wdormann

## privtasks.ps1
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-Not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
  Write-Warning "We don't have elevated privileges. The following results may not be complete."
}
schtasks /query /fo csv -v | ConvertFrom-Csv | ? {$_.Status -notlike "Disabled" -and $_.TaskName -notlike "\Microsoft\Windows\*" -and $_.TaskName -notlike "\Microsoft\Office\*" -and $_.TaskName -notlike "\Microsoft\XblGameSave\*" -and $_.TaskName -notlike "TaskName" -and ($_."Run As User" -like "*system" -or  $_."Run As User" -like "Administrator*")} | fl taskname,"Comment","Task To Run","Run As User"

## privileged.ps1
$win10_builtin = @('AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service',
           'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense',
           'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService',
           'TrustedInstaller', 'UevAgentService', 'vds', 'VSS', 'wbengine', 'WinDefend', 'wmiApSrv',
           'WSearch', 'XboxNetApiSvc', 'XboxGipSvc', 'XblGameSave', 'XblAuthManager', 'WwanSvc', 'wuauserv',
           'WwanSvc', 'wuauserv', 'WpnService', 'WPDBusEnum', 'WpcMonSvc', 'WManSvc', 'wlidsvc', 'WlanSvc',
           'wisvc', 'Winmgmt', 'WiaRpc', 'WerSvc', 'wercplsupport', 'WdiSystemHost', 'WbioSrvc', 'WalletService',
           'WaaSMedicSvc', 'vmvss', 'vmicvss', 'vmicvmsession', 'vmicshutdown', 'vmicrdv', 'vmickvpexchange',
           'vmicheartbeat', 'vmicguestinterface', 'VaultSvc', 'UsoSvc', 'UserManager', 'UmRdpService',
           'TroubleshootingSvc', 'TrkWks', 'TokenBroker', 'Themes', 'TabletInputService',

## tasks.py
# Don't use this version!
# Try https://gist.github.com/wdormann/8afe4edf605627ee4f203861b6cc3a1c instead
#
# Utility for listing SYSTEM-privileged scheduled tasks on Windows
# Tasks that come with Windows 10 are not included.
# Admin privileges are required to list all scheduled tasks.

import csv
import subprocess
import tempfile

## privileged.py
# DON'T USE THIS VERSION!
# Try https://gist.github.com/wdormann/89ed779933fe205fb52ecf3eacf5ff40 instead

import os
import subprocess

# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

svcinfo = {}
FNULL = open(os.devnull, 'w')

## checkaslr.py
#!/usr/bin/env python

'''
Utility to check for processes running with non-ASLR-compatible components.
Run with Administrative privileges to get visibility into all processes.

(1a) psutil: https://pypi.org/project/psutil/
    Installed via PIP
-OR-
(1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls

## gist:874198c1bd29c7dd2157d9fc1d858263
com.whatsapp 1000000000
com.lenovo.anyshare.gps 1000000000
com.instagram.android 1000000000
com.zhiliaoapp.musically 500000000
com.viber.voip 500000000
wp.wattpad 100000000
vStudio.Android.Camera360 100000000
vsin.t16_funny_photo 100000000
com.yahoo.mobile.client.android.mail 100000000

## disable_discimage.reg
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\.iso]

[-HKEY_CLASSES_ROOT\.img]

[-HKEY_CLASSES_ROOT\.vhdx]

[-HKEY_CLASSES_ROOT\.vhd]

## packet-tpkt.c.diff
--- packet-tpkt.c.orig  2019-06-21 14:47:47.831026881 +0000
+++ packet-tpkt.c       2019-06-21 15:05:31.115056289 +0000
@@ -22,6 +22,7 @@
 #include <epan/show_exception.h>
 #include "packet-tpkt.h"
+#include "packet-tls.h"
 void proto_register_tpkt(void);
 void proto_reg_handoff_tpkt(void);
@@ -42,6 +43,7 @@
 static gboolean tpkt_desegment = TRUE;

## gist:e15fbc671a0741b72264eca168a252e3
AMPAK Technology, Inc.
ASUSTek COMPUTER INC.
AzureWave Technology Inc.
BizLink (Kunshan) Co.,Ltd
Chicony Electronics Co., Ltd.
Digital Data Communications Asia Co.,Ltd
GOOD WAY IND. CO., LTD.
HUAWEI TECHNOLOGIES CO.,LTD
Hon Hai Precision Ind. Co.,Ltd.
Intel Corporate

## checksvc.py
import os
import subprocess
import ctypes

# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

svcinfo = {}
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
FNULL = open(os.devnull, 'w')
	$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
	if (-Not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
	Write-Warning "We don't have elevated privileges. The following results may not be complete."
	}
	schtasks /query /fo csv -v \| ConvertFrom-Csv \| ? {$_.Status -notlike "Disabled" -and $_.TaskName -notlike "\Microsoft\Windows\" -and $_.TaskName -notlike "\Microsoft\Office\" -and $_.TaskName -notlike "\Microsoft\XblGameSave\" -and $_.TaskName -notlike "TaskName" -and ($_."Run As User" -like "system" -or $_."Run As User" -like "Administrator*")} \| fl taskname,"Comment","Task To Run","Run As User"
	$win10_builtin = @('AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service',
	'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense',
	'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService',
	'TrustedInstaller', 'UevAgentService', 'vds', 'VSS', 'wbengine', 'WinDefend', 'wmiApSrv',
	'WSearch', 'XboxNetApiSvc', 'XboxGipSvc', 'XblGameSave', 'XblAuthManager', 'WwanSvc', 'wuauserv',
	'WwanSvc', 'wuauserv', 'WpnService', 'WPDBusEnum', 'WpcMonSvc', 'WManSvc', 'wlidsvc', 'WlanSvc',
	'wisvc', 'Winmgmt', 'WiaRpc', 'WerSvc', 'wercplsupport', 'WdiSystemHost', 'WbioSrvc', 'WalletService',
	'WaaSMedicSvc', 'vmvss', 'vmicvss', 'vmicvmsession', 'vmicshutdown', 'vmicrdv', 'vmickvpexchange',
	'vmicheartbeat', 'vmicguestinterface', 'VaultSvc', 'UsoSvc', 'UserManager', 'UmRdpService',
	'TroubleshootingSvc', 'TrkWks', 'TokenBroker', 'Themes', 'TabletInputService',
	# Don't use this version!
	# Try https://gist.github.com/wdormann/8afe4edf605627ee4f203861b6cc3a1c instead
	#
	# Utility for listing SYSTEM-privileged scheduled tasks on Windows
	# Tasks that come with Windows 10 are not included.
	# Admin privileges are required to list all scheduled tasks.

	import csv
	import subprocess
	import tempfile
	# DON'T USE THIS VERSION!
	# Try https://gist.github.com/wdormann/89ed779933fe205fb52ecf3eacf5ff40 instead

	import os
	import subprocess

	# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

	svcinfo = {}
	FNULL = open(os.devnull, 'w')
	#!/usr/bin/env python

	'''
	Utility to check for processes running with non-ASLR-compatible components.
	Run with Administrative privileges to get visibility into all processes.

	(1a) psutil: https://pypi.org/project/psutil/
	Installed via PIP
	-OR-
	(1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls
	com.whatsapp 1000000000
	com.lenovo.anyshare.gps 1000000000
	com.instagram.android 1000000000
	com.zhiliaoapp.musically 500000000
	com.viber.voip 500000000
	wp.wattpad 100000000
	vStudio.Android.Camera360 100000000
	vsin.t16_funny_photo 100000000
	com.yahoo.mobile.client.android.mail 100000000
	Windows Registry Editor Version 5.00

	[-HKEY_CLASSES_ROOT\.iso]

	[-HKEY_CLASSES_ROOT\.img]

	[-HKEY_CLASSES_ROOT\.vhdx]

	[-HKEY_CLASSES_ROOT\.vhd]
	--- packet-tpkt.c.orig 2019-06-21 14:47:47.831026881 +0000
	+++ packet-tpkt.c 2019-06-21 15:05:31.115056289 +0000
	@@ -22,6 +22,7 @@
	#include <epan/show_exception.h>
	#include "packet-tpkt.h"
	+#include "packet-tls.h"
	void proto_register_tpkt(void);
	void proto_reg_handoff_tpkt(void);
	@@ -42,6 +43,7 @@
	static gboolean tpkt_desegment = TRUE;
	AMPAK Technology, Inc.
	ASUSTek COMPUTER INC.
	AzureWave Technology Inc.
	BizLink (Kunshan) Co.,Ltd
	Chicony Electronics Co., Ltd.
	Digital Data Communications Asia Co.,Ltd
	GOOD WAY IND. CO., LTD.
	HUAWEI TECHNOLOGIES CO.,LTD
	Hon Hai Precision Ind. Co.,Ltd.
	Intel Corporate
	import os
	import subprocess
	import ctypes

	# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

	svcinfo = {}
	nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
	FNULL = open(os.devnull, 'w')