Skip to content

Instantly share code, notes, and snippets.

Matt Graeber mattifestation

Block or report user

Report or block mattifestation

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
mattifestation /
Created Apr 21, 2020
Twitch Stream Notes 04/21/2020 - Obfuscated Script-based Malware Analysis with the Anti-Malware Scan Interface (AMSI)
mattifestation / profile.ps1
Created Mar 28, 2020
PowerShell profile to add some functionality for Windows Terminal
View profile.ps1
# Personal preference. I like landing on the Desktop
Set-Location $Env:USERPROFILE\Desktop
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
# If the current session is elevated, prefix the prompt with '[Admin]'
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Set-Item -Path Function:\prompt -Value "`"[Admin] PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) `""
mattifestation / GetECCSignedFiles.ps1
Created Jan 17, 2020
Retrieves any files that were signed where any cert in the chain uses an ECDSA signature algorithm.
View GetECCSignedFiles.ps1
# This script requires Win 10 Enterprise to run Get-SystemDriver, unfortunately.
# Note: Get-SystemDriver will take a long time if it has a lot of files and folders to recurse through.
$ScanPath = 'C:\Windows'
# All supported ECC signatures algorithms according to wincrypt.h in the SDK.
$ECCSignatureAlgorithms = @(
'1.2.840.10045.4.1', # szOID_ECDSA_SHA1
'1.2.840.10045.4.3', # szOID_ECDSA_SPECIFIED
'1.2.840.10045.4.3.2', # szOID_ECDSA_SHA256
mattifestation / ECCCurveParser.ps1
Created Jan 15, 2020
Parses the ASN.1-encoded ECC curve parameters from an Audit-CVE
View ECCCurveParser.ps1
# Hex string taken from the "para" field of Audit-CVE event ID 1 event in the Application log
$EventParaString = '3081E0020101302C06072A8648CE3D0101022100A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377304404207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9042026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B60441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997022100A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7020101'
# Convert the hex string to a byte array
[Byte[]] $EventParaBytes = $EventParaString -split '([0-9A-F]{2})' | Where-Object { $_ } | ForEach-Object { [Byte] "0x$_" }
# Save the byte array to disk
[IO.File]::WriteAllBytes("$PWD\ECCCurveParams.bin", $EventParaBytes)
# Use certutil to parse the ASN.1-encoded ECC curve parameters
mattifestation / SurfaceSIPolicy.xml
Created Dec 24, 2019
Since Windows 10 S won't update due to code signing issues, I rolled my own variant of the 10 S policy for my Surface device.
View SurfaceSIPolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="" xmlns:xsi="" xmlns="urn:schemas-microsoft-com:sipolicy">
mattifestation / WDACBaselining.ps1
Last active Nov 19, 2019
Script I use to make sense of code integrity audit/enforcement events for primarily baselining purposes.
View WDACBaselining.ps1
function Get-CodeIntegrityEvent {
Returns code integrity event log audit/enforcement events in a more human-readable fashion.
Get-CodeIntegrityEvent retrieves and parses Microsoft-Windows-CodeIntegrity/Operational PE audit and enforcement events into a format that is more human-readable. This function is designed to facilitate regular code integrity policy baselining.
mattifestation / driversipolicy.xml
Last active Mar 9, 2020
Recovered code integrity policy from %windir%\System32\CodeIntegrity\driversipolicy.p7b
View driversipolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="" xmlns:xsi="" xmlns="urn:schemas-microsoft-com:sipolicy">
<Option>Enabled:Unsigned System Integrity Policy</Option>
mattifestation / rundll_exports.csv
Created Oct 18, 2019
All System32 DLL export functions that contain "RunDLL", an indicator that it's designed to run with rundll32.exe
View rundll_exports.csv
Module Function
C:\Windows\System32\advpack.dll DelNodeRunDLL32W
C:\Windows\System32\advpack.dll DelNodeRunDLL32A
C:\Windows\System32\advpack.dll DelNodeRunDLL32
C:\Windows\System32\ConnectedAccountState.dll ActionCenterRunDllW
C:\Windows\System32\cryptcatsvc.dll CatDbOfflineRebuildDatabasesRundll32W
C:\Windows\System32\cscui.dll CSCOptions_RunDLLW
C:\Windows\System32\cscui.dll CSCOptions_RunDLLA
C:\Windows\System32\cscui.dll CSCOptions_RunDLL
C:\Windows\System32\devmgr.dll DeviceProblenWizard_RunDLLW
mattifestation / msobjs_event_table.ps1
Created Oct 9, 2019
Extracts msobjs.dll message table strings
View msobjs_event_table.ps1
$Source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public class Win32Native {
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
mattifestation / EventLogAuditing.ps1
Last active Oct 11, 2019
Example code used to automate the process of auditing event log security descriptors.
View EventLogAuditing.ps1
# Run the following from an elevated PowerShell session
# This hashtable will be used to store access rights granted to each group.
$PrincipalGrouping = @{}
# Enumerate all installed event logs
Get-WinEvent -ListLog * | ForEach-Object {
$LogName = $_.LogName
# Convert the security descriptor SDDL string to a security descriptor object.
You can’t perform that action at this time.