Skip to content

Instantly share code, notes, and snippets.

@wdormann
wdormann / privtasks.ps1
Last active Nov 15, 2020
List privileged scheduled tasks that don't come with Windows
View privtasks.ps1
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-Not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Write-Warning "We don't have elevated privileges. The following results may not be complete."
}
schtasks /query /fo csv -v | ConvertFrom-Csv | ? {$_.Status -notlike "Disabled" -and $_.TaskName -notlike "\Microsoft\Windows\*" -and $_.TaskName -notlike "\Microsoft\Office\*" -and $_.TaskName -notlike "\Microsoft\XblGameSave\*" -and $_.TaskName -notlike "TaskName" -and ($_."Run As User" -like "*system" -or $_."Run As User" -like "Administrator*")} | fl taskname,"Comment","Task To Run","Run As User"
@wdormann
wdormann / privileged.ps1
Last active Nov 23, 2020
List privileged services that don't come with Windows 10
View privileged.ps1
$win10_builtin = @('AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service',
'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense',
'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService',
'TrustedInstaller', 'UevAgentService', 'vds', 'VSS', 'wbengine', 'WinDefend', 'wmiApSrv',
'WSearch', 'XboxNetApiSvc', 'XboxGipSvc', 'XblGameSave', 'XblAuthManager', 'WwanSvc', 'wuauserv',
'WwanSvc', 'wuauserv', 'WpnService', 'WPDBusEnum', 'WpcMonSvc', 'WManSvc', 'wlidsvc', 'WlanSvc',
'wisvc', 'Winmgmt', 'WiaRpc', 'WerSvc', 'wercplsupport', 'WdiSystemHost', 'WbioSrvc', 'WalletService',
'WaaSMedicSvc', 'vmvss', 'vmicvss', 'vmicvmsession', 'vmicshutdown', 'vmicrdv', 'vmickvpexchange',
'vmicheartbeat', 'vmicguestinterface', 'VaultSvc', 'UsoSvc', 'UserManager', 'UmRdpService',
'TroubleshootingSvc', 'TrkWks', 'TokenBroker', 'Themes', 'TabletInputService',
@wdormann
wdormann / tasks.py
Last active Sep 2, 2020
List privileged scheduled tasks in Windows that don't come with Windows 10
View tasks.py
# Don't use this version!
# Try https://gist.github.com/wdormann/8afe4edf605627ee4f203861b6cc3a1c instead
#
# Utility for listing SYSTEM-privileged scheduled tasks on Windows
# Tasks that come with Windows 10 are not included.
# Admin privileges are required to list all scheduled tasks.
import csv
import subprocess
import tempfile
@wdormann
wdormann / privileged.py
Last active Oct 10, 2020
List privileged services that don't come with Windows 10 - deprecated
View privileged.py
# DON'T USE THIS VERSION!
# Try https://gist.github.com/wdormann/89ed779933fe205fb52ecf3eacf5ff40 instead
import os
import subprocess
# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
svcinfo = {}
FNULL = open(os.devnull, 'w')
@wdormann
wdormann / checkaslr.py
Last active Apr 20, 2020
Check for running processes on Windows that have components that do not utilize ASLR
View checkaslr.py
#!/usr/bin/env python
'''
Utility to check for processes running with non-ASLR-compatible components.
Run with Administrative privileges to get visibility into all processes.
(1a) psutil: https://pypi.org/project/psutil/
Installed via PIP
-OR-
(1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls
@wdormann
wdormann / gist:874198c1bd29c7dd2157d9fc1d858263
Last active Jun 21, 2020
List of Android apps that include libpl_droidsonroids_gif.so - potentially vulnerable to CVE-2019-11932. Sorted by install count.
View gist:874198c1bd29c7dd2157d9fc1d858263
This file has been truncated, but you can view the full file.
com.whatsapp 1000000000
com.lenovo.anyshare.gps 1000000000
com.instagram.android 1000000000
com.zhiliaoapp.musically 500000000
com.viber.voip 500000000
wp.wattpad 100000000
vStudio.Android.Camera360 100000000
vsin.t16_funny_photo 100000000
com.yahoo.mobile.client.android.mail 100000000
@wdormann
wdormann / disable_discimage.reg
Created Aug 29, 2019
Disable Windows Explorer file associations for Disc Image Mount (ISO, IMG, VHD, VHDX)
View disable_discimage.reg
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\.iso]
[-HKEY_CLASSES_ROOT\.img]
[-HKEY_CLASSES_ROOT\.vhdx]
[-HKEY_CLASSES_ROOT\.vhd]
@wdormann
wdormann / packet-tpkt.c.diff
Created Jun 21, 2019
Patch Wireshark 3.0.2 to hook TPKT dissector into TLS decryption
View packet-tpkt.c.diff
--- packet-tpkt.c.orig 2019-06-21 14:47:47.831026881 +0000
+++ packet-tpkt.c 2019-06-21 15:05:31.115056289 +0000
@@ -22,6 +22,7 @@
#include <epan/show_exception.h>
#include "packet-tpkt.h"
+#include "packet-tls.h"
void proto_register_tpkt(void);
void proto_reg_handoff_tpkt(void);
@@ -42,6 +43,7 @@
static gboolean tpkt_desegment = TRUE;
@wdormann
wdormann / gist:e15fbc671a0741b72264eca168a252e3
Created Mar 29, 2019
Vendor MACs targeted by ASUS attack
View gist:e15fbc671a0741b72264eca168a252e3
AMPAK Technology, Inc.
ASUSTek COMPUTER INC.
AzureWave Technology Inc.
BizLink (Kunshan) Co.,Ltd
Chicony Electronics Co., Ltd.
Digital Data Communications Asia Co.,Ltd
GOOD WAY IND. CO., LTD.
HUAWEI TECHNOLOGIES CO.,LTD
Hon Hai Precision Ind. Co.,Ltd.
Intel Corporate
@wdormann
wdormann / checksvc.py
Last active Nov 10, 2019
Check for insecure services on Windows
View checksvc.py
import os
import subprocess
import ctypes
# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
svcinfo = {}
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
FNULL = open(os.devnull, 'w')
You can’t perform that action at this time.