Skip to content

Instantly share code, notes, and snippets.

Matt Graeber mattifestation

Block or report user

Report or block mattifestation

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@mattifestation
mattifestation / GetECCSignedFiles.ps1
Created Jan 17, 2020
Retrieves any files that were signed where any cert in the chain uses an ECDSA signature algorithm.
View GetECCSignedFiles.ps1
# This script requires Win 10 Enterprise to run Get-SystemDriver, unfortunately.
# Note: Get-SystemDriver will take a long time if it has a lot of files and folders to recurse through.
$ScanPath = 'C:\Windows'
# All supported ECC signatures algorithms according to wincrypt.h in the SDK.
$ECCSignatureAlgorithms = @(
'1.2.840.10045.4.1', # szOID_ECDSA_SHA1
'1.2.840.10045.4.3', # szOID_ECDSA_SPECIFIED
'1.2.840.10045.4.3.2', # szOID_ECDSA_SHA256
@mattifestation
mattifestation / ECCCurveParser.ps1
Created Jan 15, 2020
Parses the ASN.1-encoded ECC curve parameters from an Audit-CVE
View ECCCurveParser.ps1
# Hex string taken from the "para" field of Audit-CVE event ID 1 event in the Application log
$EventParaString = '3081E0020101302C06072A8648CE3D0101022100A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377304404207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9042026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B60441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997022100A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7020101'
# Convert the hex string to a byte array
[Byte[]] $EventParaBytes = $EventParaString -split '([0-9A-F]{2})' | Where-Object { $_ } | ForEach-Object { [Byte] "0x$_" }
# Save the byte array to disk
[IO.File]::WriteAllBytes("$PWD\ECCCurveParams.bin", $EventParaBytes)
# Use certutil to parse the ASN.1-encoded ECC curve parameters
@mattifestation
mattifestation / SurfaceSIPolicy.xml
Created Dec 24, 2019
Since Windows 10 S won't update due to code signing issues, I rolled my own variant of the 10 S policy for my Surface device.
View SurfaceSIPolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
@mattifestation
mattifestation / WDACBaselining.ps1
Last active Nov 19, 2019
Script I use to make sense of code integrity audit/enforcement events for primarily baselining purposes.
View WDACBaselining.ps1
function Get-CodeIntegrityEvent {
<#
.SYNOPSIS
Returns code integrity event log audit/enforcement events in a more human-readable fashion.
.DESCRIPTION
Get-CodeIntegrityEvent retrieves and parses Microsoft-Windows-CodeIntegrity/Operational PE audit and enforcement events into a format that is more human-readable. This function is designed to facilitate regular code integrity policy baselining.
@mattifestation
mattifestation / driversipolicy.xml
Last active Oct 23, 2019
Recovered code integrity policy from %windir%\System32\CodeIntegrity\driversipolicy.p7b
View driversipolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.17689.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
<BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
@mattifestation
mattifestation / rundll_exports.csv
Created Oct 18, 2019
All System32 DLL export functions that contain "RunDLL", an indicator that it's designed to run with rundll32.exe
View rundll_exports.csv
Module Function
C:\Windows\System32\advpack.dll DelNodeRunDLL32W
C:\Windows\System32\advpack.dll DelNodeRunDLL32A
C:\Windows\System32\advpack.dll DelNodeRunDLL32
C:\Windows\System32\ConnectedAccountState.dll ActionCenterRunDllW
C:\Windows\System32\cryptcatsvc.dll CatDbOfflineRebuildDatabasesRundll32W
C:\Windows\System32\cscui.dll CSCOptions_RunDLLW
C:\Windows\System32\cscui.dll CSCOptions_RunDLLA
C:\Windows\System32\cscui.dll CSCOptions_RunDLL
C:\Windows\System32\devmgr.dll DeviceProblenWizard_RunDLLW
@mattifestation
mattifestation / msobjs_event_table.ps1
Created Oct 9, 2019
Extracts msobjs.dll message table strings
View msobjs_event_table.ps1
$Source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public class Win32Native {
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
@mattifestation
mattifestation / EventLogAuditing.ps1
Last active Oct 11, 2019
Example code used to automate the process of auditing event log security descriptors.
View EventLogAuditing.ps1
# Run the following from an elevated PowerShell session
# This hashtable will be used to store access rights granted to each group.
$PrincipalGrouping = @{}
# Enumerate all installed event logs
Get-WinEvent -ListLog * | ForEach-Object {
$LogName = $_.LogName
# Convert the security descriptor SDDL string to a security descriptor object.
@mattifestation
mattifestation / HowToDetectTechniqueX_Demos.ps1
Created Sep 6, 2019
Demo code from my DerbyCon talk: "How do I detect technique X in Windows?" Applied Methodology to Definitively Answer this Question
View HowToDetectTechniqueX_Demos.ps1
#region Attack validations
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe
Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe
$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession
winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
@mattifestation
mattifestation / ExpandDefenderSig.ps1
Created Mar 28, 2019
Decompresses Windows Defender AV signatures for exploration purposes
View ExpandDefenderSig.ps1
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS
Decompresses a Windows Defender AV signature database (.VDM file).
.DESCRIPTION
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
You can’t perform that action at this time.