Skip to content

Instantly share code, notes, and snippets.

View mattifestation's full-sized avatar

Matt Graeber mattifestation

1.8k followers · 0 following
View GitHub Profile
@mattifestation
mattifestation / WorldWritableDirs.txt
Created November 21, 2021 18:44
World-writable directories in %windir%
c:\windows\system32\microsoft\crypto\rsa\machinekeys
c:\windows\system32\tasks_migrated\microsoft\windows\pla\system
c:\windows\syswow64\tasks\microsoft\windows\pla\system
c:\windows\debug\wia
c:\windows\system32\tasks
c:\windows\syswow64\tasks
c:\windows\tasks
c:\windows\registration\crmlog
c:\windows\system32\com\dmp
c:\windows\system32\fxstmp
@mattifestation
mattifestation / BasePolicy.xml
Created November 21, 2021 18:26
My deployed base policy. This policy rarely changes and all additional allow rules (except a separate deny-rule base policy) are defined in supplemental policies.
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
<VersionEx>1.0.0.0</VersionEx>
<BasePolicyID>{783745D6-2407-458B-9A93-6AD4ACAD1098}</BasePolicyID>
<PolicyID>{783745D6-2407-458B-9A93-6AD4ACAD1098}</PolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Allow Supplemental Policies</Option>
</Rule>
@mattifestation
mattifestation / AppIDTaggingPolicy.xml
Created October 31, 2021 13:19
A hypothetical AppID Tagging Policy that ConvertFrom-CIPolicy will successfully convert into binary form. Note: at the time of committing this, I have no idea what the purpose of an "AppID Tagging Policy" is.
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="AppID Tagging Policy">
<VersionEx>1.0.0.0</VersionEx>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
@mattifestation
mattifestation / MDE_DataCollection_Scripts.md
Last active April 23, 2025 13:14

Microsoft Defender for Endpoint does a great job of ensuring the integrity of the scripts they push and execute.

First, they ensure that the script to execute matches the expected file hash. Example:

powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read);$calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803'))
@mattifestation
mattifestation / BasePolicyAllowWindows.xml
Last active July 21, 2021 13:20
Final WDAC policy files used for Microsoft Surface Gen. 1 Laptop "Windows-only" configuration
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.1.0</VersionEx>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
@mattifestation
mattifestation / XLM_Analysis_Notes.md
Last active September 13, 2022 19:03
Excel 4 Macro Analysis Notes

Excel Spreadsheet Hash

VT Link: https://www.virustotal.com/gui/file/d9f00024784af858627a44731950ccb50fe3f37bf940ed47ae7b1ca35ac5ceff/detection

SHA256: D9F00024784AF858627A44731950CCB50FE3F37BF940ED47AE7B1CA35AC5CEFF

File Name: 2aKqjPrdo1-7192.xls

Analysis Code

@mattifestation
mattifestation / StreamNotes_04212020.md
Created April 21, 2020 23:25
Twitch Stream Notes 04/21/2020 - Obfuscated Script-based Malware Analysis with the Anti-Malware Scan Interface (AMSI)
@mattifestation
mattifestation / profile.ps1
Created March 28, 2020 22:16
PowerShell profile to add some functionality for Windows Terminal
# Personal preference. I like landing on the Desktop
Set-Location $Env:USERPROFILE\Desktop
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
# If the current session is elevated, prefix the prompt with '[Admin]'
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Set-Item -Path Function:\prompt -Value "`"[Admin] PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) `""
}
@mattifestation
mattifestation / SurfaceSIPolicy.xml
Created December 24, 2019 12:27
Since Windows 10 S won't update due to code signing issues, I rolled my own variant of the 10 S policy for my Surface device.
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
@mattifestation
mattifestation / WDACBaselining.ps1
Last active December 19, 2023 10:23
Script I use to make sense of code integrity audit/enforcement events for primarily baselining purposes.
function Get-CodeIntegrityEvent {
<#
.SYNOPSIS
Returns code integrity event log audit/enforcement events in a more human-readable fashion.
.DESCRIPTION
Get-CodeIntegrityEvent retrieves and parses Microsoft-Windows-CodeIntegrity/Operational PE audit and enforcement events into a format that is more human-readable. This function is designed to facilitate regular code integrity policy baselining.