bcdedit-revert-uefi-gpt-boot-order: Powershell script to modify the UEFI/GPT boot order

March 28, 2019 ~ hucktech ~ Leave a comment

This powershell script modifies the UEFI/GPT boot order by finding the first non-Windows entry and moving it to the top of the order. When using UEFI+GPT, the Windows installation (since Windows 7?) creates its own boot device entry (“Windows Boot Manager”, a.k.a. “{bootmgr}”) in the UEFI/GPT boot order list and, obnoxiously, takes the liberty of moving said entry to the top of the list. Under most circumstances, this is fine, and probably desirable. However for systems used for repeated deployment testing, or systems which you want a different bootloader to take priority (such as dual-boot systems, or computer lab systems that can be remotely re-imaged), this is a show stopper. So I needed a way to do this programmatically. This script makes use of the arcane and undocumented {fwbootmgr} identifier implemented by bcdedit to find the first non-Windows boot device entry in the UEFI/GPT boot order list and move it to the top of the list.

https://github.com/mmseng/bcdedit-revert-uefi-gpt-boot-order

Get-USBHistory: get history of a USB flash driving using PowerShell

February 22, 2019 ~ hucktech ~ Leave a comment

#DFIR tip:

You can mass query USB devices used across an enterprise by leveraging PowerShell.

Leverage this to hunt for malicious insiders. Keep historical records to detect anomalies.

1) https://t.co/k4g06z30QV

2) https://t.co/P8zUs18H3B

— Andrew Case (@attrc) February 9, 2018

https://gallery.technet.microsoft.com/scriptcenter/Get-USBHistory-707e43a3

https://devblogs.microsoft.com/scripting/use-powershell-to-find-the-history-of-usb-flash-drive-usage/

PowerShellBIOSUpdate: A PowerShell script to deploy BIOS updates for PSADT

January 17, 2019 ~ hucktech ~ Leave a comment

A PowerShell script to deploy BIOS updates for PSADT

https://github.com/adamleinss/PowerShellBIOSUpdate

Firmware-BiosUpgrades: Update BIOS for any make and model (incremental if needed) [using PowerShell]

January 17, 2019 ~ hucktech ~ Leave a comment

Update BIOS for any make and model (incremental if needed).

Invoke-BIOSUpgrade.ps1 – Checks the make and model and bios version, then compares that with whats in a corresponding folder (BIOS<make><model>). Does check for Bios password in plain text file BIOSPassword.txt (if exists). It will attempt to suspend bitlocker if enabled. Also sets a SMSTS environment variable SMSTS_BiosRebootRequired, SMSTS_BiosBatteryCharge, SMSTS_BiosBatteryCharge which can be used for a additional sequences. Also set a variable (SMSTS_MutipleBIOSUpdatesNeeded), which allows the bios to update incrementally if needed. This does require to have two steps in the tasksequence to run this script twice (or three times), but one of them should check if this variable is true.

https://github.com/PowerShellCrack/Firmware-BiosUpgrades

PSRedfishEventListener: Redfish Event Listener in PowerShell

December 11, 2018 ~ hucktech ~ Leave a comment

The Redfish specification supports event mechanism through which the target redfish devices can send events from different components in the system to an event listener. This project provides an event listener that is create in native PowerShell.

https://github.com/rchaganti/PSRedfishEventListener

https://www.powershellmagazine.com/2018/11/13/redfish-event-listener-in-powershell/

https://psredfishlistener.readthedocs.io/en/latest/

Detecting Evil Maid attacks with PowerShell

April 26, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/04/25/donotdisturb-detect-evil-maid-attacks/

the above solution was a Mac-centric solution. Here’s a Microsoft-centric solution, using Powershell:

Detecting Evil Maid attacks with PowerShell 🙂 https://t.co/EB5ENq68HZ pic.twitter.com/DmxxiONH1v

— Lee Holmes (@Lee_Holmes) April 25, 2018

https://pastebin.com/hAEHibHf

Grab this version before the Visual Studio or Azure teams ties the code to their products. 🙂

PSSysmonTools: SysMon Tools for PowerShell

April 8, 2018 ~ hucktech ~ Leave a comment

Sysmon Tools for PowerShell, by @mattifestation https://t.co/swGDNFtbiv

— DirectoryRanger (@DirectoryRanger) April 7, 2018

https://github.com/mattifestation/PSSysmonTools

Windows: enable BIOS and UEFI boot for PXE in DHCP

February 14, 2018 ~ hucktech ~ Leave a comment

Enable BIOS and UEFI Boot for PXE in DHCP https://t.co/yeZu71dUFS via @PhilPritchett

— skatterbrainzz (@skatterbrainzz) February 12, 2018

There’s an URL to a live.com download in the blog, as well as PowerShell script inline with blog text:

Enable BIOS and UEFI Boot for PXE in DHCP

UEFI-CheckScript: PowerShell script for SCCM/WinPE

September 18, 2017 ~ hucktech ~ Leave a comment

“This Windows PowerShell script can be used in an SCCM task sequence to see if WinPE was booted in UEFI or BIOS mode.”

https://github.com/diablolot53/uefi-checkscript

CreateUEFIBootableUSB

June 6, 2017 ~ hucktech ~ Leave a comment

If you use Windows and want a PowerShell script to help with boot USB drives, this might be useful for you.

https://github.com/yowko/CreateUEFIBootableUSB

Lenovo BIOS to UEFI

October 28, 2016 ~ hucktech ~ Leave a comment

https://github.com/theznerd/LenovoBIOStoUEFI

“Lenovo BIOS to UEFI TS Converter with CG/DG Prep: Allows you to configure SecureBoot/UEFI settings, as well as Virtualization Technology and TPM for Credential Guard and Device Guard. This script is designed to work on both ThinkPad and ThinkCentre machines. This script connects to the WMI instances for Lenovo machines, and then configures the requested settings. This script is designed to be used as part of a task sequence where you want to convert from legacy BIOS to UEFI and at the same time prepare the machine for Credential Guard and Device Guard.”

Kansa: incident response framework for Windows Powershell

April 23, 2016 ~ hucktech ~ Leave a comment

I saw one of the speakers of Kansa recently, speaking about their project. Bryan tweeted about that talk:

@z4ns4tsu explaining #kansa. you can get the app here (fancy graph not included) https://t.co/nSrisugvhU pic.twitter.com/5C8V6RtiWn

— Bryan Brake (@bryanbrake) April 22, 2016

[…] Kansa is a modular incident response framework in Powershell. It uses Powershell Remoting to run user contributed, ahem, user contributed modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline. […]

Kansa kindof reminds me of a Windows-centric, PowerShell-centric version of OSquery. 🙂 It runs a remote powershell with various scripts on all the remote systems, and gathers the data into CSVs for analysis. It has multiple plugins. IMO, it needs many new firmware-related plugins (eg, one for the x-UEFI Configuration Database, etc.).

More info:
https://github.com/davehull/Kansa
http://trustedsignal.blogspot.com/search/label/Kansa
http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

UEFI Advanced Security Settings for Microsoft Surface devices

June 9, 2015June 11, 2015 ~ hucktech ~ Leave a comment

A while ago, Mark Morowczynski of Microsoft wrote a blog post, “How to Manage Surface Pro 3 UEFI Through PowerShell”. In the post, he describes advanced UEFI security configuration options for the Microsoft Surface, such as enable/disable cameras, WiFi, Blootooth, Network Boot. There’s also information about using PowerShell to configure UEFI settings, scaling to control “tends of thousands” of Surface devices.

IMO, this is a nice use of UEFI to configure security settings, I hope other OEMs and OS vendors enable this kind of granularity to configure their systems. I also hope malware authors don’t exploit this ability to scale to all Surface devices in an enterprise with a single PowerShell command. 🙂
More information:

http://blogs.technet.com/b/askpfeplat/archive/2015/04/20/how-to-manage-surface-pro-3-uefi-through-powershell.aspx
https://technet.microsoft.com/en-us/windows/dn965440