Matt Graeber mattifestation

## driversipolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.17689.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
  <BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>

## rundll_exports.csv

          
            Module
            Function

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32W

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32A

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32

            
              C:\Windows\System32\ConnectedAccountState.dll
              ActionCenterRunDllW

            
              C:\Windows\System32\cryptcatsvc.dll
              CatDbOfflineRebuildDatabasesRundll32W

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLLW

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLLA

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLL

            
              C:\Windows\System32\devmgr.dll
              DeviceProblenWizard_RunDLLW

## msobjs_event_table.ps1
$Source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public class Win32Native {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)]

## EventLogAuditing.ps1
# Run the following from an elevated PowerShell session

# This hashtable will be used to store access rights granted to each group.
$PrincipalGrouping = @{}

# Enumerate all installed event logs
Get-WinEvent -ListLog * | ForEach-Object {
    $LogName = $_.LogName

    # Convert the security descriptor SDDL string to a security descriptor object.

## HowToDetectTechniqueX_Demos.ps1
#region Attack validations
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe

Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe

$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession

winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword

## ExpandDefenderSig.ps1
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS

Decompresses a Windows Defender AV signature database (.VDM file).

.DESCRIPTION

Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.

## SimpleTCGLogParser.ps1
Import-Module HgsDiagnostics
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName

$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)

$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex

## WSH_approved_list.txt
041e868e-0c7d-48c6-965f-5fd576530e5b
0438c02b-eb9c-4e42-81ad-407f6cd6cde1
078b1f7d-c34c-4b13-a7c3-9663901650f1
0abb2961-2cc1-4f1d-be8e-9d330d06b77d
0d7237e6-930f-4682-ad0a-52ebffd3aee3
0d972387-817b-46e7-913f-e9993ff401eb
0e770b12-7221-4a5d-86ee-77310a5506bb
0fa57208-5100-4cd6-955c-fe69f8898973
1080a020-2b47-4da9-8095-dbc9cefffc04
10cf2e12-1681-4c53-adc0-932c84832cd8

## ntasn1_notes.txt
Ordinal Export Symbol
------- -------------
1       RtlAsn1Encode
2       RtlAsn1EncodeAndAllocate
3       RtlAsn1Decode
4       RtlAsn1DecodeAndAllocate
5       RtlAsn1GetModuleHandle
6       ASN1_FindOidInfo
7       ASN1_FindOidInfoByEoid
8       CryptEncodeObjectEx

## Sysmon9Schema.dtd
<!DOCTYPE Sysmon [<!ELEMENT Sysmon (EventFiltering|HashAlgorithms|DriverName|ProcessAccessConfig|CheckRevocation|PipeMonitoringConfig)*>
<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>
<!ELEMENT EventFiltering (RuleGroup|ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess|FileCreate|RegistryEvent|RegistryEvent|RegistryEvent|FileCreateStreamHash|PipeEvent|PipeEvent|WmiEvent|WmiEvent|WmiEvent)*>
<!ELEMENT RuleGroup (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess|FileCreate|RegistryEvent|RegistryEvent|RegistryEvent|FileCreateStreamHash|PipeEvent|PipeEvent|WmiEvent|WmiEvent|WmiEvent)*>
<!ATTLIST RuleGroup groupRelation (and|or) #REQUIRED>
<!ATTLIST RuleGroup name CDATA #IMPLIED>
<!ELEMENT ProcessCreate (RuleName|UtcTime|ProcessGuid|ProcessId|Image|FileVersion|Description|Product|Company|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|I