wdormann

## disable_discimage.reg
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\.iso]

[-HKEY_CLASSES_ROOT\.img]

[-HKEY_CLASSES_ROOT\.vhdx]

[-HKEY_CLASSES_ROOT\.vhd]

## packet-tpkt.c.diff
--- packet-tpkt.c.orig  2019-06-21 14:47:47.831026881 +0000
+++ packet-tpkt.c       2019-06-21 15:05:31.115056289 +0000
@@ -22,6 +22,7 @@
 #include <epan/show_exception.h>
 #include "packet-tpkt.h"
+#include "packet-tls.h"
 void proto_register_tpkt(void);
 void proto_reg_handoff_tpkt(void);
@@ -42,6 +43,7 @@
 static gboolean tpkt_desegment = TRUE;

## gist:e15fbc671a0741b72264eca168a252e3
AMPAK Technology, Inc.
ASUSTek COMPUTER INC.
AzureWave Technology Inc.
BizLink (Kunshan) Co.,Ltd
Chicony Electronics Co., Ltd.
Digital Data Communications Asia Co.,Ltd
GOOD WAY IND. CO., LTD.
HUAWEI TECHNOLOGIES CO.,LTD
Hon Hai Precision Ind. Co.,Ltd.
Intel Corporate

## checksvc.py
import os
import subprocess
import ctypes

# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

svcinfo = {}
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
FNULL = open(os.devnull, 'w')

## checkaslr.py
'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.

usage: checkaslr.py <dir>
ex: checkaslr.py "C:\Program Files\"

requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''

## flash_killbit.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

## acltest.ps1
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
    Break
}

$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
    # This prints a table of ACLs
    # get-acl $path | %{ $_.Access  } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights

## disable_win10_foistware.reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy]
"Disabled"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
"SubscribedContent-338388Enabled"=dword:00000000


## win10_applocker_no_foistware.xml
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="a1baec9b-3250-44fe-865d-41c9397dcfcd" Name="Microsoft.Windows.ContentDeliveryManager, from Microsoft Corporation" Description="Block foistware?" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ContentDeliveryManager" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>

## enable_bottom-up_ASLR.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00