bohops

## Deploy-EnforcedWDACScanPolicy.ps1
Write-Host "
==============================================================================================================================
*Deploy an Enforced 'Scan' Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)

*Focus: Permit signed applications at the PCACertificate level (e.g. Microsoft signed).
*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with a scan policy
*System reboots when PowerShell script finishes
*Run as a privileged user in high integrity
*To remove enforcement, comment out enforce line

## Deploy-EnforcedWDACDefaultPolicy.ps1
Write-Host "
==============================================================================================================================
*Quickly Deploy an Enforced Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)

*Focus: Permit Windows signed applications (e.g. what comes with the OS).
*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with the Default Enforced Rules
*System reboots when PowerShell script finishes
*Run as a privileged user in high integrity
*To remove enforcement, comment out enforce line
==============================================================================================================================

## Dynamic_PInvoke_Shellcode.cs
//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs

using System;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;

namespace ShellcodeLoader
{
    class Program

## AccCheckConsole.txt
*Purpose
 - UI Accessibility Checker
 - Verifies UI accessibility requirements

*LOLBIN Functionality/Steps
 1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
 2) Add proper assembly references (e.g. AccCheck.dll)
 3) Insert your C# code under a target method such as Execute()
 4) Compile to a .NET managed library (DLL)
 5) Invoke the code

## ping_monitor.py
# Quick & Dirty Ping Monitor + Email Report
# -----------------------------------------
# Code Credits:
# - Ping Server In Python: https://stackoverflow.com/questions/2953462/pinging-servers-in-python
# - Simple Python Server Monitor: https://github.com/brendancarlson/Simple-Python-Server-Monitor/blob/master/monitor.py
# -----------------------------------------
# Basic Usage: python3 ping_monitor.py
# Cron Usage:
#  - Set for every hour to avoid overwhelming SMTP server thresholds
#  - crontab -i

## Application_Guard_WDAC_Policy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.3.14</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
  <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
  <Rules>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>

## Unload_DotNet_DLLs.cs
//Unload .NET runtime modules (DLLs) with DInvoke [by @theWover]
//https://github.com/TheWover/DInvoke

/*
// License -> https://github.com/TheWover/DInvoke/blob/main/LICENSE
MIT License

Copyright (c) 2020 TheWover

Permission is hereby granted, free of charge, to any person obtaining a copy

## env_var_spoofing_NGenAssemblyUsageLog_poc.cpp
// I borrowed this great POC from Adam Chester [@_xpn_] to demonstrate spoofing for evading .NET 'Usage Logging'.
// This code will launch the target a suspended PowerShell.exe process, read PEB, update the ptr used to store environment variables, and resume the process

// Adam's original POC and blog for evading ETW with COMPlus_ETWEnabled can be found at these URLs:
// https://gist.github.com/xpn/64e5b6f7ad370c343e3ab7e9f9e22503
// https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
//
// Applicable detection guidance (with a few possible tweaks) can be found here:
// https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
//

## fsharp.fsscript
#r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"

open System.Management.Automation
open System.Management.Automation.Runspaces
open System

let runSpace = RunspaceFactory.CreateRunspace()
runSpace.Open()
let pipeline = runSpace.CreatePipeline()

## ETW_Assembly_Load_Monitor.cs
//A Quick POC for monitoring .NET Assembly Load Events with ETW
// References:
//  - Microsoft CLR Provider: https://docs.microsoft.com/en-us/dotnet/framework/performance/clr-etw-providers
//  - ETW Assembly Load Events: https://docs.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events
//  - Source Code Sample: https://github.com/microsoft/perfview/blob/master/src/TraceEvent/Samples/31_KernelAndClrMonitor.cs

using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;
using System;
	Write-Host "
	==============================================================================================================================
	*Deploy an Enforced 'Scan' Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)

	*Focus: Permit signed applications at the PCACertificate level (e.g. Microsoft signed).
	*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with a scan policy
	*System reboots when PowerShell script finishes
	*Run as a privileged user in high integrity
	*To remove enforcement, comment out enforce line
	Write-Host "
	==============================================================================================================================
	*Quickly Deploy an Enforced Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)

	*Focus: Permit Windows signed applications (e.g. what comes with the OS).
	*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with the Default Enforced Rules
	*System reboots when PowerShell script finishes
	*Run as a privileged user in high integrity
	*To remove enforcement, comment out enforce line
	==============================================================================================================================
	//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs

	using System;
	using System.Runtime.InteropServices;
	using System.Reflection;
	using System.Reflection.Emit;

	namespace ShellcodeLoader
	{
	class Program
	*Purpose
	- UI Accessibility Checker
	- Verifies UI accessibility requirements

	*LOLBIN Functionality/Steps
	1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
	2) Add proper assembly references (e.g. AccCheck.dll)
	3) Insert your C# code under a target method such as Execute()
	4) Compile to a .NET managed library (DLL)
	5) Invoke the code
	# Quick & Dirty Ping Monitor + Email Report
	# -----------------------------------------
	# Code Credits:
	# - Ping Server In Python: https://stackoverflow.com/questions/2953462/pinging-servers-in-python
	# - Simple Python Server Monitor: https://github.com/brendancarlson/Simple-Python-Server-Monitor/blob/master/monitor.py
	# -----------------------------------------
	# Basic Usage: python3 ping_monitor.py
	# Cron Usage:
	# - Set for every hour to avoid overwhelming SMTP server thresholds
	# - crontab -i
	<?xml version="1.0"?>
	<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.3.14</VersionEx>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
	<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
	<Rules>
	<Rule>
	<Option>Enabled:UMCI</Option>
	</Rule>
	//Unload .NET runtime modules (DLLs) with DInvoke [by @theWover]
	//https://github.com/TheWover/DInvoke

	/*
	// License -> https://github.com/TheWover/DInvoke/blob/main/LICENSE
	MIT License

	Copyright (c) 2020 TheWover

	Permission is hereby granted, free of charge, to any person obtaining a copy
	// I borrowed this great POC from Adam Chester [@_xpn_] to demonstrate spoofing for evading .NET 'Usage Logging'.
	// This code will launch the target a suspended PowerShell.exe process, read PEB, update the ptr used to store environment variables, and resume the process

	// Adam's original POC and blog for evading ETW with COMPlus_ETWEnabled can be found at these URLs:
	// https://gist.github.com/xpn/64e5b6f7ad370c343e3ab7e9f9e22503
	// https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
	//
	// Applicable detection guidance (with a few possible tweaks) can be found here:
	// https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
	//
	#r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"

	open System.Management.Automation
	open System.Management.Automation.Runspaces
	open System

	let runSpace = RunspaceFactory.CreateRunspace()
	runSpace.Open()
	let pipeline = runSpace.CreatePipeline()
	//A Quick POC for monitoring .NET Assembly Load Events with ETW
	// References:
	// - Microsoft CLR Provider: https://docs.microsoft.com/en-us/dotnet/framework/performance/clr-etw-providers
	// - ETW Assembly Load Events: https://docs.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events
	// - Source Code Sample: https://github.com/microsoft/perfview/blob/master/src/TraceEvent/Samples/31_KernelAndClrMonitor.cs

	using Microsoft.Diagnostics.Tracing;
	using Microsoft.Diagnostics.Tracing.Parsers;
	using Microsoft.Diagnostics.Tracing.Session;
	using System;