import os | |
import subprocess | |
import ctypes | |
# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/ | |
# Per-service findings collected by the checks that follow (presumably keyed
# by service name; the rest of the file is not shown here).
svcinfo = dict()
# SDDL well-known SID abbreviations for principals that are NOT administrators:
# AU Authenticated Users, AN Anonymous, BG Builtin Guests, BU Builtin Users,
# DG Domain Guests, WD Everyone (World), IU Interactive Users, LG Local Guest.
# A service ACE that grants one of these principals configuration or control
# rights is what a permissions scan like this should flag.
nonadmin = "AU AN BG BU DG WD IU LG".split()
# Write-only sink for subprocess output that is not needed. It is left open for
# the lifetime of the script; this snippet never closes it.
FNULL = open(os.devnull, mode="w")
'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE
but do not have a relocation table, so ASLR cannot actually relocate them.
usage: checkaslr.py <dir>
ex: checkaslr.py "C:\Program Files\"
requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''
Windows Registry Editor Version 5.00
; Sets the ActiveX "kill bit" for the control with CLSID
; {D27CDB6E-AE6D-11cf-96B8-444553540000}, so Internet Explorer and the legacy
; (EdgeHTML) Microsoft Edge refuse to instantiate it. The file name indicates
; this CLSID is the Adobe Flash Player control.
; "Compatibility Flags" is a bitmask and 0x00000400 is FLAG_KILL_BIT. Writing
; the DWORD replaces whatever flags were already set for this CLSID instead of
; OR-ing into them, so check the existing value first if other flags matter.
; Requires administrative rights (all three keys are under HKLM).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
; Native registry view: 64-bit Internet Explorer on x64, or all of IE on 32-bit Windows.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
; Wow6432Node: the view read by 32-bit Internet Explorer on 64-bit Windows.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
# The ACL probe only makes sense from an unprivileged token: an administrator
# can write to almost every PATH entry, so the results would be meaningless.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = [Security.Principal.WindowsPrincipal] $currentIdentity
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
If ($currentPrincipal.IsInRole($adminRole)) {
    Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
    # Stops execution here (assumes this runs at script scope, not inside a caller's loop).
    Break
}
# Presumably the name of the probe file written into each PATH directory further down.
$outfile = "acltestfile"
# Read the machine-wide PATH from the registry rather than $env:PATH, so that
# per-user additions do not hide which system directories are being tested.
$envKey = 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment'
$paths = (Get-ItemProperty -Path $envKey -Name PATH).path.Split(";")
Foreach ($path in $paths) { | |
# This prints a table of ACLs | |
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
Windows Registry Editor Version 5.00
; Per-user (HKCU) settings that curb Windows 10's Content Delivery Manager, the
; component that pushes "suggested" apps and content into a profile. Because
; these live under HKCU they must be applied in every user profile concerned;
; no machine-wide (HKLM) equivalent is set here.
; Deny the ContentDeliveryManager package background execution.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy]
"Disabled"=dword:00000001
; 0 = opt out of this one subscribed-content feed. NOTE(review): the numeric
; feed id is not self-describing; confirm which suggestion channel 338388
; controls. Other SubscribedContent-* feeds keep their defaults.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
"SubscribedContent-338388Enabled"=dword:00000000
<AppLockerPolicy Version="1"> | |
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<!-- Deny rule for the Microsoft.Windows.ContentDeliveryManager packaged app
     (the Windows 10 component that installs "suggested" apps), matched by
     publisher certificate subject and product name, for any binary and any
     version. UserOrGroupSid S-1-1-0 is the well-known SID for Everyone, so the
     rule applies to every user. -->
<!-- NOTE(review): AppLocker treats a rule collection that contains any rule as
     default-deny: with EnforcementMode="Enabled", a packaged app that no Allow
     rule matches is blocked. If this Deny rule is the only rule in the Appx
     collection, add an Allow rule (e.g. the default "all signed packaged apps"
     rule) or every other packaged app is blocked as well. Confirm in audit
     mode before enforcing. -->
<FilePublisherRule Id="a1baec9b-3250-44fe-865d-41c9397dcfcd" Name="Microsoft.Windows.ContentDeliveryManager, from Microsoft Corporation" Description="Block foistware?" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ContentDeliveryManager" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
Windows Registry Editor Version 5.00
; System-wide process mitigation defaults. The file name indicates this byte
; pattern turns on bottom-up ASLR for every process; the binary layout of
; MitigationOptions is not self-describing, so confirm the intended bits against
; an Exploit Protection export (Get-ProcessMitigation) before deploying.
; NOTE(review): this REG_BINARY write replaces the whole 16-byte value, so any
; mitigation defaults already configured on the machine are overwritten rather
; than merged. Takes effect for processes started after the change (a reboot is
; the safe assumption).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00
<?xml version="1.0" encoding="UTF-8"?> | |
<MitigationPolicy> | |
<SystemConfig> | |
<!-- System-wide Exploit Protection defaults (the file name suggests an
     Exploit Guard import/export). Each element sets one mitigation's
     machine-wide default; Audit="false" where present means enforce rather
     than only log. -->
<DEP Enable="true" EmulateAtlThunks="false" />
<!-- Bottom-up ASLR on, but mandatory ASLR (ForceRelocateImages) and high-entropy
     ASLR stay off, so images built without /DYNAMICBASE presumably keep their
     fixed load address. Looks like a compatibility trade-off; confirm. -->
<ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="true" HighEntropy="false" />
<StrictHandle Enable="false" />
<SystemCalls DisableWin32kSystemCalls="false" Audit="false" />
<ExtensionPoints DisableExtensionPoints="false" />
<DynamicCode BlockDynamicCode="false" AllowThreadsToOptOut="false" Audit="false" />
<!-- Remaining mitigations are left at "not forced"; this file section
     continues past the lines shown here. -->
<ControlFlowGuard Enable="false" SuppressExports="false" StrictControlFlowGuard="false" />
Microsoft (R) Windows Debugger Version 10.0.17016.1000 AMD64 | |
Copyright (c) Microsoft Corporation. All rights reserved. | |
Loading Dump File [C:\Users\test\Documents\MEMORY.DMP] | |
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available. | |
Symbol search path is: srv* | |
Executable search path is: |
Windows Registry Editor Version 5.00
; Per-user Word setting that stops linked content, including DDE fields, from
; being updated automatically when a document is opened; this is the mitigation
; for DDE-based code execution from untrusted documents. Users may still be able
; to update links manually (confirm for the Office build in use). Because the
; keys are under HKCU, apply them in every user profile that opens documents.
; Only Word is covered here; other Office applications that evaluate DDE are
; not changed by this file.
; Office 16.0: Word 2016 and later.
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
; Office 15.0: Word 2013.
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001
; Office 14.0: Word 2010.
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001