mgraeber-rc’s gists

mgraeber-rc / AMSITools.psm1

Created November 10, 2021 18:41

Get-AMSIEvent and Send-AmsiContent are helper functions used to validate AMSI ETW events. Note: because this script contains the word AMSI, it will flag most AV engines. Add an exception on a test system accordingly in order to get this to work.

	filter Send-AmsiContent {
	<#
	.SYNOPSIS

	Supplies the AmsiScanBuffer function with a buffer to be scanned by an AMSI provider.

	Author: Matt Graeber
	Company: Red Canary

	.DESCRIPTION

mgraeber-rc / GetAMSIEvent.ps1

Created October 8, 2021 20:53

A simple AMSI event trace parser

	# Author: Matt Graeber
	# Company: Red Canary

	# To start a trace, run the following from an elevated command prompt: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
	# To stop the trace, run the following: logman stop AMSITrace -ets

	# Example usage: Get-AMSIEvent -Path .\AMSITrace.etl

	function Get-AMSIEvent {
	param (

mgraeber-rc / gist:bfc80007cb8816d029ff116928a76e76

Created September 2, 2021 14:52

Extensions scrutinized by the AssocIsDangerous

	.ade
	.adp
	.app
	.asp
	.bas
	.bat
	.cer
	.chm
	.cmd
	.cnt

mgraeber-rc / AllowAllRuleAdded.xml

Created August 31, 2021 14:48

Resulting driver deny policy resulting from a few tweaks of Microsoft's supplied policy

	<?xml version="1.0" encoding="utf-8"?>
	<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.0.0</VersionEx>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>
	<Rule>
	<Option>Enabled:Audit Mode</Option>

mgraeber-rc / MDE_AppControl_KQL.txt

Created July 30, 2021 16:06

Example query to join AppControlCodeIntegrityPolicy MDE events with AppControlCodeIntegritySigningInformation events. The queries are semi-duplicative to address the way hashes are presented in an unintuitive fashion.

	DeviceEvents
	\| where ActionType startswith "AppControlCodeIntegrityPolicy"
	\| extend Hash = SHA1
	\| join kind = inner (
	DeviceEvents
	\| where ActionType == "AppControlCodeIntegritySigningInformation"
	\| extend VerificationError = extractjson("$.VerificationError", AdditionalFields, typeof(string))
	\| where VerificationError == "Explicitly denied by WDAC policy"
	\| extend PublisherName = extractjson("$.PublisherName", AdditionalFields, typeof(string))
	\| extend PublisherTBSHash = extractjson("$.PublisherTBSHash", AdditionalFields, typeof(string))

mgraeber-rc / GenerateWHQLDriverRules.ps1

Created July 27, 2021 17:23

	# Create a scratch directory as the destination for drivers that would have failed to load due to WHQL enforcement.
	mkdir Drivers

	# After a reboot, list all drivers that would have failed WHQL enforcement - i.e. event ID 3082 events
	Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3082 } \| ForEach-Object { "C:$($_.Properties[1].Value)" } \| Sort-Object -Unique \| Get-ChildItem \| Copy-Item -Destination .\Drivers\

	# Get signer information for all the affected drivers
	$DriverSigners = Get-SystemDriver -ScanPath .\Drivers\ -NoScript -NoShadowCopy

	# Build a WHQLPublisher allow rule for the WHQL signed drivers that will only allow WHQL-signed drivers issued to a specific vendor.

mgraeber-rc / DefaultWindows_Audit.xml

Last active July 29, 2021 00:41

Modified default window-only audit WDAC with WHQL rules removed

	<?xml version="1.0" encoding="utf-8"?>
	<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.1.0</VersionEx>
	<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
	<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>

mgraeber-rc / SimulateInternetZoneTest.ps1

Created May 28, 2021 16:57

Example highlighting why attackers likely choose ISO/IMG as a delivery mechanism - it evades SmartScreen because Mark-of-the-Web (MOTW) cannot be applied to non NTFS volumes

	Add-Type -OutputAssembly hello.exe -TypeDefinition @'
	using System;

	public class Hello {
	public static void Main(string[] Args) {
	System.Console.WriteLine("Hello, world!");
	System.Console.Read();
	}
	}
	'@

mgraeber-rc / EventDiff.ps1

Created May 28, 2021 14:45

Display only new event log events - I refer to this as event log differential analysis

	# Log the time prior to executing the action.
	# This will be used as parth of an event log XPath filter.
	$DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)

	# Do the thing now that you want to see potential relevant events surface...
	$null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly

	# Allow a moment to allow events to populate
	Start-Sleep -Seconds 5

mgraeber-rc / Windows_Application_Control_Mitigation_Coverage.json

Created May 27, 2021 13:44

MITRE ATT&CK Navigator Layer - Windows Application Control Mitigation Coverage: Techniques on Windows endpoints that would be prevented, mitigated, or detected by the enforcement of an application control/application allowlisting solution.

	{
	"name": "Windows Application Control Mitigation Coverage",
	"versions": {
	"attack": "9",
	"navigator": "4.3",
	"layer": "4.2"
	},
	"domain": "enterprise-attack",
	"description": "Techniques on Windows endpoints that would be prevented, mitigated, or detected by the enforcement of an application control/application allowlisting solution.\n\nAuthor: Matt Graeber, Red Canary",
	"filters": {

Matt Graeber mgraeber-rc