Matt Graeber mattifestation

## GetECCSignedFiles.ps1
# This script requires Win 10 Enterprise to run Get-SystemDriver, unfortunately.

# Note: Get-SystemDriver will take a long time if it has a lot of files and folders to recurse through.
$ScanPath = 'C:\Windows'

# All supported ECC signatures algorithms according to wincrypt.h in the SDK.
$ECCSignatureAlgorithms = @(
    '1.2.840.10045.4.1', # szOID_ECDSA_SHA1
    '1.2.840.10045.4.3', # szOID_ECDSA_SPECIFIED
    '1.2.840.10045.4.3.2', # szOID_ECDSA_SHA256

## ECCCurveParser.ps1
# Hex string taken from the "para" field of Audit-CVE event ID 1 event in the Application log
$EventParaString = '3081E0020101302C06072A8648CE3D0101022100A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377304404207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9042026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B60441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997022100A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7020101'

# Convert the hex string to a byte array
[Byte[]] $EventParaBytes = $EventParaString -split '([0-9A-F]{2})' | Where-Object { $_ } | ForEach-Object { [Byte] "0x$_" }

# Save the byte array to disk
[IO.File]::WriteAllBytes("$PWD\ECCCurveParams.bin", $EventParaBytes)

# Use certutil to parse the ASN.1-encoded ECC curve parameters

## SurfaceSIPolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>

## WDACBaselining.ps1
function Get-CodeIntegrityEvent {
<#
.SYNOPSIS

Returns code integrity event log audit/enforcement events in a more human-readable fashion.

.DESCRIPTION

Get-CodeIntegrityEvent retrieves and parses Microsoft-Windows-CodeIntegrity/Operational PE audit and enforcement events into a format that is more human-readable. This function is designed to facilitate regular code integrity policy baselining.

## driversipolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.17689.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
  <BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>

## rundll_exports.csv

          
            Module
            Function

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32W

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32A

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32

            
              C:\Windows\System32\ConnectedAccountState.dll
              ActionCenterRunDllW

            
              C:\Windows\System32\cryptcatsvc.dll
              CatDbOfflineRebuildDatabasesRundll32W

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLLW

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLLA

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLL

            
              C:\Windows\System32\devmgr.dll
              DeviceProblenWizard_RunDLLW

## msobjs_event_table.ps1
$Source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public class Win32Native {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)]

## EventLogAuditing.ps1
# Run the following from an elevated PowerShell session

# This hashtable will be used to store access rights granted to each group.
$PrincipalGrouping = @{}

# Enumerate all installed event logs
Get-WinEvent -ListLog * | ForEach-Object {
    $LogName = $_.LogName

    # Convert the security descriptor SDDL string to a security descriptor object.

## HowToDetectTechniqueX_Demos.ps1
#region Attack validations
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe

Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe

$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession

winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword

## ExpandDefenderSig.ps1
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS

Decompresses a Windows Defender AV signature database (.VDM file).

.DESCRIPTION

Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.