Modernize security checks for Windows 11 2023-2024 features #3
moscowchill wants to merge 20 commits into joe-shenouda:main from moscowchill:main
Conversation
Add comprehensive new security checks:
- VBS and Memory Integrity (HVCI) detection
- Credential Guard status verification
- TPM 2.0 validation (required for Windows 11)
- Attack Surface Reduction (ASR) rules monitoring
- Controlled Folder Access anti-ransomware protection
- Enhanced Windows Defender checks (tamper protection, network protection, cloud protection, PUA, signature age)
- Windows Hello for Business detection
- Modern Windows LAPS support with legacy detection
- Enhanced RDP security checks (NLA, SSL/TLS, port config)
- SMB signing and encryption validation

Improvements:
- Modernized Windows Update check using service status and COM API
- Reorganized check execution by priority (core security features first)
- Fixed PSScriptAnalyzer warnings (variable naming)
- Updated README with comprehensive feature documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Tamper protection registry value can be:
- 0 = Disabled
- 1 = Enabled (via Group Policy or manual)
- 5 = Enabled (via Intune/UI)

Updated detection to recognize both 1 and 5 as enabled states.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
New security check monitors Defender exclusions:
- Path exclusions
- Extension exclusions (e.g., .exe, .dll)
- Process exclusions
- IP address exclusions

Status assessment:
- Good: No exclusions (maximum protection)
- Warning: 1-5 exclusions (review for necessity)
- Bad: >5 exclusions (excessive, reduces protection)

Exclusions are a common security weakness as they create blind spots for malware. This check helps identify potential security gaps.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Enhanced the Defender exclusions check to display:
- Specific paths being excluded
- File extensions being excluded
- Process names being excluded
- IP addresses being excluded

This provides actionable information so administrators can review and validate each exclusion for security necessity.

Example output: "5 exclusion(s) configured. Paths (5): C:\Temp, C:\Build, ... | Review to ensure necessary."

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Major enhancement for VDI and locked-down workstation environments:

Changes:
- Script no longer requires admin rights to run
- Shows warning when running as non-admin instead of exiting
- Added Test-RequiresAdmin helper function
- Admin-required checks gracefully skip with clear warning messages:
  * BitLocker encryption status
  * SMBv1 status
  * SMB Signing & Encryption
  * Audit Policy
  * Defender Exclusions (returns admin-required message)

Most checks work without admin:
- VBS/Memory Integrity
- Credential Guard
- TPM 2.0
- Windows Defender (Enhanced)
- ASR Rules
- Controlled Folder Access
- Firewall
- UAC
- Windows Update
- Guest Account
- RDP status
- Network Sharing (may vary)

Updated README with usage instructions for both admin and non-admin execution. Perfect for security audits in VDI environments where testers don't have local admin rights.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
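The Defender exclusions check described in the three commits above (admin gating, Good/Warning/Bad thresholds, and the per-category listing), written here as an added example rather than the PR's own code. The `Test-RequiresAdmin` body is my own implementation of the helper the commit names; the `-Preference` parameter and the constructed sample object are assumptions so the assessment can be exercised without Defender.

```powershell
function Test-RequiresAdmin {
    # Assumed implementation: $true when the session holds the Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DefenderExclusionAssessment {
    param(
        # Assumed parameter: pass a constructed object to test offline; omit to query Defender.
        $Preference = $null,
        [int] $WarnThreshold = 5   # 1..5 -> Warning, >5 -> Bad (thresholds from the commit)
    )
    if (-not $Preference) {
        if (-not (Test-RequiresAdmin)) {
            return [pscustomobject]@{ Status = 'Warning'; Total = $null
                                      Message = 'Admin rights required to read Defender exclusions.' }
        }
        $Preference = Get-MpPreference
    }
    # Empty categories come back as $null; filter so they count as zero items.
    $categories = [ordered]@{
        Paths      = @($Preference.ExclusionPath      | Where-Object { $_ })
        Extensions = @($Preference.ExclusionExtension | Where-Object { $_ })
        Processes  = @($Preference.ExclusionProcess   | Where-Object { $_ })
        IPs        = @($Preference.ExclusionIpAddress | Where-Object { $_ })
    }
    $total  = ($categories.Values | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
    $status = if ($total -eq 0) { 'Good' } elseif ($total -le $WarnThreshold) { 'Warning' } else { 'Bad' }

    # Show the first three entries per category so the finding is actionable but compact.
    $details = foreach ($name in $categories.Keys) {
        $items = $categories[$name]
        if ($items.Count -eq 0) { continue }
        $shown = ($items | Select-Object -First 3) -join ', '
        if ($items.Count -gt 3) { $shown += ', ...' }
        "$name ($($items.Count)): $shown"
    }
    $message = if ($total -eq 0) { 'No exclusions configured.' }
               else { "$total exclusion(s) configured. $($details -join ' | ') | Review to ensure necessary." }
    return [pscustomobject]@{ Status = $status; Total = $total; Message = $message }
}

# Constructed sample input (not read from a real host): five paths plus one extension.
$sample = [pscustomobject]@{
    ExclusionPath      = @('C:\Temp', 'C:\Build', 'C:\Tools', 'D:\Share', 'C:\Users\Public')
    ExclusionExtension = @('.exe')
    ExclusionProcess   = $null
    ExclusionIpAddress = $null
}
Get-DefenderExclusionAssessment -Preference $sample | Format-List
```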
Enhanced hardware security checks to work better without admin privileges:

TPM 2.0 Check:
- Primary: Uses Get-Tpm cmdlet (works for admin)
- Fallback: Uses WMI Win32_Tpm class for non-admin scenarios
- Better error handling with clear warning messages
- Returns "Warning" status when privileges insufficient

Secure Boot Check:
- Primary: Uses Confirm-SecureBootUEFI cmdlet (requires admin on some systems)
- Fallback: Reads HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State registry
- Registry method works for non-admin users in most cases
- Detects Legacy BIOS vs UEFI systems

These are Windows limitations where hardware security queries require elevated privileges on some systems. The fallback methods provide best-effort results for non-admin users.

Updated README with complete list of admin-required checks.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
TPM 2.0 queries require administrator privileges on Windows - there is no reliable non-admin workaround.

Simplified the check to:
- Require admin elevation (shows clear warning for non-admin users)
- Use Get-Tpm cmdlet for admin users (most reliable method)
- Maintain TPM version detection via WMI
- Provide consistent behavior across different Windows configurations

Secure Boot continues to work for non-admin users via registry fallback.

Updated README with clear list of admin-required checks and explanations.

Note: This is a Windows security limitation, not a script limitation. Hardware security queries (TPM, some BitLocker operations) require elevation for security reasons.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
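The Secure Boot check with registry fallback that the two commits above describe, as an added example (not the PR's script). It assumes the `UEFISecureBootEnabled` DWORD under the `SecureBoot\State` key named in the commit, and that `Confirm-SecureBootUEFI` raises `PlatformNotSupportedException` on non-UEFI firmware; both are my assumptions, not statements from the PR.

```powershell
function Get-SecureBootStatus {
    # Primary path: the cmdlet. It may need elevation on some systems, so any failure
    # other than "not a UEFI platform" falls through to the registry read below.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        return [pscustomobject]@{
            Status  = if ($enabled) { 'Good' } else { 'Bad' }
            Source  = 'Confirm-SecureBootUEFI'
            Message = if ($enabled) { 'Secure Boot is enabled.' } else { 'UEFI system with Secure Boot disabled.' }
        }
    } catch [System.PlatformNotSupportedException] {
        # Assumption: this is the exception type on legacy BIOS / non-UEFI firmware.
        return [pscustomobject]@{ Status = 'Bad'; Source = 'Confirm-SecureBootUEFI'
                                  Message = 'Legacy BIOS (non-UEFI) system: Secure Boot not available.' }
    } catch {
        $primaryError = $_.Exception.Message   # typically access denied for non-admin users
    }

    # Fallback path (readable by non-admin users in most cases): the firmware state key.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $state = Get-ItemProperty -Path $key -Name 'UEFISecureBootEnabled' -ErrorAction SilentlyContinue

    if ($null -eq $state) {
        # Key absent on legacy BIOS machines; unreadable keys also land here, so report
        # a Warning rather than asserting a firmware mode we could not confirm.
        return [pscustomobject]@{ Status = 'Warning'; Source = 'Registry'
                                  Message = "Secure Boot state key not readable (cmdlet error: $primaryError). Legacy BIOS or insufficient privileges." }
    }
    $enabled = ($state.UEFISecureBootEnabled -eq 1)
    return [pscustomobject]@{
        Status  = if ($enabled) { 'Good' } else { 'Bad' }
        Source  = 'Registry'
        Message = if ($enabled) { 'Secure Boot is enabled (registry fallback).' }
                  else { 'Secure Boot is disabled (registry fallback).' }
    }
}

Get-SecureBootStatus | Format-List
```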
New script that enumerates Windows persistence mechanisms including:
- Registry Run/RunOnce keys (HKLM/HKCU)
- Startup folders (user and all users)
- Scheduled tasks
- Services
- Winlogon keys
- Boot execute entries
- Image File Execution Options
- AppInit_DLLs and LSA packages
- Credential Manager entries

Includes comprehensive permissions summary at the end that tests and displays:
- Read/write access to key registry locations
- Startup folder permissions
- Scheduled task creation ability
- Current user context and admin privileges

Designed for easy pentest report screenshotting with color-coded output.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
- Combine check.ps1 and Registry-Startup-Check.ps1 into single SeChecks.ps1
- Add manual replication commands for BAD findings (pentest reporting)
- Fix Network Sharing to show adapter names instead of repeated display names
- Improve Boot Execute output format with default value detection
- Include persistence and permissions data in generated report
- Update README with remote execution methods (IEX, bitsadmin, certutil)
…un persistence enum
I'm rich what the fuck is this shit I don't need anyone
- Windows version and build info from registry
- Installed updates via wmic qfe (last 10)
- Vulnerable driver detection (BYOVD targets)
- Third-party software enumeration for common LPE targets