sasqwatch
@sasqwatch
sasqwatch / disable_multicast.cmd
Created October 19, 2023 19:04 — forked from 1ijack/disable_multicast.cmd
Change DNSClient/LLMNR behavior [enable/disable/restoreDefault] using the Windows registry. A restart may be required for the settings to take effect.
:: by JaCk (script structure/functions only) | Release 09/04/2018 | url https://gist.github.com/1ijack/bd5ed0da9bcaebb2a14e3698cefe7a49 | disable_multicast.cmd -- change DNSClient/LLMNR behavior [enable/disable/restoreDefault] using the Windows registry. A restart may be required for the settings to take effect.
:: Original source -- https://computerstepbystep.com/turn-off-multicast-name-resolution.html#CMD
@goto:argParser
rem - JaCkd Note: this seems backwards, but per site instructions: Enable = 0; Disable = 1
rem ~ Posted on [unknown] at url [https://computerstepbystep.com/turn-off-multicast-name-resolution.html#PowerShellScript]
rem *Description*: Local Link Multicast Name Resolution (LLMNR) is a secondary name resolution protocol. Queries are sent over the Local Link, a single subnet, from a client machine using Multicast to which another client on the same link, which also has LLMNR enabled, can respond. LLMNR provides name resolution in scenarios in which conventional DNS name resolution is not p
function PNValidate {
$Results = [PSCustomObject]@{
Spooler = $null
PatchInstalled = $false
RestrictDriverInstallationToAdministrators = $null
NoWarningNoElevationOnInstall = $null
UpdatePromptSettings = $null
Exploitable = $true
Explanation = $null
}
@sasqwatch
sasqwatch / Cleanup-ClickOnce.ps1
Created June 28, 2023 04:57 — forked from mgeeky/Cleanup-ClickOnce.ps1
Cleanup-ClickOnce.ps1 - Simple PowerShell script that removes ClickOnce deployments entirely from the file system and registry. Attempts to remove both installed and online-only deployments.
#
# Simple PowerShell script that removes ClickOnce deployments entirely from the file system and registry.
# Attempts to remove both installed and online-only deployments.
#
# Authored: Mariusz Banach / mgeeky, <mb [at] binary-offensive.com>
#
# Usage:
# PS> . .\Cleanup-ClickOnce.ps1
# PS> Cleanup-ClickOnce -Name MyAppName
#
@sasqwatch
sasqwatch / check_vulnerabledrivers.ps1
Created May 22, 2023 21:56 — forked from api0cradle/check_vulnerabledrivers.ps1
A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io
# Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list
# Author: Oddvar Moe - @oddvar.moe
$drivers = get-childitem -Path c:\windows\system32\drivers
$web_client = new-object system.net.webclient
$loldrivers = $web_client.DownloadString("https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json
Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count)
foreach ($lol in $loldrivers.KnownVulnerableSamples)
{
@sasqwatch
sasqwatch / Example_WMI_Detection_EventLogAlert.ps1
Created September 21, 2022 23:09
An example of how to use permanent WMI event subscriptions to log a malicious action to the event log
# Define the signature - i.e. __EventFilter
$EventFilterArgs = @{
EventNamespace = 'root/cimv2'
Name = 'LateralMovementEvent'
Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"'
QueryLanguage = 'WQL'
}
$InstanceArgs = @{
Namespace = 'root/subscription'
@sasqwatch
sasqwatch / gist:54697d99f9496e6d37e922fad44bcbe8
Created September 21, 2022 23:09
MSBuild Property Functions - Load RWX Memory Mapped File
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@sasqwatch
sasqwatch / MITRE_Attack_WindowsAppControl.csv
Created August 29, 2022 20:53 — forked from mgraeber-rc/MITRE_Attack_WindowsAppControl.csv
Windows-specific MITRE ATT&CK techniques application control prevention assessment. This is a first attempt to assess the extent to which application control solutions would mitigate/prevent attack techniques. Note: this highly subjective assessment assumes a system that enforces an application control solution that at a minimum allows all Windo…
ID,Name,MitigatedByAppControl,Notes
T1001,Data Obfuscation,Not Applicable,Relevant sub-techniques addressed below
T1001.001,Junk Data,No,Technique is not necessarily related to the execution of arbitrary code on an endpoint.
T1001.002,Steganography,Limited,"If custom attacker code were necessary to perform this technique, it would be prevented."
T1001.003,Protocol Impersonation,Limited,"If custom attacker code were necessary to perform this technique, it would be prevented."
T1003,OS Credential Dumping,Not Applicable,Relevant sub-techniques addressed below
T1003.001,LSASS Memory,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.002,Security Account Manager,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.003,NTDS,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.004,LSA Secrets,Limited,Built-in utilities exist to perform this technique.
#include <windows.h>
#include <ntstatus.h>
#include <winternl.h>
#include <stdio.h>
typedef struct __attribute__((packed))
{
ULONG ExtendedInfoClass;
ULONG ExtendedInfoClassResponse;
} MITIGATION_POLICY, *PMITIGATION_POLICY;