Matt Graeber mattifestation

@mattifestation
mattifestation / HowToDetectTechniqueX_Demos.ps1
Created Sep 6, 2019
Demo code from my DerbyCon talk: "How do I detect technique X in Windows?" Applied Methodology to Definitively Answer this Question
View HowToDetectTechniqueX_Demos.ps1
#region Attack validations
# Four routes to Win32_Process.Create on the remote host: DCOM (wmic, Invoke-WmiMethod) and WS-Man (New-CimSession, winrm).
# Whichever route is used, notepad.exe starts on the target as a child of WmiPrvSE.exe, the provider host that services the call.
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe
Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe
$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession
# --% hands the rest of the line to winrm.cmd verbatim so PowerShell does not try to parse the @{...} argument itself
winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
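Detection counterpart to the validations above, added here as an example (it is not part of the gist). All four commands, whether they arrive over DCOM (wmic, Invoke-WmiMethod) or WS-Man (New-CimSession, winrm), are serviced by the Win32_Process provider running inside WmiPrvSE.exe, so notepad.exe shows up on the target as a child of WmiPrvSE.exe. The function below applies that rule to Sysmon Event ID 1 records (ParentImage, Image, User, CommandLine fields) and, where Sysmon is absent, to Security 4688 records (ParentProcessName, NewProcessName, SubjectDomainName/SubjectUserName; ParentProcessName is populated on Windows 10 / Server 2016 and later with Audit Process Creation enabled). The Sysmon record at the bottom is constructed, not captured.

```powershell
function Test-WmiSpawnedProcessEvent {
    # Returns a summary object when the record's parent process is WmiPrvSE.exe, nothing otherwise.
    param([Parameter(Mandatory)][string] $EventXml)

    $xml  = [xml] $EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # EventID is plain text in these records but carries a Qualifiers attribute in classic events
    $idNode = $xml.Event.System.EventID
    $id = if ($idNode -is [string]) { [int] $idNode } else { [int] $idNode.'#text' }

    switch ($id) {
        1    { $source = 'Sysmon/1';      $parent = $data['ParentImage'];       $image = $data['Image'];          $user = $data['User'] }
        4688 { $source = 'Security/4688'; $parent = $data['ParentProcessName']; $image = $data['NewProcessName']; $user = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName'] }
        default { return }
    }
    if ($parent -notlike '*\WmiPrvSE.exe') { return }

    [PSCustomObject]@{
        TimeCreated = $xml.Event.System.TimeCreated.SystemTime
        Computer    = $xml.Event.System.Computer
        Source      = $source
        User        = $user
        Image       = $image
        CommandLine = $data['CommandLine']   # 4688 only carries this when command-line auditing is on
        ParentImage = $parent
    }
}

function Get-WmiSpawnedProcess {
    # Runs the check over the local (or a remote) host's logs for the last N hours.
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $Hours = 24)
    $since   = (Get-Date).AddHours(-$Hours)
    $queries = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $since }   # needs Sysmon with ProcessCreate logging
        @{ LogName = 'Security';                             Id = 4688; StartTime = $since }   # needs Audit Process Creation
    )
    foreach ($q in $queries) {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $q -ErrorAction SilentlyContinue |
            ForEach-Object { Test-WmiSpawnedProcessEvent -EventXml $_.ToXml() }
    }
}

# Constructed Sysmon ProcessCreate record (not a real capture), shaped like what the commands above leave on the target
$sampleSysmonEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>1</EventID>
    <TimeCreated SystemTime="2019-09-06T15:04:05.000Z" />
    <Computer>target.lab.local</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe</Data>
    <Data Name="User">LAB\Administrator</Data>
    <Data Name="ParentImage">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
    <Data Name="ParentCommandLine">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
  </EventData>
</Event>
'@

# Flags the record: ParentImage is WmiPrvSE.exe
Test-WmiSpawnedProcessEvent -EventXml $sampleSysmonEvent

# Live: Get-WmiSpawnedProcess -ComputerName 169.254.37.139 -Hours 1
```

WmiPrvSE.exe is also the parent of processes started by legitimate management tooling (configuration management agents, monitoring scripts), so this rule needs a baseline of expected Image values per host rather than alerting on every hit. It also only covers the Win32_Process.Create path exercised above; other WMI abuse, such as permanent event subscriptions, leaves different artifacts.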
@mattifestation
mattifestation / ExpandDefenderSig.ps1
Created Mar 28, 2019
Decompresses Windows Defender AV signatures for exploration purposes
View ExpandDefenderSig.ps1
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS
Decompresses a Windows Defender AV signature database (.VDM file).
.DESCRIPTION
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported, although I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
@mattifestation
mattifestation / SimpleTCGLogParser.ps1
Last active Apr 14, 2019
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
View SimpleTCGLogParser.ps1
# HgsDiagnostics references Microsoft.Windows.RemoteAttestation.Core, which carries a TCG event log parser;
# load that assembly by the name the module resolves it to rather than re-implementing the format.
Import-Module HgsDiagnostics
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName
# Windows keeps its measured boot (TCG) logs under C:\Windows\Logs\MeasuredBoot; take the newest one.
$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)
$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
# One group per PCR, so it is easy to see which events extend which register.
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex
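If the HgsDiagnostics module is not installed, the same file can be parsed directly. Added example, not from the gist: a reader for the crypto-agile TCG log layout (TCG_PCR_EVENT2 records behind the "Spec ID Event03" header that TPM 2.0 systems write; SHA-1-only TCG 1.2 logs are rejected), a PCR replay that re-extends the measured digests, and a constructed three-event log used to check the replay against a by-hand computation. Assumed: the MeasuredBoot files use this layout, and replaying from all-zero PCRs matches the TPM except where a StartupLocality EV_NO_ACTION record changes PCR 0's starting value, which this reader does not model.

```powershell
function Read-TcgEventLog {
    param([Parameter(Mandatory)][byte[]] $Bytes)

    # Record 0 uses the legacy TCG_PCClientPCREvent layout: PCR(4) Type(4) SHA-1 digest(20) EventSize(4) Event
    $type    = [BitConverter]::ToUInt32($Bytes, 4)
    $hdrSize = [int][BitConverter]::ToUInt32($Bytes, 28)
    $sig     = [Text.Encoding]::ASCII.GetString($Bytes, 32, 15)
    if ($type -ne 3 -or $sig -ne 'Spec ID Event03') { throw 'Not a crypto-agile (Spec ID Event03) TCG log' }

    # TCG_EfiSpecIdEvent: numberOfAlgorithms at +24, then {algId(2), digestSize(2)} pairs from +28
    $algCount    = [int][BitConverter]::ToUInt32($Bytes, 32 + 24)
    $digestSizes = @{}
    for ($i = 0; $i -lt $algCount; $i++) {
        $o     = 32 + 28 + 4 * $i
        $algId = [int][BitConverter]::ToUInt16($Bytes, $o)
        $digestSizes[$algId] = [int][BitConverter]::ToUInt16($Bytes, $o + 2)
    }

    $pos = 32 + $hdrSize
    while ($pos -lt $Bytes.Length) {
        # TCG_PCR_EVENT2: PCR(4) Type(4) DigestCount(4) {AlgId(2) Digest(n)}* EventSize(4) Event
        $pcr   = [int][BitConverter]::ToUInt32($Bytes, $pos)
        $etype = [BitConverter]::ToUInt32($Bytes, $pos + 4)
        $count = [int][BitConverter]::ToUInt32($Bytes, $pos + 8)
        $pos  += 12
        $digests = @{}
        for ($i = 0; $i -lt $count; $i++) {
            $algId = [int][BitConverter]::ToUInt16($Bytes, $pos)
            if (-not $digestSizes.ContainsKey($algId)) { throw ('Algorithm 0x{0:x4} at offset {1} was not announced in the header' -f $algId, $pos) }
            $size = $digestSizes[$algId]
            $digests[$algId] = [byte[]] $Bytes[($pos + 2)..($pos + 1 + $size)]
            $pos += 2 + $size
        }
        $eventSize = [int][BitConverter]::ToUInt32($Bytes, $pos)
        $pos += 4
        if ($pos + $eventSize -gt $Bytes.Length) { throw "Truncated event data at offset $pos" }
        $eventData = if ($eventSize) { [byte[]] $Bytes[$pos..($pos + $eventSize - 1)] } else { [byte[]] @() }
        $pos += $eventSize
        [PSCustomObject]@{ PcrIndex = $pcr; EventType = $etype; Digests = $digests; EventData = $eventData }
    }
}

function Get-TcgPcrReplay {
    # Re-extends each measured record, PCR[n] = H(PCR[n] || digest), from all-zero PCRs.
    # EV_NO_ACTION (type 3) records are informational and never extended.
    param([Parameter(Mandatory)][object[]] $Events, [int] $AlgorithmId = 0x0B)   # TPM_ALG_SHA1 = 0x04, TPM_ALG_SHA256 = 0x0B
    $hasher = switch ($AlgorithmId) {
        0x04    { [Security.Cryptography.SHA1]::Create() }
        0x0B    { [Security.Cryptography.SHA256]::Create() }
        default { throw ('Unsupported digest algorithm 0x{0:x4}' -f $AlgorithmId) }
    }
    $pcrs = @{}
    foreach ($e in $Events) {
        if ($e.EventType -eq 3 -or -not $e.Digests.ContainsKey($AlgorithmId)) { continue }
        if (-not $pcrs.ContainsKey($e.PcrIndex)) { $pcrs[$e.PcrIndex] = New-Object byte[] ($hasher.HashSize / 8) }
        $pcrs[$e.PcrIndex] = $hasher.ComputeHash([byte[]] ($pcrs[$e.PcrIndex] + $e.Digests[$AlgorithmId]))
    }
    $pcrs
}

function New-SampleTcgLog {
    # Constructed log (not a real capture): SHA-256-only header, two measurements into PCR 0, one into PCR 7
    $sha256 = [Security.Cryptography.SHA256]::Create()
    $u32    = { param([uint32] $v) [BitConverter]::GetBytes($v) }
    $u16    = { param([uint16] $v) [BitConverter]::GetBytes($v) }
    # TCG_EfiSpecIdEvent: NUL-terminated signature, platformClass 0, minor 0, major 2, errata 0, uintnSize 2, one algorithm (SHA-256, 32 bytes), no vendor info
    $specId = [byte[]] ([Text.Encoding]::ASCII.GetBytes('Spec ID Event03') + 0 + (& $u32 0) + 0 + 2 + 0 + 2 + (& $u32 1) + (& $u16 0x0B) + (& $u16 32) + 0)
    $log    = New-Object System.Collections.Generic.List[byte]
    $log.AddRange([byte[]] ((& $u32 0) + (& $u32 3) + (New-Object byte[] 20) + (& $u32 $specId.Length) + $specId))
    $measurements = @{ Pcr = 0; Type = 0x08; Data = 'CRTM 1.0' }, @{ Pcr = 0; Type = 0x01; Data = 'POST' }, @{ Pcr = 7; Type = 0x80000001; Data = 'SecureBoot' }
    foreach ($m in $measurements) {
        $data   = [Text.Encoding]::ASCII.GetBytes($m.Data)
        $digest = $sha256.ComputeHash($data)
        $log.AddRange([byte[]] ((& $u32 $m.Pcr) + (& $u32 $m.Type) + (& $u32 1) + (& $u16 0x0B) + $digest + (& $u32 $data.Length) + $data))
    }
    $log.ToArray()
}

function Test-SampleReplay {
    # Parses and replays the constructed log, then checks PCR 0 against SHA256(SHA256(0^32 || d1) || d2) computed by hand
    $sha256 = [Security.Cryptography.SHA256]::Create()
    $events = @(Read-TcgEventLog -Bytes (New-SampleTcgLog))
    $pcrs   = Get-TcgPcrReplay -Events $events
    $d1     = $sha256.ComputeHash([Text.Encoding]::ASCII.GetBytes('CRTM 1.0'))
    $d2     = $sha256.ComputeHash([Text.Encoding]::ASCII.GetBytes('POST'))
    $expect = $sha256.ComputeHash([byte[]] ($sha256.ComputeHash([byte[]] ((New-Object byte[] 32) + $d1)) + $d2))
    ($events.Count -eq 3) -and $pcrs.ContainsKey(7) -and ([BitConverter]::ToString($pcrs[0]) -eq [BitConverter]::ToString($expect))
}
Test-SampleReplay

# On a real machine, same file selection as the HgsDiagnostics version above, then a replay to compare with reported PCRs:
#   $newest = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object LastWriteTime -Descending | Select-Object -First 1
#   $events = Read-TcgEventLog -Bytes ([IO.File]::ReadAllBytes($newest.FullName))
#   $events | Group-Object PcrIndex | Select-Object Name, Count
#   (Get-TcgPcrReplay -Events $events).GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,2}: {1}' -f $_.Name, ([BitConverter]::ToString($_.Value) -replace '-') }
```

Test-SampleReplay returns $true when the parsed event count and the replayed PCR 0 agree with the hand computation. The replay is the part that matters for attestation: a log that parses cleanly but whose replayed PCRs do not match the values the TPM reports has been truncated or tampered with. Digest sizes come from the header's algorithm table rather than being hard-coded, so a log that announces SHA-1 and SHA-256 both parses, and Get-TcgPcrReplay can be run once per algorithm.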
@mattifestation
mattifestation / WSH_approved_list.txt
Created Mar 12, 2019
CLSIDs that WldpIsClassInApprovedList reports as approved for WLDP_HOST_ID_WSH hosts (which includes COM scriptlets), i.e. the COM classes Windows Script Host is still allowed to instantiate while a WDAC/UMCI policy is enforced
View WSH_approved_list.txt
041e868e-0c7d-48c6-965f-5fd576530e5b
0438c02b-eb9c-4e42-81ad-407f6cd6cde1
078b1f7d-c34c-4b13-a7c3-9663901650f1
0abb2961-2cc1-4f1d-be8e-9d330d06b77d
0d7237e6-930f-4682-ad0a-52ebffd3aee3
0d972387-817b-46e7-913f-e9993ff401eb
0e770b12-7221-4a5d-86ee-77310a5506bb
0fa57208-5100-4cd6-955c-fe69f8898973
1080a020-2b47-4da9-8095-dbc9cefffc04
10cf2e12-1681-4c53-adc0-932c84832cd8
@mattifestation
mattifestation / ntasn1_notes.txt
Created Feb 27, 2019
Exported functions of ntasn1.dll
View ntasn1_notes.txt
Ordinal Export Symbol
------- -------------
1 RtlAsn1Encode
2 RtlAsn1EncodeAndAllocate
3 RtlAsn1Decode
4 RtlAsn1DecodeAndAllocate
5 RtlAsn1GetModuleHandle
6 ASN1_FindOidInfo
7 ASN1_FindOidInfoByEoid
8 CryptEncodeObjectEx
@mattifestation
mattifestation / Sysmon9Schema.dtd
Created Feb 20, 2019
Extracted schema from Sysmon 9.0
View Sysmon9Schema.dtd
<!DOCTYPE Sysmon [<!ELEMENT Sysmon (EventFiltering|HashAlgorithms|DriverName|ProcessAccessConfig|CheckRevocation|PipeMonitoringConfig)*>
<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>
<!ELEMENT EventFiltering (RuleGroup|ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess|FileCreate|RegistryEvent|RegistryEvent|RegistryEvent|FileCreateStreamHash|PipeEvent|PipeEvent|WmiEvent|WmiEvent|WmiEvent)*>
<!ELEMENT RuleGroup (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess|FileCreate|RegistryEvent|RegistryEvent|RegistryEvent|FileCreateStreamHash|PipeEvent|PipeEvent|WmiEvent|WmiEvent|WmiEvent)*>
<!ATTLIST RuleGroup groupRelation (and|or) #REQUIRED>
<!ATTLIST RuleGroup name CDATA #IMPLIED>
<!ELEMENT ProcessCreate (RuleName|UtcTime|ProcessGuid|ProcessId|Image|FileVersion|Description|Product|Company|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|I
View Microsoft-Windows-WER-Diag.manifest.xml
<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
<instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
<events>
<provider name="Microsoft-Windows-WER-Diag" guid="{ad8aa069-a01b-40a0-ba40-948d1d8dedc5}" resourceFileName="Microsoft-Windows-WER-Diag" messageFileName="Microsoft-Windows-WER-Diag" symbol="MicrosoftWindowsWERDiag" source="Xml" >
<keywords>
</keywords>
<tasks>
<task name="task_0" message="$(string.task_task_0)" value="0"/>
</tasks>
<events>
View PSProcmon.psm1
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
CloseKey = 0x00000001
QuerySecurityKey = 0x00000002
SetSecurityKey = 0x00000004
EnumerateValueKey = 0x00000010
QueryMultipleValueKey = 0x00000020
SetInformationKey = 0x00000040
FlushKey = 0x00000080
View WDAC_PolicyIDs.txt
PolicyIndex: 1
PolicyTypeID: a244370e-44c9-4c06-b551-f6016e563076
PolicyPath: System32\CodeIntegrity\SiPolicy.p7b
PolicyIndex: 2
PolicyTypeID: 2a5a0136-f09f-498e-99cc-51099011157c
PolicyPath: System32\CodeIntegrity\RvkSiPolicy.p7b
PolicyIndex: 3
PolicyTypeID: 976d12c8-cb9f-4730-be52-54600843238e
View process_image_logging.ps1
# These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process
$WINEVENT_KEYWORD_PROCESS = 0x10
$WINEVENT_KEYWORD_IMAGE = 0x40
# Normally when you enable an analytic log, all keywords are logged which can be veeeeerrrrryy noisy.
# I'm going to limit collection to only image and process events
$KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic'
$KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE)
$KernelProcessLog.ProviderLevel = 0xFF
$KernelProcessLog.IsEnabled = $true
# The keyword mask, level and enabled state are only written back (and collection only starts) on SaveChanges(); this needs an elevated prompt.
$KernelProcessLog.SaveChanges()
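Generalization of the keyword-mask idea in the Kernel-Registry enum and the Kernel-Process snippet above, which both copy values out of logman output. Added as an example, not from the gist: it resolves keyword names through System.Diagnostics.Eventing.Reader.ProviderMetadata (which exposes the same keyword table logman prints), enables the analytic log with the resulting mask, reads the log back (analytic and debug channels can only be read with -Oldest), and turns it off again. It assumes the log's OwningProviderName is the provider that defines the keywords and that the keyword names match what logman prints (for Kernel-Process, WINEVENT_KEYWORD_PROCESS and WINEVENT_KEYWORD_IMAGE, as in the variable names above).

```powershell
function Enable-AnalyticLogForKeyword {
    # Looks keyword names up in the owning provider's metadata, ORs their values into a mask and enables the log with it.
    param(
        [Parameter(Mandatory)][string]   $LogName,
        [Parameter(Mandatory)][string[]] $KeywordName,
        [int] $Level = 0xFF
    )
    $config   = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList $LogName
    $provider = New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $config.OwningProviderName
    try {
        $known = @{}
        foreach ($k in $provider.Keywords) { if ($k.Name) { $known[$k.Name] = $k.Value } }
    } finally { $provider.Dispose() }

    [long] $mask = 0
    foreach ($name in $KeywordName) {
        if (-not $known.ContainsKey($name)) {
            throw ("Provider {0} has no keyword '{1}'. Known keywords: {2}" -f $config.OwningProviderName, $name, ($known.Keys -join ', '))
        }
        $mask = $mask -bor $known[$name]
    }

    $config.ProviderKeywords = $mask
    $config.ProviderLevel    = $Level
    $config.IsEnabled        = $true
    $config.SaveChanges()     # nothing changes until SaveChanges(); needs an elevated prompt
    '0x{0:x}' -f $mask
}

function Read-AnalyticLog {
    # Analytic/Debug channels can only be read forward from the oldest record; Get-WinEvent refuses them without -Oldest.
    param([Parameter(Mandatory)][string] $LogName)
    Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Keywords    = '0x{0:x}' -f $_.Keywords
            ProcessId   = $_.ProcessId
            Data        = $data
        }
    }
}

function Disable-AnalyticLog {
    param([Parameter(Mandatory)][string] $LogName)
    $config = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList $LogName
    $config.IsEnabled = $false
    $config.SaveChanges()
}

# Usage (elevated), reproducing the selection above without hard-coding 0x10 and 0x40:
#   Enable-AnalyticLogForKeyword -LogName 'Microsoft-Windows-Kernel-Process/Analytic' -KeywordName WINEVENT_KEYWORD_PROCESS, WINEVENT_KEYWORD_IMAGE
#   Start-Process notepad.exe; Start-Sleep -Seconds 2
#   Read-AnalyticLog -LogName 'Microsoft-Windows-Kernel-Process/Analytic' | Group-Object Id | Select-Object Name, Count
#   Disable-AnalyticLog -LogName 'Microsoft-Windows-Kernel-Process/Analytic'
```

Resolving keywords by name also catches the mistake the hard-coded version cannot: a misspelled or renamed keyword throws with the provider's actual keyword list instead of silently enabling the wrong mask. Leave the log enabled only for the window you need; an analytic channel with a broad mask fills quickly.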