paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-11-02 04:43:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create disableuseraccount.ps1

Browse Source
This commit is contained in:
taylor_socfortress
2022-09-20 10:11:11 -05:00
committed by GitHub
parent 26236db7db
commit 3bf72f1deb
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
Active Response/Windows/disableuseraccount.ps1 Normal file
View File

@@ -0,0 +1,25 @@
################################
##Script to disable local user account
################################
##########
##info@socfortress.co
##########
# Read the Alert that triggered the Active Response in manager and convert to Array
$INPUT_JSON = Read-Host
$INPUT_ARRAY = $INPUT_JSON | ConvertFrom-Json
$ErrorActionPreference = "SilentlyContinue"
$user = ($INPUT_ARRAY."parameters"."alert"."cmd").ToString()
if ((Net user $user))
{
try{
Net user $user /active:no
echo "$user was disabled" | ConvertTo-Json -Compress | Out-File -width 2000 C:\"Program Files (x86)"\ossec-agent\active-response\active-responses.log -Append -Encoding ascii
}
catch {
throw $_.Exception.Message
}
}
else {
echo "$user was not found" | ConvertTo-Json -Compress | Out-File -width 2000 C:\"Program Files (x86)"\ossec-agent\active-response\active-responses.log -Append -Encoding ascii
}