KillChain_utils.ps1

# Checks whether the domain has MX records pointing to MS cloud
# Jun 16th 2020
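function HasCloudMX
{
    # Returns $True when at least one MX record of $Domain matches
    # *.mail.protection.outlook.com, otherwise $False.
    # Lookup errors are suppressed (-ErrorAction SilentlyContinue), so a domain
    # that cannot be resolved is reported as $False rather than raising.
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$Domain
    )
    Process
    {
        $exchangers = Resolve-DnsName -Name $Domain -Type MX -DnsOnly -NoHostsFile -NoIdn -ErrorAction SilentlyContinue | Select-Object nameexchange | Select-Object -ExpandProperty nameexchange

        # -like filters only when its left operand is a collection. On a scalar
        # or $null it returns a Boolean, and a Boolean has .Count 1, so a domain
        # with a single non-matching MX record (or none at all) used to be
        # reported as cloud-hosted. Forcing an array keeps filter semantics and
        # avoids that false positive in the mail-posture result.
        $cloudHosts = @(@($exchangers) -like "*.mail.protection.outlook.com")

        return $cloudHosts.Count -gt 0
    }
}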

# Checks whether the domain has SPF records allowing sending from cloud
# Jun 16th 2020
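function HasCloudSPF
{
    # Returns $True when any TXT string of $Domain contains
    # "include:spf.protection.outlook.com", otherwise $False.
    # Lookup errors are suppressed, so an unresolvable domain yields $False.
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$Domain
    )
    Process
    {
        $txtStrings = Resolve-DnsName -Name $Domain -Type txt -DnsOnly -NoHostsFile -NoIdn -ErrorAction SilentlyContinue | Select-Object strings | Select-Object -ExpandProperty strings

        # -like on a scalar or $null returns a Boolean whose .Count is 1, which
        # made a domain with one unrelated TXT string (or no TXT record) look
        # like it authorises the cloud sender. Force an array so -like filters.
        $cloudIncludes = @(@($txtStrings) -like "*include:spf.protection.outlook.com*")

        return $cloudIncludes.Count -gt 0
    }
}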

# Checks whether the domain has a DMARC record (TXT record at _dmarc.<domain>)
# Sep 23rd 2020
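function HasDMARC
{
    # Returns $True when a TXT string at _dmarc.<Domain> starts with "v=DMARC1",
    # otherwise $False. Lookup failures are treated as "no record".
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$Domain
    )
    Process
    {
        # Initialise explicitly so a failed lookup cannot leave the variable unset.
        $txtStrings = $null
        try
        {
            $txtStrings = Resolve-DnsName -Name "_dmarc.$Domain" -Type txt -DnsOnly -NoHostsFile -NoIdn -ErrorAction SilentlyContinue | Select-Object strings | Select-Object -ExpandProperty strings
        }
        catch
        {
            # Best effort: a terminating lookup error means no DMARC record was found.
            Write-Verbose "DMARC lookup for $Domain failed: $($_.Exception.Message)"
        }

        # -like on a scalar or $null returns a Boolean whose .Count is 1, so a
        # domain without any DMARC record used to be reported as protected.
        # Force an array so -like filters and the count reflects real matches.
        $dmarcRecords = @(@($txtStrings) -like "v=DMARC1*")

        return $dmarcRecords.Count -gt 0
    }
}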

# Checks whether the domain has DesktopSSO enabled
# Jun 16th 2020
function HasDesktopSSO
{
    # Reports whether the credential-type lookup for a placeholder user in
    # $Domain has EstsProperties.DesktopSsoEnabled equal to "True".
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [String]$Domain
    )
    Process
    {
        # The user name is only a probe; the flag is read from the response.
        $probe   = Get-CredentialType -UserName "nn@$domain"
        $ssoFlag = $probe.EstsProperties.DesktopSsoEnabled

        return ($ssoFlag -eq "True")
    }
}



# Checks whether the user exists in Azure AD or not
# Jun 16th 2020
function DoesUserExists
{
    # Returns $True when the credential-type lookup reports DesktopSsoEnabled
    # and IfExistsResult is 0 or 6; otherwise $False.
    # NOTE: $False is also returned when Desktop SSO is not enabled, so a
    # $False result does not by itself show that the account is absent.
    [cmdletbinding()]
    Param(
        [Parameter(ParameterSetName="External", Mandatory=$True)]
        [Parameter(ParameterSetName="Normal", Mandatory=$True)]
        [String]$User,
        [Parameter(ParameterSetName="External", Mandatory=$True)]
        [Switch]$External,
        [Parameter(ParameterSetName="External",Mandatory=$True)]
        [String]$Domain
    )
    Process
    {
        # External (guest) accounts use the form <user with @ replaced by _>#EXT#@<domain>
        if($External)
        {
            $guestAlias = $User.Replace("@","_")
            $User = "${guestAlias}#EXT#@$domain"
        }

        # Look up the credential type information for the (possibly rewritten) name
        $lookup = Get-CredentialType -UserName $User

        # The existence result is only evaluated when desktop SSO (Seamless SSO) is enabled
        if(-not ($lookup.EstsProperties.DesktopSsoEnabled -eq "True"))
        {
            return $false
        }

        return ($lookup.IfExistsResult -eq 0 -or $lookup.IfExistsResult -eq 6)
    }
}