sasqwatch
/ disable_multicast.cmd
Created
October 19, 2023 19:04
— forked from 1ijack/disable_multicast.cmd
change DNSClient/LLMNR behavior [enable/disable/restoreDefault] using windows registry. Restart maybe required for the settings to take effect.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| :: by JaCk (script struture/functions only) | Release 09/04/2018 | url https://gist.github.com/1ijack/bd5ed0da9bcaebb2a14e3698cefe7a49 | disable_multicast.cmd -- change DNSClient/LLMNR behavior [enable/disable/restoreDefault] using windows registry. Restart maybe required for the settings to take effect. | |
| :: Original source -- https://computerstepbystep.com/turn-off-multicast-name-resolution.html#CMD | |
| @goto:argParser | |
| rem - JaCkd Note: this seems backwards, but per site instructions: Enable = 0; Disable = 1 | |
| rem ~ Posted on [unknown] at url [https://computerstepbystep.com/turn-off-multicast-name-resolution.html#PowerShellScript] | |
| rem *Description*: Local Link Multicast Name Resolution (LLMNR) is a secondary name resolution protocol. Queries are sent over the Local Link, a single subnet, from a client machine using Multicast to which another client on the same link, which also has LLMNR enabled, can respond. LLMNR provides name resolution in scenarios in which conventional DNS name resolution is not p |
sasqwatch
/ PrintNightmareValidation.ps1
Created
October 17, 2023 20:41
— forked from mdjx/PrintNightmareValidation.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function PNValidate { | |
| $Results = [PSCustomObject]@{ | |
| Spooler = $null | |
| PatchInstalled = $false | |
| RestrictDriverInstallationToAdministrators = $null | |
| NoWarningNoElevationOnInstall = $null | |
| UpdatePromptSettings = $null | |
| Exploitable = $true | |
| Explanation = $null | |
| } |
sasqwatch
/ Cleanup-ClickOnce.ps1
Created
June 28, 2023 04:57
— forked from mgeeky/Cleanup-ClickOnce.ps1
Cleanup-ClickOnce.ps1 - Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. Attempts to remove both installed and online-only deployments.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. | |
| # Attempts to remove both installed and online-only deployments. | |
| # | |
| # Authored: Mariusz Banach / mgeeky, <mb [at] binary-offensive.com> | |
| # | |
| # Usage: | |
| # PS> . .\Cleanup-ClickOnce.ps1 | |
| # PS> Cleanup-ClickOnce -Name MyAppName | |
| # |
sasqwatch
/ check_vulnerabledrivers.ps1
Created
May 22, 2023 21:56
— forked from api0cradle/check_vulnerabledrivers.ps1
A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list | |
| # Author: Oddvar Moe - @oddvar.moe | |
| $drivers = get-childitem -Path c:\windows\system32\drivers | |
| $web_client = new-object system.net.webclient | |
| $loldrivers = $web_client.DownloadString(" https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json | |
| Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count) | |
| foreach ($lol in $loldrivers.KnownVulnerableSamples) | |
| { |
sasqwatch
/ Example_WMI_Detection_EventLogAlert.ps1
Created
September 21, 2022 23:09
An example of how to use permanent WMI event subscriptions to log a malicious action to the event log
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Define the signature - i.e. __EventFilter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'LateralMovementEvent' | |
| Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $InstanceArgs = @{ | |
| Namespace = 'root/subscription' |
sasqwatch
/ gist:54697d99f9496e6d37e922fad44bcbe8
Created
September 21, 2022 23:09
MSBuild Property Functions - Load RWX Memory Mapped File
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" > | |
| <Target Name="Hello" > | |
| <!-- Call ANY .NET API --> | |
| <!-- | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause | |
sasqwatch
/ MITRE_Attack_WindowsAppControl.csv
Created
August 29, 2022 20:53
— forked from mgraeber-rc/MITRE_Attack_WindowsAppControl.csv
Windows-specific MITRE ATT&CK techniques application control prevention assessment. This is a first attempt to assess the extent to which application control solutions would mitigate/prevent attack techniques. Note: this highly subjective assessment assumes a system that enforces an application control solution that at a minimum allows all Windo…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ID | Name | MitigatedByAppControl | Notes | |
|---|---|---|---|---|
| T1001 | Data Obfuscation | Not Applicable | Relevant sub-techniques addressed below | |
| T1001.001 | Junk Data | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
| T1001.002 | Steganography | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. | |
| T1001.003 | Protocol Impersonation | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. | |
| T1003 | OS Credential Dumping | Not Applicable | Relevant sub-techniques addressed below | |
| T1003.001 | LSASS Memory | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
| T1003.002 | Security Account Manager | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
| T1003.003 | NTDS | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
| T1003.004 | LSA Secrets | Limited | Built-in utilities exist to perform this technique. |
sasqwatch
/ QueryCfgNt.c
Created
February 1, 2021 20:04
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <ntstatus.h> | |
| #include <winternl.h> | |
| #include <stdio.h> | |
| typedef struct __attribute__((packed)) | |
| { | |
| ULONG ExtendedInfoClass; | |
| ULONG ExtendedInfoClassResponse; | |
| } MITIGATION_POLICY, *PMITIGATION_POLICY; |
sasqwatch
/ seatbelt_registry_basic_exploration.txt
Created
August 19, 2020 05:58
— forked from Cyb3rWard0g/seatbelt_registry_basic_exploration.txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", "" | |
| SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs" | |
| SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer" |
sasqwatch
/ seatbelt_appdata_basic_exploration.txt
Created
August 19, 2020 05:58
— forked from Cyb3rWard0g/seatbelt_appdata_basic_exploration.txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks" | |
| \AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\" | |
| \AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" | |
| \AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" | |
| \AppData\\Roaming\\gcloud\\credentials.db" |
NewerOlder