Skip to content

Instantly share code, notes, and snippets.

@wdormann
wdormann / gist:e15fbc671a0741b72264eca168a252e3
Created Mar 29, 2019
Vendor MACs targeted by ASUS attack
View gist:e15fbc671a0741b72264eca168a252e3
AMPAK Technology, Inc.
ASUSTek COMPUTER INC.
AzureWave Technology Inc.
BizLink (Kunshan) Co.,Ltd
Chicony Electronics Co., Ltd.
Digital Data Communications Asia Co.,Ltd
GOOD WAY IND. CO., LTD.
HUAWEI TECHNOLOGIES CO.,LTD
Hon Hai Precision Ind. Co.,Ltd.
Intel Corporate
@wdormann
wdormann / checksvc.py
Last active Jan 22, 2019
Check for insecure services on Windows
View checksvc.py
import os
import subprocess
import ctypes
# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
svcinfo = {}
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
FNULL = open(os.devnull, 'w')
@wdormann
wdormann / checkaslr.py
Last active Mar 23, 2019
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
View checkaslr.py
'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: checkaslr.py <dir>
ex: checkaslr.py "C:\Program Files\"
requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''
@wdormann
wdormann / flash_killbit.reg
Last active Aug 4, 2018
Disable Flash ActiveX in all Windows versions (including 10)
View flash_killbit.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
@wdormann
wdormann / acltest.ps1
Created May 1, 2018
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
View acltest.ps1
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
Break
}
$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
# This prints a table of ACLs
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights
@wdormann
wdormann / disable_win10_foistware.reg
Created Jan 2, 2018
Attempt at disabling Windows 10 automatic installation of 3rd-party foistware
View disable_win10_foistware.reg
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy]
"Disabled"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
"SubscribedContent-338388Enabled"=dword:00000000
@wdormann
wdormann / win10_applocker_no_foistware.xml
Created Dec 31, 2017
Prevent automatic installation of foistware on Windows 10 versions using AppLocker
View win10_applocker_no_foistware.xml
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<FilePublisherRule Id="a1baec9b-3250-44fe-865d-41c9397dcfcd" Name="Microsoft.Windows.ContentDeliveryManager, from Microsoft Corporation" Description="Block foistware?" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ContentDeliveryManager" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
@wdormann
wdormann / enable_bottom-up_ASLR.reg
Created Nov 16, 2017
Enable both Mandatory ASLR *and* Bottom-up ASLR system-wide
View enable_bottom-up_ASLR.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00
@wdormann
wdormann / EG_popular.xml
Created Oct 20, 2017
EG profile converted from EMET, which causes Win10 BSOD
View EG_popular.xml
@wdormann
wdormann / gist:c11750585c5c0eda2b09438ca30271ab
Created Oct 20, 2017
Win10 BSOD after importing EMET profile
View gist:c11750585c5c0eda2b09438ca30271ab
Microsoft (R) Windows Debugger Version 10.0.17016.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\test\Documents\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
You can’t perform that action at this time.