wdormann wdormann
wdormann
/ drivers_hvci_on_latest.log
Created
May 30, 2023 17:06
Log of attempt to load 554 x86-64 drivers from LOLDrivers on an HVCI-enabled Win11 22H2 system with a May 24, 2023 MS drivers block list
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin | |
| [SC] StartService FAILED 87: | |
| The parameter is incorrect. | |
| sc start 0067c788e1cb174f008c325ebde56c22.bin | |
| [SC] StartService FAILED 4551: | |
| Your organization used Device Guard to block this app. Contact your support person for more info. |
wdormann
/ drivers_hvci_on.log
Created
May 30, 2023 16:54
Log of attempt to load 554 x86-64 drivers from LOLDrivers on an HVCI-enabled Win11 22H2 system with an October 31, 2022 driversipolicy.p7b
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin | |
| [SC] StartService FAILED 87: | |
| The parameter is incorrect. | |
| sc start 0067c788e1cb174f008c325ebde56c22.bin | |
| [SC] StartService FAILED 2148204812: | |
| A certificate was explicitly revoked by its issuer. |
wdormann
/ drivers_latest.log
Last active
May 24, 2023 15:01
Log of attempt to load 554 x86-64 drivers from LOLDrivers on a Win11 22H2 system with a May 24, 2023 MS drivers block list
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin | |
| [SC] StartService FAILED 577: | |
| Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. | |
| sc start 0067c788e1cb174f008c325ebde56c22.bin | |
| [SC] StartService FAILED 4551: | |
| Your organization used Device Guard to block this app. Contact your support person for more info. |
wdormann
/ drivers.log
Created
May 24, 2023 12:35
Log of attempt to load 554 x86-64 drivers from LOLDrivers on a Win11 22H2 system with an October 31, 2022 driversipolicy.p7b
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin | |
| [SC] StartService FAILED 577: | |
| Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. | |
| sc start 0067c788e1cb174f008c325ebde56c22.bin | |
| [SC] StartService FAILED 2148204812: | |
| A certificate was explicitly revoked by its issuer. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| using Aspose.Email; | |
| namespace msgtotnef | |
| { | |
| class Program |
wdormann
/ mandiant.xml
Last active
March 9, 2023 20:46
WDAC blocking policy for Mandiant-mentioned BYOVD drivers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:Audit Mode</Option> |
wdormann
/ rewrite.py
Created
March 9, 2023 17:43
mitmproxy rewrite rule to allow user to use personal login for Microsoft as opposed to org-controlled oauth
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##################################################### | |
| ## Content rewriting script for mitmproxy 4 | |
| ## Other versions of mitmproxy may not be compatible | |
| ##################################################### | |
| # | |
| # BEGIN LICENSE # | |
| # | |
| # CERT Tapioca | |
| # | |
| # Copyright 2018 Carnegie Mellon University. All Rights Reserved. |
wdormann
/ blockeddrivers-vt-annotated.xml
Last active
May 27, 2023 06:56
Microsoft recommended driver block rules, but annotated with samples that are present in VirusTotal
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <ns0:SiPolicy xmlns:ns0="urn:schemas-microsoft-com:sipolicy"> | |
| <ns0:VersionEx>10.0.25310.0</ns0:VersionEx> | |
| <ns0:PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</ns0:PlatformID> | |
| <ns0:Rules> | |
| <ns0:Rule> | |
| <ns0:Option>Enabled:Unsigned System Integrity Policy</ns0:Option> | |
| </ns0:Rule> | |
| <ns0:Rule> | |
| <ns0:Option>Enabled:Advanced Boot Options Menu</ns0:Option> | |
| </ns0:Rule> |
wdormann
/ suspendvms.ps1
Created
November 28, 2022 14:15
Suspend running VMs, for use in Windows shutdown script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @(& "C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" list | Select-String -Pattern ".vmx") | %{&"C:\Program Files (x86)\VMware\VMware Workstation\vmrun" suspend $_} |
wdormann
/ gist:f9552721166aaf2234b62e56f92a023f
Created
November 5, 2022 12:59
Turn off SmartScreen to avoid Windows 11 22H2 lack of prompting/scanning when opening files directly from ZIPs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer] | |
| "SmartScreenEnabled"="Off" |
NewerOlder