Matt Graeber mattifestation
mattifestation
/ PSBinaryManipulation.ps1
Last active
July 5, 2024 12:47
Parsing binary values using bit math in PowerShell - Parsing an IO control code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -Version 3 | |
| # -shr and [PSCustomObject] are only available in PSv3+ | |
| function ConvertFrom-IOControlCode { | |
| <# | |
| .SYNOPSIS | |
| Converts an IO control code to its respective arguments. | |
| Author: Matthew Graeber (@mattifestation) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Yes I know I should do this with the CIM cmdlets too... | |
| function Get-WmiNamespace { | |
| <# | |
| .SYNOPSIS | |
| Returns a list of WMI namespaces present within the specified namespace. | |
| .PARAMETER Namespace | |
| Specifies the WMI repository namespace in which to list sub-namespaces. Get-WmiNamespace defaults to the ROOT namespace. |
mattifestation
/ autodump_powershell_process.ps1
Last active
September 16, 2019 04:58
Automatically capture a full PowerShell memory dump upon any PowerShell host process termination
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'PowerShellProcessStarted' | |
| Query = 'SELECT FileName, ProcessID FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $EventFilterArgs | |
| $CommandLineConsumerArgs = @{ |
mattifestation
/ wmi_provider_association.ps1
Last active
August 16, 2022 05:14
Enumerates WMI providers, the DLLs that back the provider, and the classes hosted by the provider.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause | |
| #> | |
| function Get-WmiNamespace { | |
| [OutputType([String])] | |
| Param ( | |
| [String] | |
| [ValidateNotNullOrEmpty()] |
mattifestation
/ UACBypass.ps1
Last active
December 6, 2024 14:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-UACBypass { | |
| <# | |
| .SYNOPSIS | |
| Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy. | |
| Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None |
mattifestation
/ Win10IoTCoreEoP.ps1
Created
July 24, 2016 05:26
Window 10 IoT Core (Build 14393) Elevation of Privilege PoC Exploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region Win10IoT Audit Code | |
| $CimSession = New-CimSession -ComputerName Win10IoT -Credential Administrator -Authentication Negotiate | |
| Get-CimInstance -ClassName Win32_OperatingSystem -CimSession $CimSession | |
| Get-CimInstance -ClassName Win32_Service -Filter 'Name = "InputService"' -CimSession $CimSession | Format-List * | |
| # Run the service audit function in CimSweep | |
| $ServicePermissions = Get-CSVulnerableServicePermission -CimSession $CimSession | |
| $ServicePermissions | Where-Object { $_.GroupName -eq 'NT AUTHORITY\Authenticated Users' } | |
| # The fact that Authenticated Users can change the service configuration means that |
mattifestation
/ CIPolicy.xsd
Last active
April 24, 2025 11:41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <xs:schema | |
| targetNamespace="urn:schemas-microsoft-com:sipolicy" | |
| elementFormDefault="qualified" | |
| xmlns="urn:schemas-microsoft-com:sipolicy" | |
| xmlns:ps="urn:schemas-microsoft-com:sipolicy" | |
| xmlns:xs="http://www.w3.org/2001/XMLSchema" | |
| > | |
| <!-- A {00000000-0000-0000-0000-000000000000} GUID type --> | |
| <xs:simpleType name="GuidType"> |
mattifestation
/ CIPolicyParser.ps1
Last active
April 23, 2025 13:12
Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Ensure System.Security assembly is loaded. | |
| Add-Type -AssemblyName System.Security | |
| function ConvertTo-CIPolicy { | |
| <# | |
| .SYNOPSIS | |
| Converts a binary file that contains a Code Integrity policy into XML format. | |
| Author: Matthew Graeber (@mattifestation) |
mattifestation
/ Microsoft-Windows-CodeIntegrity.manifest.xml
Created
October 17, 2016 20:08
Extracted ETW manifest for the Microsoft-Windows-CodeIntegrity provider.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"> | |
| <events> | |
| <provider name="Microsoft-Windows-CodeIntegrity" guid="{4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}" resourceFileName="Microsoft-Windows-CodeIntegrity" messageFileName="Microsoft-Windows-CodeIntegrity" symbol="MicrosoftWindowsCodeIntegrity" source="Xml" > | |
| <keywords> | |
| </keywords> | |
| <tasks> | |
| <task name="CreateSection" message="$(string.task_CreateSection)" value="1"> | |
| > | |
| <opcodes> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function ConvertTo-Oid { | |
| <# | |
| .SYNOPSIS | |
| Decodes a DER encoded ASN.1 object identifier (OID) | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause | |
| .DESCRIPTION |