Matt Graeber mattifestation
mattifestation
/ driversipolicy.xml
Last active
March 9, 2020 22:33
Recovered code integrity policy from %windir%\System32\CodeIntegrity\driversipolicy.p7b
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.17689.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID> | |
| <BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> |
mattifestation
/ rundll_exports.csv
Created
October 18, 2019 13:48
All System32 DLL export functions that contain "RunDLL", an indicator that it's designed to run with rundll32.exe
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Module | Function | |
|---|---|---|
| C:\Windows\System32\advpack.dll | DelNodeRunDLL32W | |
| C:\Windows\System32\advpack.dll | DelNodeRunDLL32A | |
| C:\Windows\System32\advpack.dll | DelNodeRunDLL32 | |
| C:\Windows\System32\ConnectedAccountState.dll | ActionCenterRunDllW | |
| C:\Windows\System32\cryptcatsvc.dll | CatDbOfflineRebuildDatabasesRundll32W | |
| C:\Windows\System32\cscui.dll | CSCOptions_RunDLLW | |
| C:\Windows\System32\cscui.dll | CSCOptions_RunDLLA | |
| C:\Windows\System32\cscui.dll | CSCOptions_RunDLL | |
| C:\Windows\System32\devmgr.dll | DeviceProblenWizard_RunDLLW |
mattifestation
/ msobjs_event_table.ps1
Created
October 9, 2019 21:22
Extracts msobjs.dll message table strings
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Source = @' | |
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| public class Win32Native { | |
| [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] | |
| public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags); | |
| [DllImport("kernel32.dll", CharSet = CharSet.Unicode)] |
mattifestation
/ EventLogAuditing.ps1
Last active
January 18, 2024 17:37
Example code used to automate the process of auditing event log security descriptors.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Run the following from an elevated PowerShell session | |
| # This hashtable will be used to store access rights granted to each group. | |
| $PrincipalGrouping = @{} | |
| # Enumerate all installed event logs | |
| Get-WinEvent -ListLog * | ForEach-Object { | |
| $LogName = $_.LogName | |
| # Convert the security descriptor SDDL string to a security descriptor object. |
mattifestation
/ HowToDetectTechniqueX_Demos.ps1
Created
September 6, 2019 22:03
Demo code from my DerbyCon talk: "How do I detect technique X in Windows?" Applied Methodology to Definitively Answer this Question
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region Attack validations | |
| wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe | |
| Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe | |
| $CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator | |
| Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' } | |
| $CimSession | Remove-CimSession | |
| winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword |
mattifestation
/ ExpandDefenderSig.ps1
Created
March 28, 2019 20:17
Decompresses Windows Defender AV signatures for exploration purposes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter Expand-DefenderAVSignatureDB { | |
| <# | |
| .SYNOPSIS | |
| Decompresses a Windows Defender AV signature database (.VDM file). | |
| .DESCRIPTION | |
| Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed. |
mattifestation
/ SimpleTCGLogParser.ps1
Last active
April 14, 2019 01:43
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Import-Module HgsDiagnostics | |
| $GetHgsTrace = Get-Command Get-HgsTrace | |
| $RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' } | |
| Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName | |
| $MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName | |
| $LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog) | |
| $ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes) | |
| $ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex |
mattifestation
/ PSProcmon.psm1
Last active
May 9, 2023 20:36
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry | |
| [Flags()] | |
| enum RegistryOptions { | |
| CloseKey = 0x00000001 | |
| QuerySecurityKey = 0x00000002 | |
| SetSecurityKey = 0x00000004 | |
| EnumerateValueKey = 0x00000010 | |
| QueryMultipleValueKey = 0x00000020 | |
| SetInformationKey = 0x00000040 | |
| FlushKey = 0x00000080 |
mattifestation
/ WDAC_PolicyIDs.txt
Created
February 1, 2019 15:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PolicyIndex: 1 | |
| PolicyTypeID: a244370e-44c9-4c06-b551-f6016e563076 | |
| PolicyPath: System32\CodeIntegrity\SiPolicy.p7b | |
| PolicyIndex: 2 | |
| PolicyTypeID: 2a5a0136-f09f-498e-99cc-51099011157c | |
| PolicyPath: System32\CodeIntegrity\RvkSiPolicy.p7b | |
| PolicyIndex: 3 | |
| PolicyTypeID: 976d12c8-cb9f-4730-be52-54600843238e |
mattifestation
/ process_image_logging.ps1
Created
January 31, 2019 17:52
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process | |
| $WINEVENT_KEYWORD_PROCESS = 0x10 | |
| $WINEVENT_KEYWORD_IMAGE = 0x40 | |
| # Normally when you enable an analytic log, all keywords are logged which can be veeeeerrrrryy noisy. | |
| # I'm going to limit collection to only image and process event | |
| $KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic' | |
| $KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE) | |
| $KernelProcessLog.ProviderLevel = 0xFF | |
| $KernelProcessLog.IsEnabled = $true |