Matt Graeber mattifestation
mattifestation
/ GetCatalogHashes.ps1
Created
December 16, 2017 16:48
Sample code used to extract catalog hashes from a mounted Windows image
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://github.com/mattifestation/CatalogTools | |
| Import-Module CatalogTools | |
| # install.wim was mounted to C:\Mount with Mount-WindowsImage | |
| $SystemCatalogEntries = ls -Path C:\Mount -Include '*.cat' -Recurse | % { | |
| $CatalogInfo = Get-CatalogFile -Path $_.FullName | |
| $FilePath = 'C:' + $CatalogInfo.FilePath.Path.Substring(8) | |
| $CatalogInfo.CatalogMembers | ? { $_.HashInfo.Algorithm -and $_.HashInfo.FileHash } | % { | |
| $Hint = $null |
mattifestation
/ CertificateCloning.ps1
Created
December 18, 2017 00:53
The steps required to clone a legitimate certificate chain and sign code with it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # We'll just store the cloned certificates in current user "Personal" store for now. | |
| $CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' } | |
| $MS_Root_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Root.cer | |
| $Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation | |
| $MS_PCA_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32PCA.cer | |
| $Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation | |
| $MS_Leaf_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Leaf.cer |
mattifestation
/ RemoteCertTrust.ps1
Created
December 20, 2017 14:41
An example weaponization of trusting a cloned MSFT root CA certificate by installing directly into the registry
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $CertThumbprint = '1F3D38F280635F275BE92B87CF83E40E40458400' | |
| $EncodedCertBlob = 'BAAAAAEAAAAQAAAAgaT+C9ETBIfHkH5Zi2eoqw8AAAABAAAAIAAAAK7pIm4Ori+vdX436CAjk55T8gJEI7WBW1muIpb8dcC8FAAAAAEAAAAUAAAAAIZxjuuFqSJSqIzGDU9d5gKzHTAZAAAAAQAAABAAAADSxnNDC24NyPBSKJlFvtVeAwAAAAEAAAAUAAAAHz048oBjXydb6SuHz4PkDkBFhABcAAAAAQAAAAQAAAAAEAAAWQAAAAEAAAAWAAAAUgBTAEEALwBTAEgAQQAyADUANgAAACAAAAABAAAA3wUAADCCBdswggPDoAMCAQICEFJ2FzbupEWBQkU+LXP6ibIwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTE3MTIwMTIxNTUxNFoXDTQyMTIwMTA1MDYzN1owgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzSRYTzEnnwmvABZcLTj5H+xw1ulaHN2DJGwwKt77hrM8BcsJ/AdVY7EAf0QGqvV94QuDf5ENxihl59E6WMT5O5SRHcCQweVs0PHMhlw3qbEx7iiUr7HusyUiOA6 |
mattifestation
/ RootCAInstallationDetection.xml
Last active
December 22, 2017 15:27
A sample Sysmon config to detect root CA installation in both the LocalMachine and CurrentUser contexts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="3.4"> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. --> | |
| <RegistryEvent onmatch="include"> | |
| <!-- LocalMachine or CurrentUser ROOT certificate installation --> | |
| <!-- Reference: https://technet.microsoft.com/en-us/library/cc783813(v=ws.10).aspx --> | |
| <TargetObject condition="contains">\Software\Microsoft\SystemCertificates\Root\Certificates\</TargetObject> | |
| <TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\</TargetObject> | |
| <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</TargetObject> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # http://www.bouncycastle.org/csharp/ | |
| $BouncyCastlePath = 'Path\To\BouncyCastle.Crypto.dll' | |
| $BouncyCastle = Add-Type -Path $BouncyCastlePath -PassThru | |
| function Get-TrustedRootCertificateHash { | |
| [OutputType([String])] | |
| [CmdletBinding()] | |
| param ( | |
| [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] |
mattifestation
/ EmptyConfig.xml
Created
January 17, 2018 19:34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4fuckyou"> | |
| <HashAlgorithms>md5,sha1</HashAlgorithms> | |
| <EventFiltering> | |
| <ProcessCreate onmatch="include"> | |
| </ProcessCreate> | |
| <FileCreateTime onmatch="include"> | |
| </FileCreateTime> | |
| <NetworkConnect onmatch="include"> | |
| </NetworkConnect> | |
| <ProcessTerminate onmatch="include"> |
mattifestation
/ CustomASRRuleGenerator.ps1
Created
January 25, 2018 09:01
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ScrObjBlockRule = New-CIPolicyRule -DriverFilePath $Env:windir\System32\scrobj.dll -Level FileName -Deny -AppID $Env:windir\System32\regsvr32.exe | |
| # Merge the block rule into the allow all template rule included in the OS | |
| Merge-CIPolicy -OutputFilePath CustomASRPolicy.xml -PolicyPaths $Env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -Rules $ScrObjBlockRule | |
| # This must be run elevated. Convert the policy to binary form and copy it to where WDAC will consume it. | |
| ConvertFrom-CIPolicy -XmlFilePath .\CustomASRPolicy.xml -BinaryFilePath $Env:windir\System32\CodeIntegrity\SIPolicy.p7b | |
| # Now reboot and the policy will take effect. |
mattifestation
/ CustomASRPolicy.xml
Created
January 25, 2018 09:04
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> | |
| <Rule> |
mattifestation
/ WmiEventConsumerClassDerivation.ps1
Last active
November 15, 2023 18:21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function New-ActiveScriptEventConsumerClass { | |
| <# | |
| .SYNOPSIS | |
| Creates an ActiveScriptEventConsumer WMI class in the namespace of your choosing. | |
| .DESCRIPTION | |
| New-ActiveScriptEventConsumerClass creates a clone of the ActiveScriptEventConsumer WMI event consumer class using the class name and namespace name of your choosing. |
mattifestation
/ CILStreamObfuscation.ps1
Created
March 1, 2018 20:18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ${🤷} = New-Object Reflection.Emit.DynamicMethod('💩', [UInt32], @([UInt32], [UInt32])) | |
| ${🤔} = ${🤷}.GetILGenerator() | |
| @(@(2, 275120805),@(3, 275120805),@(88, -261739867),@(42, 23440101)) | % { | |
| ${🤔}.Emit([Activator]::CreateInstance([System.Reflection.Emit.OpCode], [Reflection.BindingFlags] 'NonPublic, Instance', $null, @(($_[0] -as [System.Reflection.Emit.OpCode].Assembly.GetType('System.Reflection.Emit.OpCodeValues')), $_[1]), $null)) | |
| } | |
| ${💩} = ${🤷}.CreateDelegate([Func``3[UInt32, UInt32, UInt32]]) | |
| ${💩}.Invoke(2,3) |