Skip to content

Instantly share code, notes, and snippets.

@mattifestation
mattifestation / SignatureVerificationAttack.ps1
Created September 22, 2017 16:10
Demos from my DerbyCon keynote
$Host.Runspace.LanguageMode
Get-AuthenticodeSignature -FilePath C:\Demo\bypass_test.psm1
Get-AuthenticodeSignature -FilePath C:\Demo\notepad_backdoored.exe
# Try to execute the script. Add-Type will fail.
Import-Module C:\Demo\bypass_test.psm1
$VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +
'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
@Neo23x0
Neo23x0 / config-server.xml
Last active March 11, 2024 14:34
Sysmon Base Configuration - Windows Server
<!--
This is a Microsoft Sysmon configuation to be used on Windows server systems
v0.2.1 December 2016
Florian Roth
The focus of this configuration is
- hacking activity on servers / lateral movement (bad admin, attacker)
It is not focussed on
- malware detection (execution)
- malware detection (network connections)