Matt Graeber mattifestation
mattifestation / driversipolicy.xml
Last active Oct 23, 2019
Recovered code integrity policy from %windir%\System32\CodeIntegrity\driversipolicy.p7b
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.17689.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
<BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
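The excerpt stops after the first rule option, which is the one that matters most: "Enabled:Unsigned System Integrity Policy" means the policy is not signed, so any administrator can swap it out. As an added example (not part of the gist), the PowerShell below audits a policy in this schema: it reads the rule options through the sipolicy XML namespace, flags the options that weaken enforcement, and lists Allow/Deny file rules. The sample document is constructed from the excerpt, and its FileRules block is made up purely to show the reporting. Note that recovering XML from the binary .p7b is not shown here; the built-in ConvertFrom-CIPolicy cmdlet only goes the other way, from XML to binary.

```powershell
# Added example, not from the gist: audit an SiPolicy XML of the kind recovered above.
# The sample policy is constructed from the excerpt; the FileRules block is made up
# to show how Allow/Deny rules are reported.
$SamplePolicyXml = @'
<?xml version="1.0"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.17689.0</VersionEx>
  <PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
  <BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLE" FriendlyName="constructed deny rule" FileName="example.sys" MinimumFileVersion="65535.65535.65535.65535" />
    <Allow ID="ID_ALLOW_EXAMPLE" FriendlyName="constructed allow rule" FileName="*" />
  </FileRules>
</SiPolicy>
'@

# Documented CI policy rule options whose presence weakens enforcement, and why a reviewer cares.
$WeakeningOptions = @{
    'Enabled:Unsigned System Integrity Policy' = 'policy is unsigned, so an administrator can replace or remove it'
    'Enabled:Audit Mode'                        = 'violations are logged, not blocked'
    'Enabled:Advanced Boot Options Menu'        = 'policy can be switched off from the boot menu'
    'Disabled:Script Enforcement'               = 'script host (PowerShell/WSH) enforcement is off'
}

function Get-SiPolicyAudit {
    param([Parameter(Mandatory)][string] $PolicyXml)

    $Doc = [xml] $PolicyXml
    # Every element lives in the sipolicy namespace, so XPath needs a prefix bound to it.
    $Ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $Ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

    $PolicyId = $Doc.SelectSingleNode('/si:SiPolicy/si:PolicyID', $Ns).InnerText
    $BaseId   = $Doc.SelectSingleNode('/si:SiPolicy/si:BasePolicyID', $Ns).InnerText
    $Options  = @($Doc.SelectNodes('/si:SiPolicy/si:Rules/si:Rule/si:Option', $Ns) | ForEach-Object { $_.InnerText })

    $FileRules = @($Doc.SelectNodes('/si:SiPolicy/si:FileRules/*', $Ns) | ForEach-Object {
        [pscustomobject]@{
            Action             = $_.LocalName   # Allow or Deny
            ID                 = $_.GetAttribute('ID')
            FileName           = $_.GetAttribute('FileName')
            MinimumFileVersion = $_.GetAttribute('MinimumFileVersion')
        }
    })

    [pscustomobject]@{
        PolicyID       = $PolicyId
        IsBasePolicy   = ($PolicyId -eq $BaseId)      # a supplemental policy points at a different base
        KernelModeOnly = ($Options -notcontains 'Enabled:UMCI')
        Options        = $Options
        Weaknesses     = @($Options | Where-Object { $WeakeningOptions.ContainsKey($_) } |
                           ForEach-Object { "$_ -> $($WeakeningOptions[$_])" })
        DenyRules      = @($FileRules | Where-Object Action -eq 'Deny')
        AllowRules     = @($FileRules | Where-Object Action -eq 'Allow')
    }
}

Get-SiPolicyAudit -PolicyXml $SamplePolicyXml | Format-List
```

On a recovered driversipolicy.xml the interesting outputs are Weaknesses and KernelModeOnly; the latter is expected to be true for a driver policy, and a false there would mean the policy also governs user-mode code.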
mattifestation / rundll_exports.csv
Created Oct 18, 2019
All System32 DLL export functions whose names contain "RunDLL" (matched case-insensitively), an indicator that the function is designed to be invoked through rundll32.exe
Module Function
C:\Windows\System32\advpack.dll DelNodeRunDLL32W
C:\Windows\System32\advpack.dll DelNodeRunDLL32A
C:\Windows\System32\advpack.dll DelNodeRunDLL32
C:\Windows\System32\ConnectedAccountState.dll ActionCenterRunDllW
C:\Windows\System32\cryptcatsvc.dll CatDbOfflineRebuildDatabasesRundll32W
C:\Windows\System32\cscui.dll CSCOptions_RunDLLW
C:\Windows\System32\cscui.dll CSCOptions_RunDLLA
C:\Windows\System32\cscui.dll CSCOptions_RunDLL
C:\Windows\System32\devmgr.dll DeviceProblenWizard_RunDLLW
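A practical use of this list is as a baseline for rundll32.exe command lines: an entry point that is not a RunDLL-style export of the named System32 DLL, a DLL loaded from somewhere other than System32, or an ordinal instead of a name all deserve a look. As an added example (not part of the gist), the PowerShell below embeds the rows shown above, parses the `<dll>,<entrypoint>` argument out of constructed rundll32 command lines, and reports why each one would be reviewed. The command lines are made up; on a real host load the full CSV rather than this nine-row excerpt.

```powershell
# Added example, not part of the gist. The excerpt of rundll_exports.csv above is
# embedded as the known (Module, Function) list; the command lines are constructed.
$KnownRunDllExports = @'
Module,Function
C:\Windows\System32\advpack.dll,DelNodeRunDLL32W
C:\Windows\System32\advpack.dll,DelNodeRunDLL32A
C:\Windows\System32\advpack.dll,DelNodeRunDLL32
C:\Windows\System32\ConnectedAccountState.dll,ActionCenterRunDllW
C:\Windows\System32\cryptcatsvc.dll,CatDbOfflineRebuildDatabasesRundll32W
C:\Windows\System32\cscui.dll,CSCOptions_RunDLLW
C:\Windows\System32\cscui.dll,CSCOptions_RunDLLA
C:\Windows\System32\cscui.dll,CSCOptions_RunDLL
C:\Windows\System32\devmgr.dll,DeviceProblenWizard_RunDLLW
'@ | ConvertFrom-Csv

# Index by DLL file name. Export names are kept case-sensitive because rundll32
# resolves the entry point with GetProcAddress, which is case-sensitive.
$KnownByLeaf = @{}
foreach ($Row in $KnownRunDllExports) {
    $Leaf = $Row.Module -replace '^.*\\', ''
    if (-not $KnownByLeaf.ContainsKey($Leaf)) {
        $KnownByLeaf[$Leaf] = New-Object 'System.Collections.Generic.HashSet[string]'
    }
    [void] $KnownByLeaf[$Leaf].Add($Row.Function)
}

function Test-RunDll32CommandLine {
    param([Parameter(Mandatory)][string] $CommandLine)

    # rundll32 syntax: <image> <dll>,<entrypoint> [args]. The DLL may be quoted;
    # the entry point is an export name or #ordinal.
    $Pattern = '^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"(?<DllQ>[^"]+)"|(?<Dll>[^\s,]+))\s*,\s*(?<Entry>\S+)'
    $Match = [regex]::Match($CommandLine, $Pattern, 'IgnoreCase')
    if (-not $Match.Success) {
        return [pscustomobject]@{ Verdict = 'unparsed'; Module = $null; EntryPoint = $null
            Reasons = @('no <dll>,<entrypoint> argument found'); CommandLine = $CommandLine }
    }

    $Module = if ($Match.Groups['DllQ'].Success) { $Match.Groups['DllQ'].Value } else { $Match.Groups['Dll'].Value }
    $Entry  = $Match.Groups['Entry'].Value
    $Leaf   = $Module -replace '^.*[\\/]', ''
    $Reasons = New-Object 'System.Collections.Generic.List[string]'

    if ($Module -match '^(javascript|vbscript):') {
        $Reasons.Add('script protocol handler used instead of a DLL path')
    } elseif ($Module -match '[\\/]' -and $Module -notmatch '^[A-Za-z]:\\Windows\\System32\\[^\\]+$') {
        # Assumes the standard C:\Windows layout; adjust for other system roots.
        $Reasons.Add("module loaded from outside System32: $Module")
    }

    if ($Entry.StartsWith('#')) {
        $Reasons.Add("entry point given by ordinal ($Entry); cannot be matched against export names")
    } elseif (-not $KnownByLeaf.ContainsKey($Leaf)) {
        $Reasons.Add("$Leaf has no known RunDLL-style exports")
    } elseif (-not $KnownByLeaf[$Leaf].Contains($Entry)) {
        $Reasons.Add("$Entry is not a known RunDLL-style export of $Leaf")
    }

    [pscustomobject]@{
        Verdict     = if ($Reasons.Count -eq 0) { 'expected' } else { 'review' }
        Module      = $Module
        EntryPoint  = $Entry
        Reasons     = $Reasons.ToArray()
        CommandLine = $CommandLine
    }
}

# Constructed command lines covering the expected case and the cases worth reviewing.
$SampleCommandLines = @(
    'rundll32.exe C:\Windows\System32\advpack.dll,DelNodeRunDLL32 "C:\Users\Public\old"',
    '"C:\Windows\System32\rundll32.exe" cscui.dll,CSCOptions_RunDLL',
    'rundll32.exe C:\Users\Public\advpack.dll,DelNodeRunDLL32',
    'rundll32.exe C:\Windows\System32\advpack.dll,LaunchINFSection setup.inf,DefaultInstall',
    'rundll32.exe shell32.dll,#61',
    'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert(1)'
)
$SampleCommandLines | ForEach-Object { Test-RunDll32CommandLine -CommandLine $_ } |
    Format-Table Verdict, Module, EntryPoint, Reasons -AutoSize
```

The fourth sample shows the limit of the substring heuristic: advpack.dll's LaunchINFSection is routinely run through rundll32 yet contains no "RunDLL", so it lands in the review bucket. Treat the list as a starting baseline to be extended from the host's own process-creation history, not as a complete allow-list.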
mattifestation / msobjs_event_table.ps1
Created Oct 9, 2019
Extracts msobjs.dll message table strings
$Source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public class Win32Native {
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
mattifestation / EventLogAuditing.ps1
Last active Oct 11, 2019
Example code used to automate the process of auditing event log security descriptors.
# Run the following from an elevated PowerShell session
# This hashtable will be used to store access rights granted to each group.
$PrincipalGrouping = @{}
# Enumerate all installed event logs
Get-WinEvent -ListLog * | ForEach-Object {
$LogName = $_.LogName
# Convert the security descriptor SDDL string to a security descriptor object.
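The preview stops at the SDDL conversion. As an added example (not the gist's own continuation), here is one complete version of the audit the comments describe: each log's SDDL is parsed into a RawSecurityDescriptor, every allow/deny ACE is decoded against the documented event log access mask (Read 0x1, Write 0x2, Clear 0x4), and the result is grouped by principal so you can see at a glance who can read, append to, or wipe which logs. The Security-log SDDL in the sample is constructed to resemble the Windows default so the function can be run without touching the live system; the live pipeline is shown commented out.

```powershell
# Added example, not the gist's own continuation. Run the live variant elevated.
# Bits from the documented event log access mask.
$EventLogRights = @{ 1 = 'Read'; 2 = 'Write'; 4 = 'Clear' }

function Get-EventLogAccessSummary {
    param(
        # Anything with LogName and SecurityDescriptor (SDDL) properties, e.g. Get-WinEvent -ListLog output.
        [Parameter(Mandatory, ValueFromPipeline)] $LogConfig
    )
    begin { $PrincipalGrouping = @{} }
    process {
        if (-not $LogConfig.SecurityDescriptor) { return }
        try {
            $Sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($LogConfig.SecurityDescriptor)
        } catch {
            Write-Warning "$($LogConfig.LogName): unparseable SDDL ($_)"; return
        }

        foreach ($Ace in $Sd.DiscretionaryAcl) {
            # Only plain allow/deny ACEs carry the access mask we care about.
            if ($Ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
            $Sid = $Ace.SecurityIdentifier
            try   { $Principal = $Sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $Principal = $Sid.Value }   # unresolvable SID: keep the raw value

            $Key = "$Principal|$($Ace.AceType)"
            if (-not $PrincipalGrouping.ContainsKey($Key)) {
                $PrincipalGrouping[$Key] = @{ Principal = $Principal; AceType = $Ace.AceType; Read = @(); Write = @(); Clear = @() }
            }
            $Group = $PrincipalGrouping[$Key]
            foreach ($Bit in $EventLogRights.Keys) {
                if ($Ace.AccessMask -band $Bit) { $Group[$EventLogRights[$Bit]] += $LogConfig.LogName }
            }
        }
    }
    end {
        foreach ($Entry in $PrincipalGrouping.Values) {
            [pscustomobject]@{
                Principal = $Entry.Principal
                AceType   = $Entry.AceType
                ReadLogs  = $Entry.Read.Count
                WriteLogs = $Entry.Write.Count
                ClearLogs = $Entry.Clear.Count
                CanClear  = (($Entry.Clear | Sort-Object) -join ', ')
            }
        }
    }
}

# Constructed sample resembling the default Security log descriptor: SYSTEM with
# standard rights plus Read and Clear (0xf0005), Administrators Read and Clear (0x5),
# Event Log Readers (S-1-5-32-573) Read only.
$Sample = [pscustomobject]@{
    LogName            = 'Security'
    SecurityDescriptor = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
}
$Sample | Get-EventLogAccessSummary | Format-Table -AutoSize

# Live audit of every installed log (elevated PowerShell):
# Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Get-EventLogAccessSummary |
#     Sort-Object ClearLogs, WriteLogs -Descending | Format-Table -AutoSize
```

Sort on ClearLogs and WriteLogs first: a principal that can clear a log can destroy evidence, and one that can write to it can plant misleading events, so those are the grants to question before the read grants.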
mattifestation / HowToDetectTechniqueX_Demos.ps1
Created Sep 6, 2019
Demo code from my DerbyCon talk: "How do I detect technique X in Windows?" Applied Methodology to Definitively Answer this Question
#region Attack validations
# Four ways to create a process on a remote host through WMI. Each one exercises a
# different client and transport, so a detection that only fires for one of them is incomplete.
# 1. Legacy wmic.exe (DCOM)
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe
# 2. WMI cmdlets (DCOM); -Credential with a bare user name prompts for the password
Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe
# 3. CIM cmdlets over WinRM (WS-Management)
$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession
# 4. winrm.cmd; --% stops PowerShell from parsing the remaining arguments
winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
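Those commands are the attack side of the methodology. On the detection side, all four variants end up in the same place: Win32_Process.Create is implemented by the WMI provider hosted in WmiPrvSE.exe, so the new process is a child of WmiPrvSE.exe no matter which client or transport issued the call. As an added example (not from the talk), the PowerShell below applies that observation to Sysmon Event ID 1 records: it parses the event XML, flattens the EventData fields, and reports processes whose parent is WmiPrvSE.exe. The records are constructed in the shape EventLogRecord.ToXml() produces, with made-up hostnames, users and logon IDs.

```powershell
# Added example, not from the talk. Sysmon Event ID 1 records are constructed here in
# the XML shape returned by EventLogRecord.ToXml(); host names, users and IDs are made up.
$SampleEvents = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>victim.example.local</Computer></System><EventData><Data Name="UtcTime">2019-09-06 14:02:11.001</Data><Data Name="Image">C:\Windows\System32\notepad.exe</Data><Data Name="CommandLine">notepad.exe</Data><Data Name="User">VICTIM\Administrator</Data><Data Name="LogonId">0x3c4f21</Data><Data Name="ParentImage">C:\Windows\System32\wbem\WmiPrvSE.exe</Data><Data Name="ParentCommandLine">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>victim.example.local</Computer></System><EventData><Data Name="UtcTime">2019-09-06 14:03:40.250</Data><Data Name="Image">C:\Windows\System32\notepad.exe</Data><Data Name="CommandLine">"C:\Windows\System32\notepad.exe"</Data><Data Name="User">VICTIM\alice</Data><Data Name="LogonId">0x1a2b3c</Data><Data Name="ParentImage">C:\Windows\explorer.exe</Data><Data Name="ParentCommandLine">C:\Windows\Explorer.EXE</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>victim.example.local</Computer></System><EventData><Data Name="UtcTime">2019-09-06 14:05:02.777</Data><Data Name="Image">C:\Windows\System32\cmd.exe</Data><Data Name="CommandLine">cmd.exe /c whoami</Data><Data Name="User">VICTIM\Administrator</Data><Data Name="LogonId">0x3c4f21</Data><Data Name="ParentImage">C:\Windows\System32\wbem\WmiPrvSE.exe</Data><Data Name="ParentCommandLine">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data></EventData></Event>'
)

function Get-WmiSpawnedProcess {
    param([Parameter(Mandatory, ValueFromPipeline)][string] $EventXml)

    process {
        $Doc = [xml] $EventXml
        $Ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
        $Ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

        # Only process-creation events are of interest here.
        if ($Doc.SelectSingleNode('/e:Event/e:System/e:EventID', $Ns).InnerText -ne '1') { return }

        # Flatten <Data Name="..."> elements into a hashtable for readable access.
        $Data = @{}
        foreach ($Field in $Doc.SelectNodes('/e:Event/e:EventData/e:Data', $Ns)) {
            $Data[$Field.GetAttribute('Name')] = $Field.InnerText
        }

        # Win32_Process.Create runs inside the WMI provider host, so the child's parent is
        # WmiPrvSE.exe whichever client (wmic, Invoke-WmiMethod, CIM over WinRM, winrm.cmd) made the call.
        if ($Data['ParentImage'] -notmatch '\\wbem\\WmiPrvSE\.exe$') { return }

        [pscustomobject]@{
            Computer    = $Doc.SelectSingleNode('/e:Event/e:System/e:Computer', $Ns).InnerText
            UtcTime     = $Data['UtcTime']
            User        = $Data['User']
            LogonId     = $Data['LogonId']
            Image       = $Data['Image']
            CommandLine = $Data['CommandLine']
        }
    }
}

$SampleEvents | Get-WmiSpawnedProcess | Format-Table -AutoSize

# On a live host with Sysmon installed:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object { $_.ToXml() } | Get-WmiSpawnedProcess
```

The WmiPrvSE.exe parent tells you a process was created through WMI, not that it was created remotely: local callers produce the same parent. To separate the remote case, carry the LogonId forward and correlate it with a Security 4624 event of logon type 3 (network logon) for the same session, or check Microsoft-Windows-WMI-Activity/Operational for the originating client.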
mattifestation / ExpandDefenderSig.ps1
Created Mar 28, 2019
Decompresses Windows Defender AV signatures for exploration purposes
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS
Decompresses a Windows Defender AV signature database (.VDM file).
.DESCRIPTION
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: "scrambled" databases are not currently supported, although I have yet to encounter one; all databases I've encountered so far are zlib-compressed.
mattifestation / SimpleTCGLogParser.ps1
Last active Apr 14, 2019
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
# HgsDiagnostics references Microsoft.Windows.RemoteAttestation.Core, which carries a TCG event log
# parser. Locate that assembly through the module's own reference rather than hard-coding a path.
Import-Module HgsDiagnostics
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName
# Windows writes the measured boot (TCG) logs to C:\Windows\Logs\MeasuredBoot; take the newest one.
$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)
$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
# Group the measured events by PCR index (PCR 7, for example, holds the Secure Boot policy measurements).
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex
mattifestation / WSH_approved_list.txt
Created Mar 12, 2019
Class IDs (CLSIDs) that WldpIsClassInApprovedList approves for WLDP_HOST_ID_WSH hosts (which include COM scriptlets)
041e868e-0c7d-48c6-965f-5fd576530e5b
0438c02b-eb9c-4e42-81ad-407f6cd6cde1
078b1f7d-c34c-4b13-a7c3-9663901650f1
0abb2961-2cc1-4f1d-be8e-9d330d06b77d
0d7237e6-930f-4682-ad0a-52ebffd3aee3
0d972387-817b-46e7-913f-e9993ff401eb
0e770b12-7221-4a5d-86ee-77310a5506bb
0fa57208-5100-4cd6-955c-fe69f8898973
1080a020-2b47-4da9-8095-dbc9cefffc04
10cf2e12-1681-4c53-adc0-932c84832cd8
mattifestation / ntasn1_notes.txt
Created Feb 27, 2019
Exported functions of ntasn1.dll
Ordinal Export Symbol
------- -------------
1 RtlAsn1Encode
2 RtlAsn1EncodeAndAllocate
3 RtlAsn1Decode
4 RtlAsn1DecodeAndAllocate
5 RtlAsn1GetModuleHandle
6 ASN1_FindOidInfo
7 ASN1_FindOidInfoByEoid
8 CryptEncodeObjectEx
mattifestation / Sysmon9Schema.dtd
Created Feb 20, 2019
Extracted schema from Sysmon 9.0
<!DOCTYPE Sysmon [<!ELEMENT Sysmon (EventFiltering|HashAlgorithms|DriverName|ProcessAccessConfig|CheckRevocation|PipeMonitoringConfig)*>
<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>
<!ELEMENT EventFiltering (RuleGroup|ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess|FileCreate|RegistryEvent|RegistryEvent|RegistryEvent|FileCreateStreamHash|PipeEvent|PipeEvent|WmiEvent|WmiEvent|WmiEvent)*>
<!ELEMENT RuleGroup (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess|FileCreate|RegistryEvent|RegistryEvent|RegistryEvent|FileCreateStreamHash|PipeEvent|PipeEvent|WmiEvent|WmiEvent|WmiEvent)*>
<!ATTLIST RuleGroup groupRelation (and|or) #REQUIRED>
<!ATTLIST RuleGroup name CDATA #IMPLIED>
<!ELEMENT ProcessCreate (RuleName|UtcTime|ProcessGuid|ProcessId|Image|FileVersion|Description|Product|Company|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|I