sunnyc7 / checkaslr.py

Created April 20, 2020 18:16 — forked from wdormann/checkaslr.py

Check for running processes on Windows that have components that do not utilize ASLR

	#!/usr/bin/env python

	'''
	Utility to check for processes running with non-ASLR-compatible components.
	Run with Administrative privileges to get visibility into all processes.

	(1a) psutil: https://pypi.org/project/psutil/
	Installed via PIP
	-OR-
	(1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls

sunnyc7 / Get-BlockedPowershellHashInCIPolicy.ps1

Last active April 15, 2020 08:07

	# Based on a hint by @tiraniddo in chat today on Matt's Twitch Stream - https://www.twitch.tv/mattifestation
	# Context: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md

	# What does the script do?:
	# Get a list of blocked filenames from the hashes in Microsoft recommended block rules.

	# Result
	# Some strange filenames from hashes in VT output, for e.g.169339.ps1
	# Some hashes do not exist in VT.

sunnyc7 / WDEG_CFA1.md

Created April 3, 2020 04:44

Quick notes on WDEG (Windows Defender Exploit Guard) - CFA feature

Quick note on WDEG CFA (Controlled Folder Access)

Scenario:

sunnyc7 / DeviceGuard_Driver_Strict_Enforcement_policy.xml

Created March 23, 2020 23:39 — forked from mattifestation/DeviceGuard_Driver_Strict_Enforcement_policy.xml

File-based driver enforcement Device Guard policy for my Surface Laptop w/ Windows 10 Enterprise.

	<?xml version="1.0" encoding="utf-8"?>
	<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.0.0</VersionEx>
	<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>
	<Rule>

sunnyc7 / Sudoku.com AI Solver.py

Created March 11, 2020 03:35 — forked from ahmedkhalf/Sudoku.com AI Solver.py

Solve sudoku.com using Selenium!

	from selenium import webdriver
	from selenium.webdriver.common.by import By
	from selenium.webdriver.support.ui import WebDriverWait
	from selenium.webdriver.support import expected_conditions as EC
	import time

	# Make sure chrome driver is in your path,
	# full download totorial on official python selenium website.

	# Start broswer with sudoku.com

sunnyc7 / ExpandDefenderSig.ps1

Created January 24, 2020 16:26 — forked from mattifestation/ExpandDefenderSig.ps1

Decompresses Windows Defender AV signatures for exploration purposes

	filter Expand-DefenderAVSignatureDB {
	<#
	.SYNOPSIS

	Decompresses a Windows Defender AV signature database (.VDM file).

	.DESCRIPTION

	Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.

sunnyc7 / NiftyETWProviders.json

Created January 24, 2020 16:17 — forked from mattifestation/NiftyETWProviders.json

ETW providers you never knew existed...

	[
	{
	"ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a",
	"ProviderName": "AccEventTool",
	"ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba",
	"AssociatedFilenames": [
	"accevent.exe",
	"inspect.exe",
	"narrator.exe",
	"srh.dll"

sunnyc7 / Test-IfServernameIsCluster .ps1

Created November 27, 2019 15:43

This is a perennial issue when you are trying to run inventory based on AD, and not count all the Cluster objects. I hope this helps someone

	Function Test-IfServernameIsCluster {
	<#
	.Synopsis
	Test if an AD Object is a Cluster

	.INPUT
	Input Object requires PsComputerName, ServicePrincipalName AD Attributes

	$test = get-qadcomputer VDICLU001 -IncludedProperties 'ServicePrincipalName' \| select Name,ServicePrincipalName
	$test = get-qadcomputer VDICLU001 -OSName "Windows Server*" -SizeLimit -1 -IncludedProperties 'ServicePrincipalName' \| select Name,ServicePrincipalName

sunnyc7 / Test-IfServerIsCluster.ps1

Created November 27, 2019 15:42

This is a perennial issue when you are trying to run inventory based on AD, and not count all the Cluster objects.

	Function Test-IfServerIsCluster {
	<#
	.Synopsis
	Test if an AD Object is a Cluster

	.INPUT
	Input Object requires PsComputerName, ServicePrincipalName AD Attributes

	$test = get-qadcomputer VDICLU001 -IncludedProperties 'ServicePrincipalName' \| select Name,ServicePrincipalName
	$test = get-qadcomputer VDICLU001 -OSName "Windows Server*" -SizeLimit -1 -IncludedProperties 'ServicePrincipalName' \| select Name,ServicePrincipalName

sunnyc7 / Trim-WorkingSetIL.ps1

Created November 17, 2019 13:27

	Function Trim-WorkingSet {
	[cmdletbinding()]
	param([int] $procid)

	begin {
	$sig = @"
	[DllImport("kernel32.dll")]
	public static extern bool SetProcessWorkingSetSize( IntPtr proc, int min, int max );
	"@
	}