JM Conway jmconway
jmconway
/ Set-WinVerifyTrustMitigations.ps1
Created
March 31, 2023 20:07
Hardening Changes for WinVerifyTrust Signature Validation Vuln (CVE-2013-3900)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# Hardening Changes for WinVerifyTrust Signature Validation Vuln (CVE-2013-3900) | |
| ## 10+ year old "Opt In" Mitigation Still Exploited to This Day | |
| ## https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 | |
| ## https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3900 | |
| ## Inspired by: https://www.bleepingcomputer.com/news/microsoft/10-year-old-windows-bug-with-opt-in-fix-exploited-in-3cx-attack/ | |
| #> | |
| <# Helper Function | |
| ## For the purposes of this script, assume DWORD values | |
| #> |
jmconway
/ Set-Win10Baseline21H2.ps1
Created
May 29, 2022 21:51
PowerShell module/helper script with custom functions for imaging Windows 10 build 21H2 with MDT/WDS.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # For the purposes of this script, assume DWORD values | |
| function Set-RegistryItem { | |
| param ( | |
| [CmdletBinding()] | |
| [string]$Path | |
| ) | |
| param ( | |
| [CmdletBinding()] | |
| [string]$Name | |
| ) |
jmconway
/ symantec_trojankilldisk.json
Created
February 24, 2022 20:36
Custom IOCs for CrowdStrike of Wiper Malware detailed by Symantec: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [{"id":"200074e5620e35537d603e650752542ab291caa0dd7fe454505153b8108c1fb6","cid":"dc674dd858a84b689924ad92032d57be","type":"sha256","value":"4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382","action":"prevent","mobile_action":"no_action","severity":"critical","severity_number":"90","description":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia","metadata":{"filename":"Trojan.Killdisk","signed":false,"av_hits":5},"platforms":["windows"],"expired":false,"applied_globally":true,"deleted":false,"created_on":"2022-02-24T20:25:32.052764249Z","modified_on":"2022-02-24T20:27:31.151955481Z"},{"id":"8a86f9ab6cdf26120b3040f75c2a31ee5ac3680b79ae8e1147daab198bca473c","cid":"dc674dd858a84b689924ad92032d57be","type":"sha256","value":"a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e","action":"prevent","mobile_action":"no_action","severity":"critical","severity_number":"90","description":"https://symantec-enterprise-blogs.security.com/blogs/ |
jmconway
/ BlackByteIOCs.csv
Last active
February 15, 2022 19:10
CISA/FBI Indicators of Compromise for the BlackByte Ransomeware as reported in https://www.ic3.gov/Media/News/2022/220211.pdf on 2/15/2022; I took the MD5 hashes listed in the PDF for import as Custom IoCs in CrowdStrike.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 4d2da36174633565f3dd5ed6dc5033c4 | cd7034692d8f29f9146deb3641de7986 | d63a7756bfdcd2be6c755bf288a92c8b | eed7357ab8d2fe31ea3dbcf3f9b7ec74 | 695e343b81a7b0208cbae33e11f7044c | 296c51eb03e70808304b5f0e050f4f94 | 0c7b8da133799dd72d0dbe3ea012031e | a77899602387665cddb6a0f021184a2b | 1473c91e9c0588f92928bed0ebf5e0f4 | 28b791746c97c0c04dcbfe0954e7173b | 52b8ae74406e2f52fd81c8458647acd8 | 1785f4058c78ae3dd030808212ae3b04 | b8e24e6436f6bed17757d011780e87b9 | 8dfa48e56fc3a6a2272771e708cdb4d2 | 4ce0bdd2d4303bf77611b8b34c7d2883 | c010d1326689b95a3d8106f75003427c | ae6fbc60ba9c0f3a0fef72aeffcd3dc7 | 405cb8b1e55bb2a50f2ef3e7c2b28496 | 11e35160fc4efabd0a3bd7a7c6afc91b | 659b77f88288b4874b5abe41ed36380d | 151c6f04aeff0e00c54929f25328f6f7 | 959a7df5c465fcd963a641d87c18a565 | 5f40e1859053b70df9c0753d327f2cee | df7befc8cdc3c5434ef27cc669fb1e4b | 51f2cf541f004d3c1fa8b0f94c89914a | d9e94f076d175ace80f211ea298fa46e | 8320d9ec2eab7f5ff49186b2e630a15f | cea6be26d81a8ff3db0d9da666cd0f8f | 31f818372fa07d1fd158c91510b6a077 | d9e94f076d175ace80f211ea298fa46e | a9cf6dce244ad9afd8ca92820b9c11b9 | 7 |
|---|
jmconway
/ Set-21H2Baseline.ps1
Created
January 27, 2022 19:27
Two functions I wrote for our Windows 10 21H2 Enterprise imaging process: Set-OptionalFeatures with the features I like disabled and enabled; Remove-AppxPackages for removing first individual AppxPackages that aren't necessary to Windows 10 for all users, and then removing the Provisioned AppxPackages associated from the live Windows image.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Set-OptionalFeatures { | |
| # Features we want to disable by default | |
| $toDisable = "Internet-Explorer-Optional-amd64","MicrosoftWindowsPowerShellV2","MicrosoftWindowsPowerShellV2Root","Printing-XPSServices-Features","WCF-Services45","WCF-TCP-PortSharing45","WindowsMediaPlayer","WorkFolders-Client" | |
| foreach ($feature in $toDisable) { | |
| Get-WindowsOptionalFeature -Online -FeatureName $feature | Disable-WindowsOptionalFeature -Online -NoRestart -Remove -Verbose | |
| } | |
| # Features we want to enable by default | |
| $toEnable = "Containers", "Containers-DisposableClientVM","Windows-Defender-ApplicationGuard", "Microsoft-Windows-Subsystem-Linux" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PS C:\Windows\system32> $PSVersionTable | |
| Name Value | |
| ---- ----- | |
| PSVersion 5.1.19041.1320 | |
| PSEdition Desktop | |
| PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...} | |
| BuildVersion 10.0.19041.1320 | |
| CLRVersion 4.0.30319.42000 | |
| WSManStackVersion 3.0 |
jmconway
/ Compare-ADFromFile.ps1
Created
June 19, 2021 14:32
Function to take a given txt or csv file and compare it against your Active Directory.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Function to take a given txt or csv file and compare it against Active Directory | |
| # Requires the Active Directory PowerShell Module | |
| # EXAMPLE: Compare-ADFromFile -File .\affected_user_accounts.txt | |
| function Compare-ADFromFile { | |
| # Path to the file of names to compare against AD | |
| [CmdletBinding()] | |
| param ( | |
| [Parameter(Position=0, Mandatory, ValueFromPipeline)] | |
| [System.String[]] | |
| $File |
jmconway
/ Invoke-IEKiosk.ps1
Created
June 10, 2021 13:49
A loopy sign-on script I had a lot of fun writing for Internet Explorer (RIP). This was originally written for Windows-based "digital signage" displays that would show a printer's queue from its webpage via IE, refresh the page every 60 seconds via method, and handle relaunching were the browser to crash.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $URL = "" | |
| $targetprocess = "iexplore" | |
| $process = Get-Process -Name $targetprocess -ErrorAction SilentlyContinue | |
| # Infinite loop | |
| while ($true){ | |
| # Initial launch of the application | |
| # While the process is not running | |
| while (!($process)){ | |
| $process = Get-Process -Name $targetprocess -ErrorAction SilentlyContinue |
jmconway
/ Disable-Cortana.ps1
Created
May 12, 2021 17:03
Basic script to disable Cortana via the Registry during WDS/MDT deployments of Windows 10.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Disable Cortana | |
| $regPath = "HKLM:\\SOFTWARE\Policies\Microsoft\Windows\Windows Search" | |
| $regName = "AllowCortana" | |
| $regValue = "0" | |
| # If $regPath doesn't exist (which it likely doesn't by default), create it | |
| if (!(Test-Path -Path $regPath)) { | |
| New-Item -Path $regPath |
jmconway
/ Remove-20H2Appx.ps1
Created
May 12, 2021 17:02
A basic script for removing Windows 10 AppX Packages and Provisioned Packages run during my WDS/MDT deployment, of build 20H2 specifically in this gist. While I don't recommend sysprep anymore, note that in order to avoid issues with it or other operations, both related AppX packages and AppX provisioned packages need to be removed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $provisioned = "Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe","Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe","Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe","Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe","Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe","Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe","Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe","microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe","Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe","Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe","Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe","Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe" | |
| $appx = "Microsoft.Windows.PeopleExperienceHost","Microsoft.GetHelp","Microsoft.Getstarted","Microsoft.MicrosoftOfficeHub","Microsoft.MicrosoftSolitaireCollection","Microsoft.Office.OneNote","Microsoft.Wallet","mi |
NewerOlder