file to the Certificate Store on a different computer

$CertPassword = ConvertTo-SecureString -String "<CertPassword>" -Force -AsPlainText  
Import-PfxCertificate -FilePath "$env:USERPROFILE\Desktop\Invictus_IR-App.pfx" -CertStoreLocation Cert:\CurrentUser\My -Password $CertPassword

Updater.ps1

TL;DR
Automated Installer/Updater for the Microsoft-Analyzer-Suite.

.\Updater.ps1

Updater
Fig 3: Update all dependencies for Microsoft-Extractor-Suite and Microsoft-Analyzer-Suite 💪

Clone this wiki locally