View checksvc.py
| import os | |
| import subprocess | |
| import ctypes | |
| # See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/ | |
| svcinfo = {} | |
| nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG'] | |
| FNULL = open(os.devnull, 'w') |
wdormann
/ checkaslr.py
Last active Dec 1, 2018
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
View checkaslr.py
| '''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE, | |
| but do not have a relocation table to allow ASLR to function. | |
| usage: checkaslr.py <dir> | |
| ex: checkaslr.py "C:\Program Files\" | |
| requires: pefile <https://github.com/erocarrera/pefile>, which should be | |
| installable via: pip install pefile | |
| ''' |
wdormann
/ flash_killbit.reg
Last active Aug 4, 2018
Disable Flash ActiveX in all Windows versions (including 10)
View flash_killbit.reg
| Windows Registry Editor Version 5.00 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}] | |
| "Compatibility Flags"=dword:00000400 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}] | |
| "Compatibility Flags"=dword:00000400 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}] | |
| "Compatibility Flags"=dword:00000400 |
wdormann
/ acltest.ps1
Created May 1, 2018
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
View acltest.ps1
| If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
| Write-Warning "This script will not function with administrative privileges. Please run as a normal user." | |
| Break | |
| } | |
| $outfile = "acltestfile" | |
| set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";") | |
| Foreach ($path in $paths) { | |
| # This prints a table of ACLs | |
| # get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
wdormann
/ disable_win10_foistware.reg
Created Jan 2, 2018
Attempt at disabling Windows 10 automatic installation of 3rd-party foistware
View disable_win10_foistware.reg
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy] | |
| "Disabled"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager] | |
| "SubscribedContent-338388Enabled"=dword:00000000 | |
wdormann
/ win10_applocker_no_foistware.xml
Created Dec 31, 2017
Prevent automatic installation of foistware on Windows 10 versions using AppLocker
View win10_applocker_no_foistware.xml
| <AppLockerPolicy Version="1"> | |
| <RuleCollection Type="Appx" EnforcementMode="Enabled"> | |
| <FilePublisherRule Id="a1baec9b-3250-44fe-865d-41c9397dcfcd" Name="Microsoft.Windows.ContentDeliveryManager, from Microsoft Corporation" Description="Block foistware?" UserOrGroupSid="S-1-1-0" Action="Deny"> | |
| <Conditions> | |
| <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ContentDeliveryManager" BinaryName="*"> | |
| <BinaryVersionRange LowSection="*" HighSection="*" /> | |
| </FilePublisherCondition> | |
| </Conditions> | |
| </FilePublisherRule> | |
| </RuleCollection> |
wdormann
/ enable_bottom-up_ASLR.reg
Created Nov 16, 2017
Enable both Mandatory ASLR *and* Bottom-up ASLR system-wide
View enable_bottom-up_ASLR.reg
| Windows Registry Editor Version 5.00 | |
| [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel] | |
| "MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00 | |
wdormann
/ EG_popular.xml
Created Oct 20, 2017
EG profile converted from EMET, which causes Win10 BSOD
View EG_popular.xml
| <?xml version="1.0" encoding="UTF-8"?> | |
| <MitigationPolicy> | |
| <SystemConfig> | |
| <DEP Enable="true" EmulateAtlThunks="false" /> | |
| <ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="true" HighEntropy="false" /> | |
| <StrictHandle Enable="false" /> | |
| <SystemCalls DisableWin32kSystemCalls="false" Audit="false" /> | |
| <ExtensionPoints DisableExtensionPoints="false" /> | |
| <DynamicCode BlockDynamicCode="false" AllowThreadsToOptOut="false" Audit="false" /> | |
| <ControlFlowGuard Enable="false" SuppressExports="false" StrictControlFlowGuard="false" /> |
wdormann
/ gist:c11750585c5c0eda2b09438ca30271ab
Created Oct 20, 2017
Win10 BSOD after importing EMET profile
View gist:c11750585c5c0eda2b09438ca30271ab
| Microsoft (R) Windows Debugger Version 10.0.17016.1000 AMD64 | |
| Copyright (c) Microsoft Corporation. All rights reserved. | |
| Loading Dump File [C:\Users\test\Documents\MEMORY.DMP] | |
| Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available. | |
| Symbol search path is: srv* | |
| Executable search path is: |
wdormann
/ disable_ddeauto.reg
Last active Sep 13, 2018
Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
View disable_ddeauto.reg
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 |