Ibrahimous
mattifestation
/ SignatureVerificationAttack.ps1
Created
September 22, 2017 16:10
Demos from my DerbyCon keynote
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Host.Runspace.LanguageMode | |
| Get-AuthenticodeSignature -FilePath C:\Demo\bypass_test.psm1 | |
| Get-AuthenticodeSignature -FilePath C:\Demo\notepad_backdoored.exe | |
| # Try to execute the script. Add-Type will fail. | |
| Import-Module C:\Demo\bypass_test.psm1 | |
| $VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' + | |
| '\OID\EncodingType 0\CryptSIPDllVerifyIndirectData' |
Neo23x0
/ config-server.xml
Last active
March 11, 2024 14:34
Sysmon Base Configuration - Windows Server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| This is a Microsoft Sysmon configuation to be used on Windows server systems | |
| v0.2.1 December 2016 | |
| Florian Roth | |
| The focus of this configuration is | |
| - hacking activity on servers / lateral movement (bad admin, attacker) | |
| It is not focussed on | |
| - malware detection (execution) | |
| - malware detection (network connections) |