Matt Graeber mattifestation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <xs:schema attributeFormDefault="unqualified" | |
| elementFormDefault="qualified" | |
| xmlns:xs="http://www.w3.org/2001/XMLSchema" | |
| version="1.0"> | |
| <!-- --> | |
| <!-- AppLockerPolicy-Type --> | |
| <!-- --> | |
| <xs:element name="AppLockerPolicy" |
mattifestation
/ CIPolicy_Schema_diff_1709.txt
Created
October 19, 2017 19:40
Device Guard/Windows Defender Application Control features additions based on schema diffs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| OptionType: | |
| * Here are the new policy rule options: | |
| * Enabled:Intelligent Security Graph Authorization | |
| * Reputation-based whitelisting. More info here: https://channel9.msdn.com/Events/Ignite/Microsoft-Ignite-Orlando-2017/BRK2080 | |
| * Enabled:Invalidate EAs on Reboot | |
| * Presumably, this refers to NTFS extended attribute caching. More info: https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea | |
| New Allow/Deny/FileAttrib Rule attributes: | |
| * InternalName | |
| * FileDescription |
mattifestation
/ Microsoft-Windows-CodeIntegrity.manifest.xml
Created
October 20, 2017 20:54
Updated CodeIntegrity provider event manifest for Win 10 1709
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"> | |
| <events> | |
| <provider name="Microsoft-Windows-CodeIntegrity" guid="{4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}" resourceFileName="Microsoft-Windows-CodeIntegrity" messageFileName="Microsoft-Windows-CodeIntegrity" symbol="MicrosoftWindowsCodeIntegrity" source="Xml" > | |
| <keywords> | |
| </keywords> | |
| <tasks> | |
| <task name="CreateSection" message="$(string.task_CreateSection)" value="1"> | |
| > | |
| <opcodes> |
mattifestation
/ GetWinCertificateHash.ps1
Last active
July 5, 2024 12:43
A helper function to calculate the SHA256 hash of an Authenticode-signed PE WIN_CERTIFICATE structure.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-WinCertificateHash { | |
| <# | |
| .SYNOPSIS | |
| Calculates the SHA256 hash of the WIN_CERTIFICATE structure of an Authenticode-signed PE file | |
| .DESCRIPTION | |
| Get-WinCertificateHash calculates the SHA256 hash of the WIN_CERTIFICATE structure of an Authenticode-signed PE file. I wrote this function to attempt to identify the exact file that the BadRabbit signature was stolen from. |
mattifestation
/ RunscripthelperBypass.ps1
Created
October 29, 2017 15:29
PowerShell weaponization for the runscripthelper.exe constrained language mode bypass
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-RunScriptHelperExpression { | |
| <# | |
| .SYNOPSIS | |
| Executes PowerShell code in full language mode in the context of runscripthelper.exe. | |
| .DESCRIPTION | |
| Invoke-RunScriptHelperExpression executes PowerShell code in the context of runscripthelper.exe - a Windows-signed PowerShell host application which appears to be used for telemetry collection purposes. The PowerShell code supplied will run in FullLanguage mode and bypass constrained language mode. |
mattifestation
/ DeviceGuard_Driver_Strict_Enforcement_policy.xml
Created
November 20, 2017 00:38
File-based driver enforcement Device Guard policy for my Surface Laptop w/ Windows 10 Enterprise.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> | |
| <Rule> |
mattifestation
/ Copy-AuthenticodeSignedFile.ps1
Last active
July 5, 2024 12:43
When supplied with an Authenticode-signed PowerShell script, Copy-AuthenticodeSignedFile generates the same signed, validated file but with a different file hash.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Copy-AuthenticodeSignedFile { | |
| <# | |
| .SYNOPSIS | |
| Creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature. | |
| .DESCRIPTION | |
| Copy-AuthenticodeSignedFile creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature. This is used to bypass application whitelisting hash-based blacklist rules. |
mattifestation
/ ExtractDriversFromAuditLogs.ps1
Created
November 26, 2017 23:23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create a temp dir in which to copy the drivers to whitelist | |
| mkdir ScanMe | |
| Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -FilterXPath '*[System[EventID=3076]]' | ForEach-Object { | |
| $DriverPath = $_.Properties[1].Value | |
| # Normalize the paths | |
| switch -Wildcard ($DriverPath) { | |
| '\Device\HarddiskVolume4\*' { $DriverPath = "C:\$($DriverPath.Replace('\Device\HarddiskVolume4\', ''))" } | |
| 'System32*' { $DriverPath = "C:\Windows\$DriverPath" } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>1.0.0.0</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Audit Mode</Option> | |
| </Rule> | |
| <Rule> |
mattifestation
/ TrustedHashes.csv
Created
December 16, 2017 16:44
All catalog hashes extracted from a mounted install.wim from en_windows_10_multi-edition_vl_version_1709_updated_sept_2017_x64_dvd_100090741.iso
We can't make this file beautiful and searchable because it's too large.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Algorithm","Hash","CatalogPath","Hint" | |
| "SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", | |
| "SHA256","F5EEEC38876E48617643A9E735A30B9EC3D08D77075CD81F239A15626E3F7DD5","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", | |
| "SHA256","4BA33EC224E42FC929BA6487041C2C4275C5BCA66CD89471A09BC7F522A5661F","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", | |
| "SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", |