Converts an Nmap XML scan output file to a CSV file.
The Convert-NmapXMLToCSV function takes an Nmap XML scan output
file as input and converts it into a CSV file. The function
extracts information about IP addresses, hostnames, open and
closed ports, services, service versions, and operating systems.
The output CSV file is saved to the specified folder or to
C:\temp\NmapXMLToCSV by default.
Convert-NmapXMLToCSV [-InputXml] <String> [[-AttachmentFolderPath] <String>] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
InputXml | | A string containing the full path to the Nmap XML file that needs to be converted. | true | true (ByPropertyName) | |
AttachmentFolderPath | | The output folder path where the converted CSV file will be saved. Default location is "C:\temp\NmapXMLToCSV". | false | true (ByPropertyName) | C:\temp\NmapXMLToCSV |
Convert-NmapXMLToCSV -InputXml "C:\path\to\nmap.xml" -AttachmentFolderPath "C:\path\to\output"
This example will convert the contents of "C:\path\to\nmap.xml" into a CSV file and save it in "C:\path\to\output".
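The extraction described above, sketched as an added example (not the module's own code). The helper name ConvertFrom-NmapXmlSample, the output column names and the embedded scan data are assumptions made for illustration; the XML is a constructed sample of `nmap -oX` output.

```powershell
# Constructed sample of `nmap -oX` output, trimmed to the elements read below.
[xml]$sampleXml = @'
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https" product="nginx" version="1.24.0"/>
      </port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <hostnames/>
    <ports/>
  </host>
</nmaprun>
'@

# Hypothetical helper: one output row per <host>, safe on hosts with no names, ports or OS match.
function ConvertFrom-NmapXmlSample {
    param([Parameter(Mandatory)][xml]$Xml)

    foreach ($h in $Xml.SelectNodes('/nmaprun/host')) {
        # A host can carry several <address> elements (IP and MAC); take the IP one.
        $addr  = $h.SelectSingleNode("address[@addrtype='ipv4' or @addrtype='ipv6']")
        $names = @($h.SelectNodes('hostnames/hostname') | ForEach-Object { $_.GetAttribute('name') })
        $os    = $h.SelectSingleNode('os/osmatch')

        $open = @(); $closed = @(); $services = @()
        foreach ($p in $h.SelectNodes('ports/port')) {
            $id    = '{0}/{1}' -f $p.GetAttribute('portid'), $p.GetAttribute('protocol')
            $state = $p.SelectSingleNode('state')
            $svc   = $p.SelectSingleNode('service')
            if ($null -eq $state) { continue }

            if ($state.GetAttribute('state') -eq 'open') {
                $open += $id
                if ($null -ne $svc) {
                    # GetAttribute returns '' for a missing attribute; drop the empty parts.
                    $detail = @('name', 'product', 'version' |
                        ForEach-Object { $svc.GetAttribute($_) } | Where-Object { $_ })
                    $services += ('{0} {1}' -f $id, ($detail -join ' ')).Trim()
                }
            } elseif ($state.GetAttribute('state') -eq 'closed') {
                $closed += $id
            }
        }

        [pscustomobject]@{
            IPAddress   = if ($null -ne $addr) { $addr.GetAttribute('addr') } else { '' }
            Hostname    = $names -join ';'
            OpenPorts   = $open -join ';'
            ClosedPorts = $closed -join ';'
            Services    = $services -join ';'
            OS          = if ($null -ne $os) { $os.GetAttribute('name') } else { '' }
        }
    }
}

# Emit CSV text; pipe to Export-Csv instead to write a file.
ConvertFrom-NmapXmlSample -Xml $sampleXml | ConvertTo-Csv -NoTypeInformation
```

XPath lookups are used instead of dotted property access so that empty elements such as `<hostnames/>` and `<ports/>` yield empty cells rather than errors.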
Gets active but stale AD User accounts that haven't logged in within the last 90 days by default.
Audits Active Directory, taking "days" as the input for how far back to check for a user's last sign-in.
Output can be piped to a CSV manually, or saved automatically to C:\temp\ADActiveUserAudit or to the path
given in "AttachmentFolderPath" when the -Report switch is used.
Any user account that is enabled and has not signed in for over 90 days is a candidate for removal.
Get-ADActiveUserAudit [[-Enabled] <Boolean>] [[-DaysInactive] <Int32>] [[-AttachmentFolderPath] <String>] [[-Report]] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
Enabled | | If "$false", will also search disabled users. | false | true (ByPropertyName) | True |
DaysInactive | | How far back in days to look for sign-ins. Outside of this window, users are considered "Inactive". | false | true (ByPropertyName) | 90 |
AttachmentFolderPath | | Default path is C:\temp\ADActiveUserAudit. This is the folder where attachments are going to be saved. | false | true (ByValue) | C:\temp\ADActiveUserAudit |
Report | | Add report output as CSV to the AttachmentFolderPath directory. | false | true (ByPropertyName) | False |
The output type is the type of the objects that the cmdlet emits.
EXAMPLE 1
Get-ADActiveUserAudit
EXAMPLE 2
Get-ADActiveUserAudit -Report -Verbose
EXAMPLE 3
Get-ADActiveUserAudit -Enabled $false -DaysInactive 30 -AttachmentFolderPath "C:\temp\MyNewFolderName" -Report -Verbose
Active Directory Server and Workstation Audit with Report export option (Can also be piped to CSV if Report isn't specified).
Audits Active Directory for hosts that haven't signed in for a specified number of days. Output can be piped to a CSV manually, or automatically saved to C:\temp\ADHostAudit or a specified directory using the -Report switch.
Use the Tab key to cycle through the -HostType parameter.
Get-ADHostAudit [-HostType] <String> [[-DaystoConsiderAHostInactive] <Int32>] [[-Report]] [[-AttachmentFolderPath] <String>] [-Enabled <Boolean>] [<CommonParameters>]
Get-ADHostAudit [-OSType] <String> [[-DaystoConsiderAHostInactive] <Int32>] [[-Report]] [[-AttachmentFolderPath] <String>] [-Enabled <Boolean>] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
HostType | | Specifies the type of hosts to search for. Valid values are WindowsServers, WindowsWorkstations, and Non-Windows. | true | true (ByValue) | |
OSType | | Specifies the operating system to search for. There is no need to add wildcards. | true | true (ByValue) | |
DaystoConsiderAHostInactive | | Specifies the number of days to consider a host as inactive. | false | true (ByPropertyName) | 90 |
Report | | Saves a CSV report to the specified directory. | false | true (ByPropertyName) | False |
AttachmentFolderPath | | Specifies the directory where attachments will be saved. | false | false | C:\temp\ADHostAudit |
Enabled | | If set to $false, the function will also search for disabled computers. | false | true (ByPropertyName) | True |
EXAMPLE 1
Get-ADHostAudit -HostType WindowsServers -Report -Verbose
EXAMPLE 2
Get-ADHostAudit -HostType WindowsWorkstations -Report -Verbose
EXAMPLE 3
Get-ADHostAudit -HostType "Non-Windows" -Report -Verbose
EXAMPLE 4
Get-ADHostAudit -OSType "2008" -AttachmentFolderPath "C:\Temp\" -Report -Verbose
Retrieves the most recent LastLogon timestamp for a specified Active Directory user account from all domain controllers and outputs it as a DateTime object.
This function takes a SamAccountName input parameter for a specific user account and
retrieves the most recent LastLogon timestamp for that user from all domain controllers
in the Active Directory environment. It then returns the LastLogon timestamp as a DateTime
object. The function also checks the availability of each domain controller before querying
it, and writes an audit log with a list of available and unavailable domain controllers.
Get-ADUserLogonAudit [-SamAccountName] <Object> [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
SamAccountName | Identity, UserName, Account | Specifies the SamAccountName of the user account to be checked for the most recent LastLogon timestamp. | true | true (ByValue) | |
The input type is the type of the objects that you can pipe to the cmdlet.
Get-ADUserLogonAudit -SamAccountName "jdoe"
Retrieves the most recent LastLogon timestamp for the user account with the SamAccountName "jdoe" from all domain controllers in the Active Directory environment.
Produces three object outputs: PrivilegedGroups, AdExtendedRights, and possible service accounts.
The Get-ADUserPrivilegeAudit function produces reports on privileged groups, AD extended rights, and possible service accounts. If the -Report switch is used, the reports will be created in the specified folder. To instantiate variables with the objects, provide three objects on the left side of the assignment:
Example: $a,$b,$c = Get-ADUserPrivilegeAudit -Verbose
The objects will be populated with privileged groups, AD extended rights, and possible service accounts, respectively.
Get-ADUserPrivilegeAudit [[-AttachmentFolderPath] <String>] [[-Report]] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
AttachmentFolderPath | | Specifies the path of the folder where you want to save attachments. The default path is C:\temp\ADUserPrivilegeAudit. | false | true (ByValue) | C:\temp\ADUserPrivilegeAudit |
Report | | Adds report output as CSV to the directory specified by AttachmentFolderPath. | false | true (ByPropertyName) | False |
EXAMPLE 1
Get-ADUserPrivilegeAudit -Verbose
Gets the reports as three separate objects. To instantiate variables with the objects, provide three objects on the left side of the assignment:
Example: $a,$b,$c = Get-ADUserPrivilegeAudit -Verbose
The objects will be populated with privileged groups, AD extended rights, and possible service accounts, respectively.
EXAMPLE 2
Get-ADUserPrivilegeAudit -Report -Verbose
Returns three reports to the default folder, C:\temp\ADUserPrivilegeAudit, in a single zip file.
Takes a search string to find commonly named accounts.
Takes a search string to find commonly named accounts. For example, if you
commonly name service accounts with the prefix "svc", use "svc" for the
WildCardIdentifier to search for names that contain "svc".
Get-ADUserWildCardAudit [[-Enabled] <Boolean>] [[-DaysInactive] <Int32>] -WildCardIdentifier <String> [[-AttachmentFolderPath] <String>] [[-Report]] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
Enabled | | If "$false", will also search disabled users. | false | true (ByPropertyName) | True |
DaysInactive | | How far back in days to look for sign-ins. Outside of this window, users are considered "Inactive". | false | true (ByPropertyName) | 90 |
WildCardIdentifier | | The search string to look for in the name of the account. Case does not matter. Do not add a wildcard (*) as it will do this automatically. | true | true (ByPropertyName) | |
AttachmentFolderPath | | Default path is C:\temp\ADUserWildCardAudit. This is the folder where attachments are going to be saved. | false | true (ByValue) | C:\temp\ADUserWildCardAudit |
Report | | Add report output as CSV to the AttachmentFolderPath directory. | false | true (ByPropertyName) | False |
Get-ADUserWildCardAudit -WildCardIdentifier "svc" -Report -Verbose
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
None | Enter the date format string. | false | true (ByValue) |
Creates a host name or tag based on predetermined criteria for as many as 999 hosts at a time.
Get-HostTag [-PhysicalOrVirtual] <String> [-Prefix] <String> [-SystemOS] <String> [-DeviceFunction] <String> [[-HostCount] <Int32>] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
PhysicalOrVirtual | | Tab through selections to add 'P' or 'V' for physical or virtual to host tag. | true | true (ByPropertyName) | |
Prefix | | Enter the 2-3 letter prefix. Good for prefixing company initials, locations, or other. | true | true (ByPropertyName) | |
SystemOS | | Use tab to cycle through the following options: "Cisco ASA", "Android", "Apple IOS", "Dell Storage Center", "MACOSX", "Dell Power Edge", "Embedded", "Embedded Firmware", "Cisco IOS", "Linux", "Qualys", "Citrix ADC (Netscaler)", "Windows Thin Client", "VMWare", "Nutanix", "TrueNas", "FreeNas", "ProxMox", "Windows Workstation", "Windows Server", "Windows Server Core", "Generic OS", "Generic HyperVisor" | true | true (ByPropertyName) | |
DeviceFunction | | Use tab to cycle through the following options: "Application Server", "Backup Server", "Directory Server", "Email Server", "Firewall", "FTP Server", "Hypervisor", "File Server", "NAS File Server", "Power Distribution Unit", "Redundant Power Supply", "SAN Appliance", "SQL Server", "Uninteruptable Power Supply", "Web Server", "Management", "Blade Enclosure", "Blade Enclosure Switch", "SAN specific switch", "General server/Network switch", "Generic Function Device" | true | true (ByPropertyName) | |
HostCount | | Enter a number from 1 to 999 for how many hostnames you'd like to create. | false | true (ByPropertyName) | 1 |
Get-HostTag -PhysicalOrVirtual Physical -Prefix "CSN" -SystemOS 'Windows Server' -DeviceFunction 'Application Server' -HostCount 5
CSN-PWSVAPP001
CSN-PWSVAPP002
CSN-PWSVAPP003
CSN-PWSVAPP004
CSN-PWSVAPP005
Discovers the local network and runs port scans on all hosts found for specific or default sets of ports, displaying MAC ID vendor info.
Scans the network for open ports specified by the user or default ports if no ports are specified. Creates reports if the report switch is active and adds MAC ID vendor info if found.
NOTES:
- This function requires the PSnmap module. If not found, it will be installed automatically.
- The throttle limit determines the number of concurrent threads during scanning.
- The scan rate is limited to 32 hosts per second to ensure network stability.
- The total scan time and data transferred depend on the number of hosts.
- The average network bandwidth is approximately 32 kilobits per second.
Get-NetworkAudit [[-Ports] <Int32[]>] [-LocalSubnets] [[-ThrottleLimit] <Int32>] [-NoHops] [-AddService] [-Report] [-ScanOnPingFail] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-NetworkAudit [[-Ports] <Int32[]>] [-Computers] <String[]> [[-ThrottleLimit] <Int32>] [-NoHops] [-AddService] [-Report] [-ScanOnPingFail] [-WhatIf] [-Confirm] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
Ports | | Specifies the ports to scan. If not provided, the function uses default ports: "21", "22", "23", "25", "53", "67", "68", "80", "443", "88", "464", "123", "135", "137", "138", "139", "445", "389", "636", "514", "587", "1701", "3268", "3269", "3389", "5985", "5986". To specify ports, provide an integer or an array of integers. Example: "22", "80", "443" | false | true (ByPropertyName) | |
LocalSubnets | | Scans subnets connected to the local device. It will not scan outside of the hosting device's subnet. | true | true (ByPropertyName) | False |
Computers | | Scans a single host or an array of hosts using subnet ID in CIDR notation, IP address, NETBIOS name, or FQDN in double quotes. Example: "10.11.1.0/24", "10.11.2.0/24" | true | true (ByPropertyName) | |
ThrottleLimit | | Specifies the number of concurrent threads. Default: 32. | false | true (ByPropertyName) | 32 |
NoHops | | Prevents scans across a gateway. | false | true (ByPropertyName) | False |
AddService | | Includes the service name associated with each port in the output. | false | true (ByPropertyName) | False |
Report | | Generates a report in the C:\temp folder if specified. | false | true (ByPropertyName) | False |
ScanOnPingFail | | Scans a host even if ping fails. | false | true (ByPropertyName) | False |
WhatIf | wi | | false | false | |
Confirm | cf | | false | false | |
Get-NetworkAudit -Report
Generates a report of the network audit results in the C:\temp folder.
Performs a quick ping on a range of IP addresses and returns an array of IP addresses that responded to the ping and an array of IP addresses that failed to respond.
This function performs a quick ping on a range of IP addresses specified by the IPRange parameter.
The ping is done with a Time-to-Live (TTL) value of 128 (by default). The function returns an array
of IP addresses that responded to the ping and an array of IP addresses that failed to respond.
This function has specific behaviors depending on the PowerShell version. For PowerShell 7 and
above, it uses the 'Test-Connection' cmdlet's '-OutVariable' parameter.
Get-QuickPing [-IPRange] <Array> [[-TTL] <Int32>] [[-BufferSize] <Int32>] [[-Count] <Int32>] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
IPRange | | Specifies a range of IP addresses to ping. Can be a string with a single IP address. | true | false | |
TTL | | Specifies the Time-to-Live (TTL) value to use for the ping. The default value is 128. | false | false | 128 |
BufferSize | | Specifies the size of the buffer to use for the ping. The default value is 16. | false | false | 16 |
Count | | Specifies the number of times to send the ping request. The default value is 1. | false | false | 1 |
EXAMPLE 1
Get-QuickPing -IPRange 192.168.1.1
Performs a quick ping on the IP address 192.168.1.1 with a TTL of 128 and returns an array of IP addresses that responded to the ping and an array of IP addresses that failed to respond.
EXAMPLE 2
Get-QuickPing -IPRange "192.168.1.1", "192.168.1.2", "192.168.1.3"
Performs a quick ping on the IP addresses 192.168.1.1, 192.168.1.2, and 192.168.1.3 with a TTL of 128 and returns an array of IP addresses that responded to the ping and an array of IP addresses that failed to respond.
Retrieves the certificate information for a web server.
The Get-WebCertAudit function retrieves the certificate information for
a web server by creating a TCP connection and using SSL to retrieve
the certificate information.
Get-WebCertAudit [-Url] <String[]> [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
Url | | The URL of the web server. | true | true (ByPropertyName) | |
Get-WebCertAudit -Url "https://www.example.com"
This example retrieves the certificate information for the web server at https://www.example.com.
Joins multiple CSV files with the same headers into a single CSV file.
The Join-CSVFile function takes an array of CSV file paths, reads their
contents, and merges them into a single CSV file. The output file is saved
to the specified folder. All input CSV files must have the same headers
for the function to work correctly.
Join-CSVFile [-CSVFilePaths] <String[]> [[-AttachmentFolderPath] <String>] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
CSVFilePaths | | An array of strings containing the file paths of the CSV files to be merged. | true | true (ByPropertyName) | |
AttachmentFolderPath | | The output folder path where the merged CSV file will be saved. Default location is "C:\temp\MergedCSV". | false | true (ByPropertyName) | C:\temp\MergedCSV |
Join-CSVFile -CSVFilePaths @("C:\path\to\csv1.csv", "C:\path\to\csv2.csv") -AttachmentFolderPath "C:\path\to\output.csv"
Combines multiple audit report files into a single compressed ZIP file.
The Merge-ADAuditZip function combines multiple audit report files into a single
compressed ZIP file. The function takes an array of file paths, a maximum file
size for the output ZIP file, an output folder for the merged file, and an optional
switch to open the directory of the merged file after creation.
Merge-ADAuditZip [[-FilePaths] <String[]>] [[-MaxFileSize] <Int32>] [[-OutputFolder] <String>] [-OpenDirectory] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
FilePaths | | Specifies an array of file paths to be merged into a single compressed ZIP file. | false | false | |
MaxFileSize | | Specifies the maximum file size (in bytes) for the output ZIP file. The default value is 24 MB. | false | false | 25165824 |
OutputFolder | | Specifies the output folder for the merged compressed ZIP file. The default folder is C:\temp. | false | false | C:\temp |
OpenDirectory | | Specifies an optional switch to open the directory of the merged compressed ZIP file after creation. | false | false | False |
$workstations = Get-ADHostAudit -HostType WindowsWorkstations -Report
$servers = Get-ADHostAudit -HostType WindowsServers -Report
$nonWindows = Get-ADHostAudit -HostType "Non-Windows" -Report
Merge-ADAuditZip -FilePaths $workstations, $servers, $nonWindows
Merge-ADAuditZip -FilePaths C:\AuditReports\Report1.csv,C:\AuditReports\Report2.csv -MaxFileSize 50MB -OutputFolder C:\MergedReports -OpenDirectory
Merges Nmap network audit data with Active Directory host audit data.
The Merge-NmapToADHostAudit function takes in two CSV files, one containing Nmap network
audit data and the other containing Active Directory host audit data. It merges the data
based on matching IP addresses and hostnames, and exports the merged data to a new CSV file.
Additionally, it exports any unmatched Nmap data to a separate CSV file.
Merge-NmapToADHostAudit -ADAuditCsv <String> -NmapCsv <String> [[-AttachmentFolderPath] <String>] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
ADAuditCsv | | The path to the Active Directory host audit CSV file. | true | true (ByPropertyName) | |
NmapCsv | | The path to the Nmap network audit CSV file. | true | true (ByPropertyName) | |
AttachmentFolderPath | | The output folder path where the merged CSV file and unmatched Nmap data CSV file will be saved. Default location is "C:\temp\NmapToADHostAudit". | false | true (ByPropertyName) | C:\temp\NmapToADHostAudit |
Merge-NmapToADHostAudit -ADAuditCsv "C:\path\to\ADAudit.csv" -NmapCsv "C:\path\to\NmapAudit.csv" -AttachmentFolderPath "C:\path\to\output"
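The merge described above, sketched as an added example (not the module's own code). The helper name Merge-NmapToADSample, the CSV column names and the sample rows are assumptions made for illustration. It shows why the unmatched output matters: those rows are hosts seen on the network that have no computer object in Active Directory.

```powershell
# Constructed sample rows; the column names are assumptions for this example.
$adHosts = @'
DNSHostName,IPv4Address,OperatingSystem
srv01.corp.example.test,192.0.2.10,Windows Server 2019
ws07.corp.example.test,192.0.2.31,Windows 11 Enterprise
'@ | ConvertFrom-Csv

$nmapHosts = @'
IPAddress,Hostname,OpenPorts
192.0.2.10,srv01.corp.example.test,445/tcp;3389/tcp
192.0.2.44,WS07.corp.example.test,445/tcp
192.0.2.77,,23/tcp;80/tcp
'@ | ConvertFrom-Csv

# Hypothetical helper: match each Nmap row to an AD row by IP first, then by hostname.
function Merge-NmapToADSample {
    param(
        [Parameter(Mandatory)][object[]]$ADHosts,
        [Parameter(Mandatory)][object[]]$NmapHosts
    )

    # Hashtable literals compare string keys case-insensitively,
    # so WS07 and ws07 resolve to the same AD record.
    $byIp = @{}; $byName = @{}
    foreach ($ad in $ADHosts) {
        if ($ad.IPv4Address) { $byIp[$ad.IPv4Address] = $ad }
        if ($ad.DNSHostName) { $byName[$ad.DNSHostName] = $ad }
    }

    $merged    = [System.Collections.Generic.List[object]]::new()
    $unmatched = [System.Collections.Generic.List[object]]::new()

    foreach ($n in $NmapHosts) {
        $ad = $null; $matchedOn = $null
        if ($n.IPAddress -and $byIp.ContainsKey($n.IPAddress)) {
            $ad = $byIp[$n.IPAddress]; $matchedOn = 'IPAddress'
        } elseif ($n.Hostname -and $byName.ContainsKey($n.Hostname)) {
            # The address in AD can be stale (for example after a DHCP lease change).
            $ad = $byName[$n.Hostname]; $matchedOn = 'Hostname'
        }

        if ($null -eq $ad) { $unmatched.Add($n); continue }

        $merged.Add([pscustomobject]@{
            IPAddress       = $n.IPAddress
            Hostname        = $ad.DNSHostName
            MatchedOn       = $matchedOn
            OperatingSystem = $ad.OperatingSystem
            OpenPorts       = $n.OpenPorts
        })
    }

    [pscustomobject]@{ Merged = $merged.ToArray(); Unmatched = $unmatched.ToArray() }
}

$result = Merge-NmapToADSample -ADHosts $adHosts -NmapHosts $nmapHosts
$result.Merged    | Format-Table IPAddress, Hostname, MatchedOn, OperatingSystem, OpenPorts
$result.Unmatched | Format-Table   # on the network, no AD computer object: review these
```

With the sample rows, 192.0.2.10 matches on IP, 192.0.2.44 matches on hostname despite the changed address, and 192.0.2.77 lands in the unmatched set.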
This is a wrapper function for Send-MailKitMessage and takes string arrays as input.
Other Audit tasks can be used as the -AttachmentFiles parameter when used with the report switch.
Send-AuditEmail -AttachmentFiles <String[]> [-SMTPServer <String>] [-Port <Int32>] [-UserName <String>] [-SSL] [-From <String>] [-To <String>] [-Subject <String>] [-Body <String>] [-Pass <SecureString>] [<CommonParameters>]
Send-AuditEmail -AttachmentFiles <String[]> [-SMTPServer <String>] [-Port <Int32>] [-UserName <String>] [-SSL] [-From <String>] [-To <String>] [-Subject <String>] [-Body <String>] -Function <String> -FunctionApp <String> -Token <String> -CertificateThumbprint <String> [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
AttachmentFiles | | The full filepath to the zip you are sending: -AttachmentFiles "C:\temp\ADHostAudit\2023-01-04_03.45.14_Get-ADHostAudit_AD.CONTOSO.COM.Servers.zip" The Audit reports output this filename if the "-Report" switch is used, allowing it to be nested in this parameter for ease of automation. | true | true (ByPropertyName) | |
SMTPServer | | The SMTP Server address. For example: "smtp.office365.com" | false | false | |
Port | | The following ports can be used to send email: "993", "995", "587", "25" | false | true (ByPropertyName) | 0 |
UserName | | The Account authorized to send email via SMTP. From parameter is usually the same. | false | false | |
SSL | | Switch to ensure SSL is used during transport. | false | false | False |
From | | This is who the email will appear to originate from. This is either the same as the UserName, or, if delegated, access to an email account the Username account has delegated permissions to send for. Link: https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide | false | false | |
To | | This is the mailbox that will be the recipient of the communication. | false | false | |
Subject | | The subject is automatically populated with the name of the function that ran the script, as well as the domain and hostname. If you specify subject in the parameters, it will override the default with your subject. | false | false | "$($script:MyInvocation.MyCommand.Name -replace '\..*') report ran for $($env:USERDOMAIN) on host $($env:COMPUTERNAME)." |
Body | | The body of the message, pre-populates with the same data as the subject line. Specify body text in the function parameters to override. | false | false | "$($script:MyInvocation.MyCommand.Name -replace '\..*') report ran for $($env:USERDOMAIN) on host $($env:COMPUTERNAME)." |
Pass | | Takes a SecureString as input. The password must be added to the command by using: -Pass (Read-Host -AsSecureString) You will be prompted to enter the password for the UserName parameter. | false | false | |
Function | | If you are using the optional function feature and created a password retrieval function, this is the name of the function in Azure AD that accesses the vault. | true | false | |
FunctionApp | | If you are using the optional function feature, this is the name of the function app in Azure AD. | true | false | |
Token | | If you are using the optional function feature, this is the API token for the specific function. Ensure you are using the "Function Key" and NOT the "Host Key" to ensure access is only to the specific function. | true | false | |
CertificateThumbprint | | API key for the Azure Function App | true | false | |
Send-AuditEmail -SMTPServer "smtp.office365.com" -Port 587 -UserName "Username@contoso.com" `
-From "Username@contoso.com" -To "user@anothercompany.com" -Pass (Read-Host -AsSecureString) -AttachmentFiles "$(Get-ADActiveUserAudit -Report)" -SSL
Send-AuditEmail -SMTPServer "smtp.office365.com" -Port 587 -UserName "Username@contoso.com" `
-From "Username@contoso.com" -To "user@anothercompany.com" -AttachmentFiles "$(Get-ADActiveUserAudit -Report)" -FunctionApp "MyVaultFunctionApp" `
-Function "MyClientSpecificFunction" -Token "ABCDEF123456" -SSL
Uploads a file to an FTP server using the WinSCP module.
The Submit-FTPUpload function uploads a file to an FTP server using the WinSCP module.
The function takes several parameters, including the FTP server name, the username and
password of the account to use, the protocol to use, and the file to upload.
Submit-FTPUpload [[-FTPUserName] <String>] [[-Password] <SecureString>] [[-FTPHostName] <String>] [[-Protocol] <String>] [[-FTPSecure] <String>] [[-SshHostKeyFingerprint] <String[]>] [[-LocalFilePath] <String[]>] [[-RemoteFTPPath] <String>] [<CommonParameters>]
Name | Alias | Description | Required? | Pipeline Input | Default Value |
---|---|---|---|---|---|
FTPUserName | | Specifies the username to use when connecting to the FTP server. | false | false | |
Password | | Specifies the password to use when connecting to the FTP server. | false | false | |
FTPHostName | | Specifies the name of the FTP server to connect to. | false | false | |
Protocol | | Specifies the protocol to use when connecting to the FTP server. The default value is SFTP. | false | false | Sftp |
FTPSecure | | Specifies the level of security to use when connecting to the FTP server. The default value is None. | false | false | None |
SshHostKeyFingerprint | | Specifies the fingerprint of the SSH host key to use when connecting to the FTP server. This parameter is mandatory with SFTP and SCP. | false | false | |
LocalFilePath | | Specifies the local path to the file to upload to the FTP server. | false | false | |
RemoteFTPPath | | Specifies the remote path to upload the file to on the FTP server. | false | false | |
Submit-FTPUpload -FTPUserName "username" -Password $Password -FTPHostName "ftp.example.com" -Protocol "Sftp" -FTPSecure "None" -SshHostKeyFingerprint "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff" -LocalFilePath "C:\temp\file.txt" -RemoteFTPPath "/folder"