Matt Graeber mattifestation

## build.bat
csc test.cs
ildasm /OUT=test.il test.exe
type moduleinititalizer.il >> test.il
ilasm /EXE /OUTPUT=test.exe test.il

## drop_binary.bat
echo -----BEGIN CERTIFICATE----- > encoded.txt
echo Just Base64 encode your binary data
echo TVoAAA== >> encoded.txt
echo -----END CERTIFICATE----- >> encoded.txt
certutil -decode encoded.txt decoded.bin

## DFSPoC.ps1
function Get-DellFoundationServicesWmiObject {
<#
.SYNOPSIS

Performs a WMI query on a Dell Foundation Services server.

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause

.DESCRIPTION

## AssocEnum.ps1
function Get-AssociatedClassRelationship {
    param (
        [String]
        $Namespace = 'root/cimv2'
    )

    Get-CimClass -Namespace $Namespace | ? { $_.CimClassQualifiers['Association'] -and (-not $_.CimClassQualifiers['Abstract']) } | % {
        $KeyQualifiers = @($_.CimClassProperties | ? { $_.Qualifiers['key'] })

        if ($KeyQualifiers.Count -eq 2) {

## WMI_attack_detection.ps1
#region Scriptblocks that will execute upon alert trigger
$LateralMovementDetected = {
    $Event = $EventArgs.NewEvent

    $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)

    $MethodName = $Event.MethodName
    $Namespace = $Event.Namespace
    $Object = $Event.ObjectPath
    $User = $Event.User

## WMI_recon_and_attacks.ps1
#############
### SETUP ###
#############

# Set up remote session
$Credential = Get-Credential TestUser
$AdminCred = Get-Credential Administrator
$SessionOption = New-CimSessionOption -Protocol Dcom
$CimSession = New-CimSession -Credential $Credential -ComputerName TestPC -SessionOption $SessionOption
$AdminCimSession = New-CimSession -Credential $AdminCred -ComputerName TestPC -SessionOption $SessionOption

## Example_WMI_Detection_EventLogAlert.ps1
# Define the signature - i.e. __EventFilter
$EventFilterArgs = @{
    EventNamespace = 'root/cimv2'
    Name = 'LateralMovementEvent'
    Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"'
    QueryLanguage = 'WQL'
}

$InstanceArgs = @{
    Namespace = 'root/subscription'

## remote_at_job.ps1
# This code could be used to remotely enable and launch AT jobs regardless of the fact that AT is deprecated in Win8+.

$HKLM = [UInt32] 2147483650

# Check to see if EnableAt is set
$Result = Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName GetDWORDValue -Arguments @{
    hDefKey = $HKLM
    sSubKeyName = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration'
    sValueName = 'EnableAt'
}

## WMI_event_discovery.ps1
function Get-WmiNamespace {
<#
.SYNOPSIS

Returns a list of WMI namespaces present within the specified namespace.

.PARAMETER Namespace

Specifies the WMI repository namespace in which to list sub-namespaces. Get-WmiNamespace defaults to the ROOT namespace.

## sample_drive_infector.ps1
$EventFilterArgs = @{
    EventNamespace = 'root/cimv2'
    Name = 'DriveChanged'
    Query = 'SELECT * FROM Win32_VolumeChangeEvent'
    QueryLanguage = 'WQL'
}

$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

$CommandLineConsumerArgs = @{
	csc test.cs
	ildasm /OUT=test.il test.exe
	type moduleinititalizer.il >> test.il
	ilasm /EXE /OUTPUT=test.exe test.il
	echo -----BEGIN CERTIFICATE----- > encoded.txt
	echo Just Base64 encode your binary data
	echo TVoAAA== >> encoded.txt
	echo -----END CERTIFICATE----- >> encoded.txt
	certutil -decode encoded.txt decoded.bin
	function Get-DellFoundationServicesWmiObject {
	<#
	.SYNOPSIS

	Performs a WMI query on a Dell Foundation Services server.

	Author: Matthew Graeber (@mattifestation)
	License: BSD 3-Clause

	.DESCRIPTION
	function Get-AssociatedClassRelationship {
	param (
	[String]
	$Namespace = 'root/cimv2'
	)

	Get-CimClass -Namespace $Namespace \| ? { $_.CimClassQualifiers['Association'] -and (-not $_.CimClassQualifiers['Abstract']) } \| % {
	$KeyQualifiers = @($_.CimClassProperties \| ? { $_.Qualifiers['key'] })

	if ($KeyQualifiers.Count -eq 2) {
	#region Scriptblocks that will execute upon alert trigger
	$LateralMovementDetected = {
	$Event = $EventArgs.NewEvent

	$EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)

	$MethodName = $Event.MethodName
	$Namespace = $Event.Namespace
	$Object = $Event.ObjectPath
	$User = $Event.User
	#############
	### SETUP ###
	#############

	# Set up remote session
	$Credential = Get-Credential TestUser
	$AdminCred = Get-Credential Administrator
	$SessionOption = New-CimSessionOption -Protocol Dcom
	$CimSession = New-CimSession -Credential $Credential -ComputerName TestPC -SessionOption $SessionOption
	$AdminCimSession = New-CimSession -Credential $AdminCred -ComputerName TestPC -SessionOption $SessionOption
	# Define the signature - i.e. __EventFilter
	$EventFilterArgs = @{
	EventNamespace = 'root/cimv2'
	Name = 'LateralMovementEvent'
	Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"'
	QueryLanguage = 'WQL'
	}

	$InstanceArgs = @{
	Namespace = 'root/subscription'
	# This code could be used to remotely enable and launch AT jobs regardless of the fact that AT is deprecated in Win8+.

	$HKLM = [UInt32] 2147483650

	# Check to see if EnableAt is set
	$Result = Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName GetDWORDValue -Arguments @{
	hDefKey = $HKLM
	sSubKeyName = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration'
	sValueName = 'EnableAt'
	}
	function Get-WmiNamespace {
	<#
	.SYNOPSIS

	Returns a list of WMI namespaces present within the specified namespace.

	.PARAMETER Namespace

	Specifies the WMI repository namespace in which to list sub-namespaces. Get-WmiNamespace defaults to the ROOT namespace.
	$EventFilterArgs = @{
	EventNamespace = 'root/cimv2'
	Name = 'DriveChanged'
	Query = 'SELECT * FROM Win32_VolumeChangeEvent'
	QueryLanguage = 'WQL'
	}

	$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

	$CommandLineConsumerArgs = @{