Mark Burnett m8urnett
@m8urnett
m8urnett / gist:4cdf2632eb74def5cbd383d85a136b76
Last active December 15, 2023 16:26
BlueSky Windows Security Feed Keywords
Here is the list of keywords monitored for the BlueSky feed https://bsky.app/profile/did:plc:naoxihcpn44esoyun7xj56kc/feed/winsec
created using blueskyfeedcreator.com. Because of the limitation of only being able to do a straight keyword match, this list is
tuned for fewer false matches over more comprehensive matches.
Please make any suggestions in the comments.
#LOLBAS
#LOLBIN
#WindowsForensics
#WindowsHardening
#WindowsSecurity
You are a bot that determines whether a number is randomly generated by a
computer or if a human tried typing a random number.
Humans have a hard time typing random numbers because they sometimes switch
between left hand and right hand on the keyboard. The alternating between hands
is a good indicator that a number was generated by a human, but the absence of
that does not indicate it was generated by a computer. Another flaw is that
humans too often type numbers that are close to each other on the top row of an
English keyboard (taking into consideration alternating hands). Sometimes, in
an attempt to be more random, the human will alternate between these techniques
@m8urnett
m8urnett / r-AzureSecurity bookmarklet
Last active April 13, 2022 07:43
r-AzureSecurity bookmarklet
javascript:location.href='http://www.reddit.com/r/AzureSecurity/submit?url='+encodeURIComponent(location.href)+'&title='+encodeURIComponent(document.title)
c:\>netsh
netsh>rpc
netsh rpc>filter
netsh rpc filter>add rule layer=um actiontype=block
netsh rpc filter>add condition field=if_uuid matchtype=equal data=12345678-1234-abcd-ef00-0123456789ab
netsh rpc filter>add filter
netsh rpc filter>quit
1. More interactivity
a. Better prompts for blocking new outbound connections
b. Rules-based alerting
2. Advanced rules
a. Access to stuff like this: https://docs.microsoft.com/en-us/windows/win32/fwp/filtering-conditions-available-at-each-filtering-layer
b. Regex or at least wildcard rules
c. Rules based on executable signer
d. Rules based on executable parameters (for java, python, etc.)
e. Rules based on time of day/day of week
3. Custom, switchable local profiles
Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall';ID='2004';StartTime=(Get-Date).AddDays(-1)} |
Select-Object TimeCreated,
@{Name='Name'; Expression={$_.Properties[1].Value}},
@{Name='Application'; Expression={$_.Properties[4].Value}},
@{Name='Path'; Expression={$_.Properties[8].Value}},
@{Name='Created By'; Expression={$_.Properties[22].Value}},
@{Name='Direction'; Expression={$_.Properties[5].Value}},
@{Name='Action'; Expression={$_.Properties[7].Value}},
@{Name='Protocol'; Expression={$_.Properties[6].Value}},
@{Name='Local Port'; Expression={$_.Properties[11].Value}}
@m8urnett
m8urnett / autosave.vb
Created August 5, 2020 20:06
VBA auto save
'-----------------------------------------------------------------------------
' Auto save because Microsoft forces you to use OneDrive for autosave now
' Instructions:
' 1. Show the Developer ribbon
' 2. Go into Visual Basic
' 3. Add a new module in Normal
' 4. Paste this code there
Const MINUTES_INTERVAL = 5 'Set the desired interval, in minutes
<filters numItems="4">
<item>
<filterKey>{bbae6a9c-e041-4941-afc9-0c93a84b84e0}</filterKey>
<displayData>
<name>Port Scanning Prevention Filter</name>
<description>This filter prevents port scanning. This many times means there are no listeners. If debugging ensure your scenario has one.</description>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData>
/*
Copyright (c) Microsoft Corporation
SYNOPSIS
Declares the management portion of the FWP API.
*/
#include <winapifamily.h>
#pragma region Desktop Family or AppRuntime Package
<item>
<filterKey>{96809035-6827-4d6f-a6b8-980ac33511ac}</filterKey>
<displayData>
<name>Query User</name>
<description>Prompt the User for a decision corresponding this Inbound Traffic</description>
</displayData>
<flags/>
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
<providerData>
<data>1e27010000000000</data>