Matt Graeber mattifestation

## StreamNotes_04212020.md

      
              1 file
            
          
              2 forks
            
          
              0 comments
            
          
              5 stars
            
          
                mattifestation
                / StreamNotes_04212020.md
            
            
              Created Apr 21, 2020
            
              
                Twitch Stream Notes 04/21/2020 - Obfuscated Script-based Malware Analysis with the Anti-Malware Scan Interface (AMSI)
              
          
      View StreamNotes_04212020.md
  
    
    Malware Sample Inspected
Trickbot COVID macro lure via MSFT: ec34b207d503a3c95ee743ee296a08e93a5e960aa4611ea8c39d8e5d4c5f6593
test.js
eval("WScript.CreateObject(\"WScript.Shell\").Run(\"calc.exe\");");


## profile.ps1
# Personal preference. I like landing on the Desktop
Set-Location $Env:USERPROFILE\Desktop

$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())

# If the current session is elevated, prefix the prompt with '[Admin]'
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Set-Item -Path Function:\prompt -Value "`"[Admin] PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) `""
}

## GetECCSignedFiles.ps1
# This script requires Win 10 Enterprise to run Get-SystemDriver, unfortunately.

# Note: Get-SystemDriver will take a long time if it has a lot of files and folders to recurse through.
$ScanPath = 'C:\Windows'

# All supported ECC signatures algorithms according to wincrypt.h in the SDK.
$ECCSignatureAlgorithms = @(
    '1.2.840.10045.4.1', # szOID_ECDSA_SHA1
    '1.2.840.10045.4.3', # szOID_ECDSA_SPECIFIED
    '1.2.840.10045.4.3.2', # szOID_ECDSA_SHA256

## ECCCurveParser.ps1
# Hex string taken from the "para" field of Audit-CVE event ID 1 event in the Application log
$EventParaString = '3081E0020101302C06072A8648CE3D0101022100A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377304404207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9042026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B60441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997022100A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7020101'

# Convert the hex string to a byte array
[Byte[]] $EventParaBytes = $EventParaString -split '([0-9A-F]{2})' | Where-Object { $_ } | ForEach-Object { [Byte] "0x$_" }

# Save the byte array to disk
[IO.File]::WriteAllBytes("$PWD\ECCCurveParams.bin", $EventParaBytes)

# Use certutil to parse the ASN.1-encoded ECC curve parameters

## SurfaceSIPolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>

## WDACBaselining.ps1
function Get-CodeIntegrityEvent {
<#
.SYNOPSIS

Returns code integrity event log audit/enforcement events in a more human-readable fashion.

.DESCRIPTION

Get-CodeIntegrityEvent retrieves and parses Microsoft-Windows-CodeIntegrity/Operational PE audit and enforcement events into a format that is more human-readable. This function is designed to facilitate regular code integrity policy baselining.

## driversipolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.17689.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
  <BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>

## rundll_exports.csv

          
            Module
            Function

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32W

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32A

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32

            
              C:\Windows\System32\ConnectedAccountState.dll
              ActionCenterRunDllW

            
              C:\Windows\System32\cryptcatsvc.dll
              CatDbOfflineRebuildDatabasesRundll32W

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLLW

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLLA

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLL

            
              C:\Windows\System32\devmgr.dll
              DeviceProblenWizard_RunDLLW

## msobjs_event_table.ps1
$Source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public class Win32Native {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)]

## EventLogAuditing.ps1
# Run the following from an elevated PowerShell session

# This hashtable will be used to store access rights granted to each group.
$PrincipalGrouping = @{}

# Enumerate all installed event logs
Get-WinEvent -ListLog * | ForEach-Object {
    $LogName = $_.LogName

    # Convert the security descriptor SDDL string to a security descriptor object.
	# Personal preference. I like landing on the Desktop
	Set-Location $Env:USERPROFILE\Desktop

	$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())

	# If the current session is elevated, prefix the prompt with '[Admin]'
	if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
	Set-Item -Path Function:\prompt -Value "`"[Admin] PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) `""
	}
	# This script requires Win 10 Enterprise to run Get-SystemDriver, unfortunately.

	# Note: Get-SystemDriver will take a long time if it has a lot of files and folders to recurse through.
	$ScanPath = 'C:\Windows'

	# All supported ECC signatures algorithms according to wincrypt.h in the SDK.
	$ECCSignatureAlgorithms = @(
	'1.2.840.10045.4.1', # szOID_ECDSA_SHA1
	'1.2.840.10045.4.3', # szOID_ECDSA_SPECIFIED
	'1.2.840.10045.4.3.2', # szOID_ECDSA_SHA256
	# Hex string taken from the "para" field of Audit-CVE event ID 1 event in the Application log
	$EventParaString = '3081E0020101302C06072A8648CE3D0101022100A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377304404207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9042026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B60441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997022100A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7020101'

	# Convert the hex string to a byte array
	[Byte[]] $EventParaBytes = $EventParaString -split '([0-9A-F]{2})' \| Where-Object { $_ } \| ForEach-Object { [Byte] "0x$_" }

	# Save the byte array to disk
	[IO.File]::WriteAllBytes("$PWD\ECCCurveParams.bin", $EventParaBytes)

	# Use certutil to parse the ASN.1-encoded ECC curve parameters
	<?xml version="1.0"?>
	<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.0.0</VersionEx>
	<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
	<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:UMCI</Option>
	</Rule>
	function Get-CodeIntegrityEvent {
	<#
	.SYNOPSIS

	Returns code integrity event log audit/enforcement events in a more human-readable fashion.

	.DESCRIPTION

	Get-CodeIntegrityEvent retrieves and parses Microsoft-Windows-CodeIntegrity/Operational PE audit and enforcement events into a format that is more human-readable. This function is designed to facilitate regular code integrity policy baselining.
	<?xml version="1.0"?>
	<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.17689.0</VersionEx>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
	<BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>
	Module	Function
	C:\Windows\System32\advpack.dll	DelNodeRunDLL32W
	C:\Windows\System32\advpack.dll	DelNodeRunDLL32A
	C:\Windows\System32\advpack.dll	DelNodeRunDLL32
	C:\Windows\System32\ConnectedAccountState.dll	ActionCenterRunDllW
	C:\Windows\System32\cryptcatsvc.dll	CatDbOfflineRebuildDatabasesRundll32W
	C:\Windows\System32\cscui.dll	CSCOptions_RunDLLW
	C:\Windows\System32\cscui.dll	CSCOptions_RunDLLA
	C:\Windows\System32\cscui.dll	CSCOptions_RunDLL
	C:\Windows\System32\devmgr.dll	DeviceProblenWizard_RunDLLW
	$Source = @'
	using System;
	using System.Runtime.InteropServices;
	using System.Text;

	public class Win32Native {
	[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
	public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);

	[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
	# Run the following from an elevated PowerShell session

	# This hashtable will be used to store access rights granted to each group.
	$PrincipalGrouping = @{}

	# Enumerate all installed event logs
	Get-WinEvent -ListLog * \| ForEach-Object {
	$LogName = $_.LogName

	# Convert the security descriptor SDDL string to a security descriptor object.