joshfinley · March 31, 2025 01:41
diff --git a/Get-EtwProviderAces.ps1 b/Get-EtwProviderAces.ps1
 # Helper script to get SDDL/ACES for ETW Providers
 # Inspired by / draws from Chapter 8 of "Evading EDR" by Matt Hand
 param (
    [Parameter(Mandatory = $false)]
    [string]$ProviderName,

    [Parameter(Mandatory = $false)]
    [Guid]$Guid
 )

 if (-not $ProviderName -and -not $Guid) {
    Write-Error "You must specify either -ProviderName or -Guid."
    exit 1
 }

 if ($ProviderName) {
    $providerInfo = wevtutil gp "$ProviderName" 2>$null
    if (-not $providerInfo) {
        Write-Error "Could not retrieve provider info."
        exit 1
    }

    $guidLine = $providerInfo | Where-Object { $_ -match '^GUID:' }
    if (-not $guidLine) {
        Write-Error "GUID not found in provider info."
        exit 1
    }

    $guid = $guidLine -replace '^GUID:\s*', ''
    $guid = $guid.Trim('{}').ToUpper()
 } else {
    $guid = $Guid.ToString().ToUpper()
 }

 try {
    $sdTable = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Security
    $binarySD = $sdTable.$guid
    if (-not $binarySD) {
        throw "No binary security descriptor found for GUID: {$guid}"
    }

    $sddl = ([wmiclass]"Win32_SecurityDescriptorHelper").BinarySDToSDDL($binarySD).SDDL
    $decoded = ConvertFrom-SddlString -Sddl $sddl

    if ($ProviderName) {
        Write-Output "Provider Name: $ProviderName"
    }
    Write-Output "GUID: {$guid}"
    Write-Output "SDDL: $sddl"
    Write-Output "Decoded:"
    $decoded
 } catch {
    Write-Error $_
 }
	# Helper script to get SDDL/ACES for ETW Providers
	# Inspired by / draws from Chapter 8 of "Evading EDR" by Matt Hand
	param (
	[Parameter(Mandatory = $false)]
	[string]$ProviderName,

	[Parameter(Mandatory = $false)]
	[Guid]$Guid
	)

	if (-not $ProviderName -and -not $Guid) {
	Write-Error "You must specify either -ProviderName or -Guid."
	exit 1
	}

	if ($ProviderName) {
	$providerInfo = wevtutil gp "$ProviderName" 2>$null
	if (-not $providerInfo) {
	Write-Error "Could not retrieve provider info."
	exit 1
	}

	$guidLine = $providerInfo \| Where-Object { $_ -match '^GUID:' }
	if (-not $guidLine) {
	Write-Error "GUID not found in provider info."
	exit 1
	}

	$guid = $guidLine -replace '^GUID:\s*', ''
	$guid = $guid.Trim('{}').ToUpper()
	} else {
	$guid = $Guid.ToString().ToUpper()
	}

	try {
	$sdTable = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Security
	$binarySD = $sdTable.$guid
	if (-not $binarySD) {
	throw "No binary security descriptor found for GUID: {$guid}"
	}

	$sddl = ([wmiclass]"Win32_SecurityDescriptorHelper").BinarySDToSDDL($binarySD).SDDL
	$decoded = ConvertFrom-SddlString -Sddl $sddl

	if ($ProviderName) {
	Write-Output "Provider Name: $ProviderName"
	}
	Write-Output "GUID: {$guid}"
	Write-Output "SDDL: $sddl"
	Write-Output "Decoded:"
	$decoded
	} catch {
	Write-Error $_
	}