#x_ops
Enable PowerShell Logging
PoC Video
Details
This PowerShell script enables detailed logging of PowerShell activity, including module usage, command transcription, and script block execution. It ensures that all relevant logging settings are properly configured in the Windows Registry.
How to Use
- Run the script with administrator privileges.
- Specify the desired transcription path for logs (default: C:\PSLogs).
- Optionally, enable script block logging for detailed script execution tracking.
- The script will:
  - Create necessary registry paths if they do not exist.
  - Enable module logging.
  - Configure transcription settings.
  - Enable script block logging (if specified).
- After execution, verify the configuration through the returned status summary.
Importance
- Security & Auditing: Helps track PowerShell activity, detecting unauthorized script executions.
- Troubleshooting: Provides logs for debugging issues in PowerShell scripts.
- Compliance: Meets organizational or regulatory requirements for script execution monitoring.
- Incident Response: Allows forensic analysis in case of security breaches.
By implementing this logging mechanism, administrators can improve security posture and maintain control over PowerShell execution within their environments.
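An added example (not the repository's script) that applies the same three policies through the standard PowerShell policy keys under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell and returns a status summary for verification; the function names are the example's own, and the transcript path default follows the description above:

```powershell
#Requires -RunAsAdministrator
# Added example (not the repository's script): configures module logging,
# transcription and script block logging via the registry and reports status.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSLogging {
    param(
        [string]$TranscriptPath = 'C:\PSLogs',
        [switch]$EnableScriptBlockLogging
    )
    # Module logging: EnableModuleLogging=1 plus a "*" entry under ModuleNames
    # records pipeline execution (event 4103) for every module.
    $module = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path $module, (Join-Path $module 'ModuleNames') -Force | Out-Null
    New-ItemProperty -Path $module -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path (Join-Path $module 'ModuleNames') -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription: one transcript file per session, written to $TranscriptPath
    $trans = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $trans -Force | Out-Null
    New-Item -Path $TranscriptPath -ItemType Directory -Force | Out-Null
    New-ItemProperty -Path $trans -Name 'EnableTranscripting' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $trans -Name 'EnableInvocationHeader' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $trans -Name 'OutputDirectory' -Value $TranscriptPath -PropertyType String -Force | Out-Null

    # Script block logging: de-obfuscated script blocks are logged as event 4104
    if ($EnableScriptBlockLogging) {
        $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
        New-Item -Path $sbl -Force | Out-Null
        New-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    }
    Get-PSLoggingStatus
}

function Get-PSLoggingStatus {
    # Reads each policy value back (a missing key reads as $null, i.e. disabled)
    # so the result can be checked after Enable-PSLogging has run.
    $get = { param($Sub, $Name)
        (Get-ItemProperty -Path (Join-Path $PolicyRoot $Sub) -Name $Name -ErrorAction SilentlyContinue).$Name }
    [pscustomobject]@{
        ModuleLogging      = (& $get 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription      = (& $get 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptPath     = & $get 'Transcription' 'OutputDirectory'
        ScriptBlockLogging = (& $get 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
    }
}

Enable-PSLogging -TranscriptPath 'C:\PSLogs' -EnableScriptBlockLogging | Format-List
```

New sessions pick the settings up immediately; the 4103/4104 events land in the Microsoft-Windows-PowerShell/Operational log, while transcripts go to the configured directory.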
Set PowerShell to Constrained Language Mode
This PowerShell script enforces Constrained Language Mode to restrict potentially harmful operations. It first checks the current execution mode, attempts to change it if necessary, and then validates the change by running a separate PowerShell process to ensure the setting persists. Additionally, the script logs all actions to a local file (C:\Logs\PowerShell_LanguageMode.log) for auditing purposes.
Constrained Language Mode is a PowerShell security feature designed to restrict certain scripting capabilities, especially those that can execute arbitrary .NET methods. This mode is enforced through AppLocker or WDAC (Windows Defender Application Control) and helps mitigate risks like malicious script execution, fileless malware, and privilege escalation attacks.
Potential Security Issue
- By default, PowerShell runs in Full Language Mode, allowing unrestricted access to .NET classes and system functions.
- Attackers who gain access to PowerShell in Full Language Mode can execute arbitrary code, access system files, and modify security settings.
- Switching PowerShell to Constrained Language Mode limits these capabilities, significantly reducing the attack surface.
How the Script Works
- Checks Current Execution Mode: If already in Constrained Mode, it logs and exits.
- Attempts to Enforce Constrained Mode: Modifies $ExecutionContext.SessionState.LanguageMode.
- Validates the Change in a New Process: Runs a separate PowerShell instance to ensure persistence.
- Logs Actions for Auditing: Saves mode status and validation results to C:\Logs\PowerShell_LanguageMode.log.
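The check, switch and validate sequence described above, as an added example (not the repository's script) using the same log file path; the function names are the example's own. The in-session assignment is not inherited by a child process, so the second check only comes back constrained when a system-wide policy such as AppLocker or WDAC enforces it:

```powershell
# Added example (not the repository's script): checks the current language mode,
# switches the running session to ConstrainedLanguage, then starts a fresh
# powershell.exe to see whether the mode is enforced beyond this session.
$LogFile = 'C:\Logs\PowerShell_LanguageMode.log'

function Write-ModeLog([string]$Message) {
    New-Item -Path (Split-Path $LogFile) -ItemType Directory -Force | Out-Null
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogFile
}

function Get-ChildProcessLanguageMode {
    # A new process does not inherit the in-session property, so this reports
    # only what a system-wide policy (AppLocker/WDAC) imposes on new sessions.
    & powershell.exe -NoProfile -NonInteractive -Command '$ExecutionContext.SessionState.LanguageMode'
}

function Set-ConstrainedLanguageMode {
    $current = $ExecutionContext.SessionState.LanguageMode
    Write-ModeLog "Current session mode: $current"
    if ($current -eq 'ConstrainedLanguage') {
        Write-ModeLog 'Already constrained; nothing to do.'
        return [pscustomobject]@{ Session = $current; NewProcess = Get-ChildProcessLanguageMode; Persistent = $true }
    }
    try {
        # Lowering a FullLanguage session to ConstrainedLanguage is permitted; raising it back is not.
        $ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
        Write-ModeLog 'Session switched to ConstrainedLanguage'
    } catch {
        Write-ModeLog "Failed to change mode: $($_.Exception.Message)"
    }
    $child = Get-ChildProcessLanguageMode
    $persistent = $child -eq 'ConstrainedLanguage'
    Write-ModeLog "New process reports: $child (persistent: $persistent)"
    [pscustomobject]@{
        Session    = $ExecutionContext.SessionState.LanguageMode
        NewProcess = $child
        Persistent = $persistent
    }
}

Set-ConstrainedLanguageMode | Format-List
```

On an unmanaged host the result is typically Session = ConstrainedLanguage with NewProcess = FullLanguage, which is exactly the gap the validation step is meant to surface.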
Remove PowerShell version 2.0
PoC Video
This script checks whether PowerShell v2.0 is installed on a Windows 10/11 system and, if found, disables it. PowerShell v2.0 is outdated and poses security risks, as it lacks modern security enhancements and allows attackers to execute scripts that bypass current security policies. Disabling it reduces the attack surface and improves system security.
Update Thunderbird Script (Spanish)
See Video Link
This script automates the process of updating Thunderbird and configuring it to run in Spanish. It handles the technical aspects of changing the email client's language settings, including updating the system packages, installing the Spanish language pack, and properly configuring all language-related preferences across multiple possible profile locations.
- System Update
  - Updates the package list and upgrades Thunderbird using apt-get update and apt-get install
  - Installs the Spanish language pack via the thunderbird-l10n-es-es package
- Profile Management
  - Searches for Thunderbird profiles in ~/.thunderbird and ~/.mozilla-thunderbird
  - Creates or modifies configuration files (prefs.js and user.js) in each profile found
- Language Configuration
  - Sets key preferences in user.js:
    - general.useragent.locale: "es-ES"
    - spellchecker.dictionary: "es-ES"
    - intl.locale.requested: "es-ES"
    - intl.accept_languages: "es-ES"
  - Configures the Spanish date format: dd/MM/yyyy
- Permission Management
  - Executes pkill thunderbird to ensure the application is closed
  - Runs the permission fix script:
    - chmod 644 for all files
    - chmod 755 for all directories
  - Ensures proper read/write access to configuration files
After running the script, a restart of Thunderbird is required for all changes to take effect.
List All Chrome Extensions
PoC video
This script lists all installed Chrome extensions by scanning the default Chrome user data directories. It also allows the user to specify a custom extensions path if their Chrome extensions are located elsewhere.
Key features:
- Default Paths: Automatically checks common Chrome extensions locations:
  - Default/Extensions
  - Profile */Extensions
- Custom Extensions Path: Users can set a custom path by modifying the CUSTOM_EXTENSIONS_PATH variable:
  CUSTOM_EXTENSIONS_PATH="/path/to/your/extensions"
How it works:
- Scans for Chrome extensions in default and custom paths.
- Identifies the latest version of each extension and extracts its name from the manifest.json file.
- Displays the list of installed extensions along with their unique IDs in a clear format.
Configure Windows Endpoint Firewall Rules
Description
This script is designed to configure Windows firewall rules to secure a system by controlling inbound and outbound traffic. It performs the following steps:
- Clear Existing Rules: The script begins by deleting all existing firewall rules to start with a clean configuration, ensuring no conflicting or outdated settings remain.
- Set Default Inbound Policy: The script sets the default inbound firewall policy to block all incoming connections by default while allowing all outbound connections. This helps to prevent unauthorized inbound traffic while maintaining functionality for outgoing connections.
- Allow Local Loopback Traffic: It adds rules to allow inbound traffic on the local loopback interface (IP 127.0.0.1) for both TCP and UDP protocols. This is necessary for internal communication and ensures that local processes can interact with each other without restrictions.
- Allow Established and Related Connections: The script adds rules to allow inbound traffic for established and related connections. This ensures that connections that have already been established (such as responses to outgoing requests) are not blocked, maintaining proper system functionality.
- Allow Specific Inbound Traffic:
- SSH: Inbound traffic on port 22 (SSH) is allowed, which is essential for remote access to the system.
- HTTP: Inbound traffic on port 80 (HTTP) is permitted, allowing web servers to accept HTTP connections.
- HTTPS: Inbound traffic on port 443 (HTTPS) is permitted, allowing secure web traffic for encrypted communications.
- Allow ICMP Traffic (Ping): The script enables inbound ICMP traffic (specifically type 8, echo request) to allow network diagnostics, such as ping tests, for troubleshooting and network analysis.
- Enable Logging for Dropped Packets: The script enables logging of dropped packets to monitor and review any traffic that is blocked by the firewall. It specifies a log file path and a maximum log file size, ensuring the log stays manageable. This can help in detecting malicious attempts or other abnormal network behavior.
- Save the Firewall Rules: After applying the firewall configurations, the script exports the firewall rules to a backup file (C:\firewall_rules.wfw). This enables easy restoration or transfer of the rules in the future.
- Ensure Firewall Service Starts Automatically: The script ensures that the Windows Firewall service (MpsSvc) is set to start automatically on system boot. It also starts the service if it's not already running, ensuring continuous protection after reboot.
This script provides a comprehensive configuration for securing an endpoint, allowing essential services while blocking unnecessary and potentially harmful traffic. It also includes logging and persistence features to ensure the rules remain active and monitor network activity effectively.
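An added example (not the repository's script) of the inbound-deny baseline described above, written with the NetSecurity cmdlets; unlike the described script it does not delete existing rules, the rule group name is a constructed label, and the backup path is the one quoted above:

```powershell
#Requires -RunAsAdministrator
# Added example (not the repository's script): block-inbound/allow-outbound
# baseline with loopback, SSH/HTTP/HTTPS and ping allowed, drop logging,
# a policy backup and an auto-starting firewall service.
$Group   = 'Endpoint Baseline'   # constructed label so these rules can be reviewed together
$LogPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
$Backup  = 'C:\firewall_rules.wfw'

function Set-InboundBaseline {
    # Default policy on all three profiles. Windows Firewall is stateful, so replies
    # to outbound connections are accepted without an explicit "established" rule.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogFileName $LogPath -LogMaxSizeKilobytes 16384

    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Loopback $proto" -Group $Group -Direction Inbound `
            -Protocol $proto -LocalAddress 127.0.0.1 -RemoteAddress 127.0.0.1 -Action Allow | Out-Null
    }
    # Service ports from the description: SSH, HTTP, HTTPS
    $ports = @{ SSH = 22; HTTP = 80; HTTPS = 443 }
    foreach ($name in $ports.Keys) {
        New-NetFirewallRule -DisplayName "Allow $name" -Group $Group -Direction Inbound `
            -Protocol TCP -LocalPort $ports[$name] -Action Allow | Out-Null
    }
    # ICMPv4 type 8 (echo request) so the host still answers ping
    New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo' -Group $Group -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -Action Allow | Out-Null

    # Persistence: export the policy and make sure the service survives reboots
    netsh advfirewall export $Backup | Out-Null
    Set-Service -Name MpsSvc -StartupType Automatic
    if ((Get-Service -Name MpsSvc).Status -ne 'Running') { Start-Service -Name MpsSvc }
}

function Get-BaselineStatus {
    # Verification of the rules created here plus the profile-level settings
    [pscustomobject]@{
        RuleCount      = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue).Count
        InboundBlocked = @(Get-NetFirewallProfile | Where-Object DefaultInboundAction -ne 'Block').Count -eq 0
        LoggingDrops   = @(Get-NetFirewallProfile | Where-Object LogBlocked -ne 'True').Count -eq 0
        BackupExists   = Test-Path $Backup
        ServiceAuto    = (Get-Service -Name MpsSvc).StartType -eq 'Automatic'
    }
}

Set-InboundBaseline
Get-BaselineStatus | Format-List
```

Because every rule carries the same Group, `Remove-NetFirewallRule -Group 'Endpoint Baseline'` undoes the example cleanly without touching rules that were already present.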
List All Firefox Extensions
PoC video
Description
This script lists all installed Firefox extensions by scanning the default Firefox profile directories. It also allows the user to specify a custom profile path if their Firefox profile is located elsewhere.
Key features:
- Default Paths: Automatically checks common Firefox profile locations:
  - $env:APPDATA\Mozilla\Firefox\Profiles\*.default*
  - $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release*
- Custom Profile Path: Users can set a custom path by modifying the $CustomProfilePath variable:
  $CustomProfilePath = "C:\Path\To\Your\Profile"
How it works:
- Scans for Firefox profiles in default and custom paths.
- Lists all .xpi files and directories in the extensions folder of each profile.
- Displays the results in a clear, color-coded format.
Remove All Firefox Extensions
PoC video
Description
This script removes all installed Firefox extensions by deleting .xpi files and extension directories from the Firefox profile's extensions folder. It ensures Firefox is not running before attempting removal and handles errors gracefully.
Key features:
- Default Paths: Checks common Firefox profile locations:
  - $env:APPDATA\Mozilla\Firefox\Profiles\*.default*
  - $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release*
- Custom Profile Path: Users can set a custom path by modifying the $CustomProfilePath variable:
  $CustomProfilePath = "C:\Path\To\Your\Profile"
How it works:
- Ensures Firefox is not running before proceeding.
- Scans for Firefox profiles in default and custom paths.
- Deletes all .xpi files and extension directories in the extensions folder.
- Displays the results in a clear, color-coded format.
#x_remediation
Elevation of Privilege Vulnerability in Microsoft Edge (Chromium-based) - Mitigation Script
PoC Video Link
CVE-2025-21399 is a privilege escalation vulnerability affecting the update mechanism of Microsoft Edge (Chromium-based), carrying a CVSS score of 7.4. This flaw allows an attacker to obtain elevated privileges on the affected system, potentially enabling unauthorized actions that could compromise user data and system integrity.
This mitigation script works as follows:
- Service Disabling:
  - Stops and disables the edgeupdate and edgeupdatem services.
  - Prevents the Edge Update process from running automatically.
- Executable Renaming:
  - Renames MicrosoftEdgeUpdate.exe to MicrosoftEdgeUpdate_Disabled.exe in the default installation paths to prevent it from being launched by other means.
  - Blocks the updater from being executed.
- Registry Configuration:
  - Disables Microsoft Edge automatic updates by setting the AutoUpdateCheckPeriodMinutes registry value to 0.
  - Ensures the registry path exists and is properly configured.
- ACL Enforcement:
  - Applies a Deny Write rule for BUILTIN\Users on the Edge Update directories.
  - Prevents non-admin users from modifying or replacing the updater executable.
- Error Handling:
  - Provides detailed feedback on each step, including failures or skipped actions.
  - Handles missing files, directories, or permission issues effectively.
By running this mitigation script, you can reduce the risk of exploitation for CVE-2025-21399 by disabling the vulnerable update mechanism and enforcing strict access controls.
CVE-2024-49765: Discourse Vulnerability - Mitigation Script
PoC video
Description
This script mitigates CVE-2024-49765, a security vulnerability in Discourse that occurs when Discourse Connect is enabled but local login (DISCOURSE_ALLOW_LOCAL_LOGIN) is still allowed. This misconfiguration can let attackers bypass authentication and create accounts via the local login method.
The script automatically modifies the Discourse configuration file (app.yml), disabling local login to prevent unauthorized access. It also creates a backup before making any changes.
Allowing local login while using Discourse Connect creates a security loophole that attackers can exploit to create unauthorized accounts. By disabling local login, this script ensures that authentication only happens through Discourse Connect, reducing the risk of exploitation.
#x_detection
Elevation of Privilege Vulnerability in Microsoft Edge (Chromium-based) - Detection Script
PoC video
Description
CVE-2025-21399 is a privilege escalation vulnerability affecting the update mechanism of Microsoft Edge (Chromium-based), carrying a CVSS score of 7.4. This flaw allows an attacker to obtain elevated privileges on the affected system, potentially enabling unauthorized actions that could compromise user data and system integrity.
This detection script works as follows:
- Version Identification:
  - Checks the installed Microsoft Edge Update version from the registry.
  - Determines if the version falls within the vulnerable range (1.0.0.0 to 1.3.195.42).
- Mitigation Verification:
  - Verifies if the Edge Update service is disabled and not set to auto-start.
  - Checks if the Edge Update process is currently running.
  - Confirms if automatic updates are disabled via registry policy.
  - Validates if write access is blocked for non-admin users via ACLs.
- Error Handling:
  - Handles missing directories or inaccessible paths gracefully.
  - Provides detailed feedback on each check for troubleshooting.
- Reporting:
  - Outputs a clear summary of vulnerability status and mitigation effectiveness.
By running this detection script, you can assess whether your system is potentially vulnerable to CVE-2025-21399 and verify if mitigations are in place.
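An added example (not the repository's script) of the version check and mitigation verification described above. It reads the version from the updater binary rather than the registry, the updater directory under Program Files (x86) is an assumed default, the version range and policy value name are the ones quoted above, and the function names are the example's own:

```powershell
# Added example (not the repository's script): reports whether the installed
# Edge Update binary falls in the range given above (1.0.0.0 - 1.3.195.42) and
# whether each described mitigation is in place.
# Assumed default updater location; adjust if your installation differs.
$UpdateDir = 'C:\Program Files (x86)\Microsoft\EdgeUpdate'
$VulnLow   = [version]'1.0.0.0'
$VulnHigh  = [version]'1.3.195.42'

function Get-EdgeUpdateVersion {
    # Matches the renamed binary as well, since the mitigation renames it.
    $exe = Get-ChildItem -Path $UpdateDir -Filter 'MicrosoftEdgeUpdate*.exe' -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($exe) { [version]$exe.VersionInfo.FileVersion }
}

function Test-VulnerableVersion([version]$Version) {
    # Component-wise comparison; a string compare would misorder 1.3.195.42 and 1.3.99.0.
    $Version -ge $VulnLow -and $Version -le $VulnHigh
}

function Test-UsersWriteDenied([string]$Path) {
    # Looks for an explicit Deny ACE covering Write for BUILTIN\Users (name is localized on non-English systems).
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        ($_.FileSystemRights -band $writeMask) -eq $writeMask })
}

function Get-EdgeUpdateStatus {
    $ver      = Get-EdgeUpdateVersion
    $services = Get-Service -Name 'edgeupdate', 'edgeupdatem' -ErrorAction SilentlyContinue
    $policy   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate' -Name 'AutoUpdateCheckPeriodMinutes' -ErrorAction SilentlyContinue
    $vulnerable = if ($ver) { Test-VulnerableVersion $ver } else { 'unknown (updater not found)' }
    [pscustomobject]@{
        Version            = $ver
        Vulnerable         = $vulnerable
        ServicesDisabled   = @($services | Where-Object { $_.StartType -ne 'Disabled' -or $_.Status -eq 'Running' }).Count -eq 0
        UpdaterRunning     = [bool](Get-Process -Name 'MicrosoftEdgeUpdate' -ErrorAction SilentlyContinue)
        AutoUpdateDisabled = $policy.AutoUpdateCheckPeriodMinutes -eq 0
        UsersWriteDenied   = Test-UsersWriteDenied $UpdateDir
    }
}

Get-EdgeUpdateStatus | Format-List
```

A host is in the intended state when Vulnerable is either False or accompanied by ServicesDisabled, AutoUpdateDisabled and UsersWriteDenied all True and UpdaterRunning False.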
CVE-2024-49765: Discourse Vulnerability - Detection Script
PoC video
Description
This script identifies whether a Discourse instance is vulnerable to CVE-2024-49765, a security issue affecting sites using Discourse Connect while still allowing local logins. The vulnerability allows attackers to bypass Discourse Connect authentication and create accounts using the local login method.
This vulnerability can lead to unauthorized account creation and potential security breaches. If Discourse Connect is enabled but local login is not disabled, attackers may exploit this misconfiguration to gain unauthorized access to the system. Detecting and mitigating this issue is crucial to maintaining a secure authentication flow.