wdormann wdormann
wdormann
/ privileged.ps1
Last active
May 9, 2024 17:42
List privileged services that don't come with Windows 10 VMware guest
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $win10_builtin = @('AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service', | |
| 'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense', | |
| 'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService', | |
| 'TrustedInstaller', 'UevAgentService', 'vds', 'VSS', 'wbengine', 'WinDefend', 'wmiApSrv', | |
| 'WSearch', 'XboxNetApiSvc', 'XboxGipSvc', 'XblGameSave', 'XblAuthManager', 'WwanSvc', 'wuauserv', | |
| 'WwanSvc', 'wuauserv', 'WpnService', 'WPDBusEnum', 'WpcMonSvc', 'WManSvc', 'wlidsvc', 'WlanSvc', | |
| 'wisvc', 'Winmgmt', 'WiaRpc', 'WerSvc', 'wercplsupport', 'WdiSystemHost', 'WbioSrvc', 'WalletService', | |
| 'WaaSMedicSvc', 'vmvss', 'vmicvss', 'vmicvmsession', 'vmicshutdown', 'vmicrdv', 'vmickvpexchange', | |
| 'vmicheartbeat', 'vmicguestinterface', 'VaultSvc', 'UsoSvc', 'UserManager', 'UmRdpService', | |
| 'TroubleshootingSvc', 'TrkWks', 'TokenBroker', 'Themes', 'TabletInputService', |
wdormann
/ disable_ddeauto.reg
Last active
May 8, 2024 07:50
Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 |
wdormann
/ acltest.ps1
Created
May 1, 2018 15:20
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
| Write-Warning "This script will not function with administrative privileges. Please run as a normal user." | |
| Break | |
| } | |
| $outfile = "acltestfile" | |
| set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";") | |
| Foreach ($path in $paths) { | |
| # This prints a table of ACLs | |
| # get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
wdormann
/ privtasks.ps1
Last active
August 15, 2023 15:15
List privileged scheduled tasks that don't come with Windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()) | |
| if (-Not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { | |
| Write-Warning "We don't have elevated privileges. The following results may not be complete." | |
| } | |
| schtasks /query /fo csv -v | ConvertFrom-Csv | ? {$_.Status -notlike "Disabled" -and $_.TaskName -notlike "\Microsoft\Windows\*" -and $_.TaskName -notlike "\Microsoft\Office\*" -and $_.TaskName -notlike "\Microsoft\XblGameSave\*" -and $_.TaskName -notlike "TaskName" -and ($_."Run As User" -like "*system" -or $_."Run As User" -like "Administrator*")} | fl taskname,"Comment","Task To Run","Run As User" |
wdormann
/ disable_discimage.reg
Last active
July 28, 2023 01:45
Disable Windows Explorer file associations for Disc Image Mount (ISO, IMG, VHD, VHDX)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [-HKEY_CLASSES_ROOT\.iso] | |
| [-HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount\command] | |
| [-HKEY_CLASSES_ROOT\.img] | |
| [-HKEY_CLASSES_ROOT\.vhdx] |
wdormann
/ drivers_hvci_on_latest.log
Created
May 30, 2023 17:06
Log of attempt to load 554 x86-64 drivers from LOLDrivers on an HVCI-enabled Win11 22H2 system with a May 24, 2023 MS drivers block list
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin | |
| [SC] StartService FAILED 87: | |
| The parameter is incorrect. | |
| sc start 0067c788e1cb174f008c325ebde56c22.bin | |
| [SC] StartService FAILED 4551: | |
| Your organization used Device Guard to block this app. Contact your support person for more info. |
wdormann
/ drivers_hvci_on.log
Created
May 30, 2023 16:54
Log of attempt to load 554 x86-64 drivers from LOLDrivers on an HVCI-enabled Win11 22H2 system with an October 31, 2022 driversipolicy.p7b
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin | |
| [SC] StartService FAILED 87: | |
| The parameter is incorrect. | |
| sc start 0067c788e1cb174f008c325ebde56c22.bin | |
| [SC] StartService FAILED 2148204812: | |
| A certificate was explicitly revoked by its issuer. |
wdormann
/ blockeddrivers-vt-annotated.xml
Last active
May 27, 2023 06:56
Microsoft recommended driver block rules, but annotated with samples that are present in VirusTotal
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <ns0:SiPolicy xmlns:ns0="urn:schemas-microsoft-com:sipolicy"> | |
| <ns0:VersionEx>10.0.25310.0</ns0:VersionEx> | |
| <ns0:PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</ns0:PlatformID> | |
| <ns0:Rules> | |
| <ns0:Rule> | |
| <ns0:Option>Enabled:Unsigned System Integrity Policy</ns0:Option> | |
| </ns0:Rule> | |
| <ns0:Rule> | |
| <ns0:Option>Enabled:Advanced Boot Options Menu</ns0:Option> | |
| </ns0:Rule> |
wdormann
/ drivers_latest.log
Last active
May 24, 2023 15:01
Log of attempt to load 554 x86-64 drivers from LOLDrivers on a Win11 22H2 system with a May 24, 2023 MS drivers block list
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin | |
| [SC] StartService FAILED 577: | |
| Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. | |
| sc start 0067c788e1cb174f008c325ebde56c22.bin | |
| [SC] StartService FAILED 4551: | |
| Your organization used Device Guard to block this app. Contact your support person for more info. |
wdormann
/ drivers.log
Created
May 24, 2023 12:35
Log of attempt to load 554 x86-64 drivers from LOLDrivers on a Win11 22H2 system with an October 31, 2022 driversipolicy.p7b
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sc start 0023ca0ca16a62d93ef51f3df98b2f94.bin | |
| [SC] StartService FAILED 577: | |
| Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. | |
| sc start 0067c788e1cb174f008c325ebde56c22.bin | |
| [SC] StartService FAILED 2148204812: | |
| A certificate was explicitly revoked by its issuer. |
NewerOlder