wdormann wdormann

## dangerous.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
"HighRiskFileTypes"=".appinstaller;.application;.appx;.appxbundle;.diagcab;.diagpkg;.diagcfg;.fluid;.fxb;.glb;.gltf;.library-ms;.loop;.msix;.partial;.perfmoncfg;.pko;.ply;.ppkg;.qds;.rat;.resmoncfg;.search-ms;.searchConnector-ms;.settingcontent-ms;.stl;.symlink;.theme;.themepack;.UDL;.url;.wab;.wbcat;.wcx;.website;.whiteboard;.xbap;.ZFSendToTarget;"

## diagcab_highrisk.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
"HighRiskFileTypes"=".diagcab"

## unregister-msdt.reg
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\ms-msdt]

## checkjndi.ps1
# This script is deprecated.
# See https://github.com/CERTCC/CVE-2021-44228_scanner for up-to-date scanners

## checkjndi.py
# This script is deprecated.
# See https://github.com/CERTCC/CVE-2021-44228_scanner for up-to-date scanners

## noappinstaller.reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\ms-appinstaller]
"URL Protocol"=-

## checksvc-lpe.py
import os
import subprocess
import ctypes

# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

svcinfo = {}
#nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'IU', 'LG']
FNULL = open(os.devnull, 'w')

## CVE-2021-21224.html
<script>
    function gc() {
        for (var i = 0; i < 0x80000; ++i) {
            var a = new ArrayBuffer();
        }
    }

let shellcode = [

// Move x18 to x28 (TEB)

## privtasks.ps1
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-Not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
  Write-Warning "We don't have elevated privileges. The following results may not be complete."
}
schtasks /query /fo csv -v | ConvertFrom-Csv | ? {$_.Status -notlike "Disabled" -and $_.TaskName -notlike "\Microsoft\Windows\*" -and $_.TaskName -notlike "\Microsoft\Office\*" -and $_.TaskName -notlike "\Microsoft\XblGameSave\*" -and $_.TaskName -notlike "TaskName" -and ($_."Run As User" -like "*system" -or  $_."Run As User" -like "Administrator*")} | fl taskname,"Comment","Task To Run","Run As User"

## privileged.ps1
$win10_builtin = @('AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service',
           'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense',
           'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService',
           'TrustedInstaller', 'UevAgentService', 'vds', 'VSS', 'wbengine', 'WinDefend', 'wmiApSrv',
           'WSearch', 'XboxNetApiSvc', 'XboxGipSvc', 'XblGameSave', 'XblAuthManager', 'WwanSvc', 'wuauserv',
           'WwanSvc', 'wuauserv', 'WpnService', 'WPDBusEnum', 'WpcMonSvc', 'WManSvc', 'wlidsvc', 'WlanSvc',
           'wisvc', 'Winmgmt', 'WiaRpc', 'WerSvc', 'wercplsupport', 'WdiSystemHost', 'WbioSrvc', 'WalletService',
           'WaaSMedicSvc', 'vmvss', 'vmicvss', 'vmicvmsession', 'vmicshutdown', 'vmicrdv', 'vmickvpexchange',
           'vmicheartbeat', 'vmicguestinterface', 'VaultSvc', 'UsoSvc', 'UserManager', 'UmRdpService',
           'TroubleshootingSvc', 'TrkWks', 'TokenBroker', 'Themes', 'TabletInputService',
	Windows Registry Editor Version 5.00

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
	"HighRiskFileTypes"=".appinstaller;.application;.appx;.appxbundle;.diagcab;.diagpkg;.diagcfg;.fluid;.fxb;.glb;.gltf;.library-ms;.loop;.msix;.partial;.perfmoncfg;.pko;.ply;.ppkg;.qds;.rat;.resmoncfg;.search-ms;.searchConnector-ms;.settingcontent-ms;.stl;.symlink;.theme;.themepack;.UDL;.url;.wab;.wbcat;.wcx;.website;.whiteboard;.xbap;.ZFSendToTarget;"
	Windows Registry Editor Version 5.00

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
	"HighRiskFileTypes"=".diagcab"
	Windows Registry Editor Version 5.00

	[-HKEY_CLASSES_ROOT\ms-msdt]
	# This script is deprecated.
	# See https://github.com/CERTCC/CVE-2021-44228_scanner for up-to-date scanners
	Windows Registry Editor Version 5.00

	[HKEY_CURRENT_USER\Software\Classes\ms-appinstaller]
	"URL Protocol"=-
	import os
	import subprocess
	import ctypes

	# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

	svcinfo = {}
	#nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
	nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'IU', 'LG']
	FNULL = open(os.devnull, 'w')
	<script>
	function gc() {
	for (var i = 0; i < 0x80000; ++i) {
	var a = new ArrayBuffer();
	}
	}

	let shellcode = [

	// Move x18 to x28 (TEB)
	$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
	if (-Not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
	Write-Warning "We don't have elevated privileges. The following results may not be complete."
	}
	schtasks /query /fo csv -v \| ConvertFrom-Csv \| ? {$_.Status -notlike "Disabled" -and $_.TaskName -notlike "\Microsoft\Windows\" -and $_.TaskName -notlike "\Microsoft\Office\" -and $_.TaskName -notlike "\Microsoft\XblGameSave\" -and $_.TaskName -notlike "TaskName" -and ($_."Run As User" -like "system" -or $_."Run As User" -like "Administrator*")} \| fl taskname,"Comment","Task To Run","Run As User"
	$win10_builtin = @('AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service',
	'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense',
	'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService',
	'TrustedInstaller', 'UevAgentService', 'vds', 'VSS', 'wbengine', 'WinDefend', 'wmiApSrv',
	'WSearch', 'XboxNetApiSvc', 'XboxGipSvc', 'XblGameSave', 'XblAuthManager', 'WwanSvc', 'wuauserv',
	'WwanSvc', 'wuauserv', 'WpnService', 'WPDBusEnum', 'WpcMonSvc', 'WManSvc', 'wlidsvc', 'WlanSvc',
	'wisvc', 'Winmgmt', 'WiaRpc', 'WerSvc', 'wercplsupport', 'WdiSystemHost', 'WbioSrvc', 'WalletService',
	'WaaSMedicSvc', 'vmvss', 'vmicvss', 'vmicvmsession', 'vmicshutdown', 'vmicrdv', 'vmickvpexchange',
	'vmicheartbeat', 'vmicguestinterface', 'VaultSvc', 'UsoSvc', 'UserManager', 'UmRdpService',
	'TroubleshootingSvc', 'TrkWks', 'TokenBroker', 'Themes', 'TabletInputService',