Skip to content

Instantly share code, notes, and snippets.

@mattifestation
mattifestation / StreamNotes_04212020.md
Created Apr 21, 2020
Twitch Stream Notes 04/21/2020 - Obfuscated Script-based Malware Analysis with the Anti-Malware Scan Interface (AMSI)
View StreamNotes_04212020.md
@mattifestation
mattifestation / profile.ps1
Created Mar 28, 2020
PowerShell profile to add some functionality for Windows Terminal
View profile.ps1
# Personal preference. I like landing on the Desktop
Set-Location $Env:USERPROFILE\Desktop
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
# If the current session is elevated, prefix the prompt with '[Admin]'
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Set-Item -Path Function:\prompt -Value "`"[Admin] PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) `""
}
@mattifestation
mattifestation / GetECCSignedFiles.ps1
Created Jan 17, 2020
Retrieves any files that were signed where any cert in the chain uses an ECDSA signature algorithm.
View GetECCSignedFiles.ps1
# This script requires Win 10 Enterprise to run Get-SystemDriver, unfortunately.
# Note: Get-SystemDriver will take a long time if it has a lot of files and folders to recurse through.
$ScanPath = 'C:\Windows'
# All supported ECC signatures algorithms according to wincrypt.h in the SDK.
$ECCSignatureAlgorithms = @(
'1.2.840.10045.4.1', # szOID_ECDSA_SHA1
'1.2.840.10045.4.3', # szOID_ECDSA_SPECIFIED
'1.2.840.10045.4.3.2', # szOID_ECDSA_SHA256
@mattifestation
mattifestation / ECCCurveParser.ps1
Created Jan 15, 2020
Parses the ASN.1-encoded ECC curve parameters from an Audit-CVE
View ECCCurveParser.ps1
# Hex string taken from the "para" field of Audit-CVE event ID 1 event in the Application log
$EventParaString = '3081E0020101302C06072A8648CE3D0101022100A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377304404207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9042026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B60441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997022100A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7020101'
# Convert the hex string to a byte array
[Byte[]] $EventParaBytes = $EventParaString -split '([0-9A-F]{2})' | Where-Object { $_ } | ForEach-Object { [Byte] "0x$_" }
# Save the byte array to disk
[IO.File]::WriteAllBytes("$PWD\ECCCurveParams.bin", $EventParaBytes)
# Use certutil to parse the ASN.1-encoded ECC curve parameters
@mattifestation
mattifestation / SurfaceSIPolicy.xml
Created Dec 24, 2019
Since Windows 10 S won't update due to code signing issues, I rolled my own variant of the 10 S policy for my Surface device.
View SurfaceSIPolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
@mattifestation
mattifestation / WDACBaselining.ps1
Last active Nov 19, 2019
Script I use to make sense of code integrity audit/enforcement events for primarily baselining purposes.
View WDACBaselining.ps1
function Get-CodeIntegrityEvent {
<#
.SYNOPSIS
Returns code integrity event log audit/enforcement events in a more human-readable fashion.
.DESCRIPTION
Get-CodeIntegrityEvent retrieves and parses Microsoft-Windows-CodeIntegrity/Operational PE audit and enforcement events into a format that is more human-readable. This function is designed to facilitate regular code integrity policy baselining.
@mattifestation
mattifestation / driversipolicy.xml
Last active Mar 9, 2020
Recovered code integrity policy from %windir%\System32\CodeIntegrity\driversipolicy.p7b
View driversipolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.17689.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
<BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
@mattifestation
mattifestation / rundll_exports.csv
Created Oct 18, 2019
All System32 DLL export functions that contain "RunDLL", an indicator that it's designed to run with rundll32.exe
View rundll_exports.csv
Module Function
C:\Windows\System32\advpack.dll DelNodeRunDLL32W
C:\Windows\System32\advpack.dll DelNodeRunDLL32A
C:\Windows\System32\advpack.dll DelNodeRunDLL32
C:\Windows\System32\ConnectedAccountState.dll ActionCenterRunDllW
C:\Windows\System32\cryptcatsvc.dll CatDbOfflineRebuildDatabasesRundll32W
C:\Windows\System32\cscui.dll CSCOptions_RunDLLW
C:\Windows\System32\cscui.dll CSCOptions_RunDLLA
C:\Windows\System32\cscui.dll CSCOptions_RunDLL
C:\Windows\System32\devmgr.dll DeviceProblenWizard_RunDLLW
@mattifestation
mattifestation / msobjs_event_table.ps1
Created Oct 9, 2019
Extracts msobjs.dll message table strings
View msobjs_event_table.ps1
$Source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public class Win32Native {
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
@mattifestation
mattifestation / EventLogAuditing.ps1
Last active Oct 11, 2019
Example code used to automate the process of auditing event log security descriptors.
View EventLogAuditing.ps1
# Run the following from an elevated PowerShell session
# This hashtable will be used to store access rights granted to each group.
$PrincipalGrouping = @{}
# Enumerate all installed event logs
Get-WinEvent -ListLog * | ForEach-Object {
$LogName = $_.LogName
# Convert the security descriptor SDDL string to a security descriptor object.
You can’t perform that action at this time.