Matt Graeber mattifestation
mattifestation
/ PSBinaryManipulation.ps1
Last active
September 29, 2020 02:39
Parsing binary values using bit math in PowerShell - Parsing an IO control code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -Version 3 | |
| # -shr and [PSCustomObject] are only available in PSv3+ | |
| function ConvertFrom-IOControlCode { | |
| <# | |
| .SYNOPSIS | |
| Converts an IO control code to its respective arguments. | |
| Author: Matthew Graeber (@mattifestation) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Yes I know I should do this with the CIM cmdlets too... | |
| function Get-WmiNamespace { | |
| <# | |
| .SYNOPSIS | |
| Returns a list of WMI namespaces present within the specified namespace. | |
| .PARAMETER Namespace | |
| Specifies the WMI repository namespace in which to list sub-namespaces. Get-WmiNamespace defaults to the ROOT namespace. |
mattifestation
/ autodump_powershell_process.ps1
Last active
September 16, 2019 04:58
Automatically capture a full PowerShell memory dump upon any PowerShell host process termination
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'PowerShellProcessStarted' | |
| Query = 'SELECT FileName, ProcessID FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $EventFilterArgs | |
| $CommandLineConsumerArgs = @{ |
mattifestation
/ wmi_provider_association.ps1
Last active
August 16, 2022 05:14
Enumerates WMI providers, the DLLs that back the provider, and the classes hosted by the provider.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause | |
| #> | |
| function Get-WmiNamespace { | |
| [OutputType([String])] | |
| Param ( | |
| [String] | |
| [ValidateNotNullOrEmpty()] |
mattifestation
/ UACBypass.ps1
Last active
March 27, 2024 03:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-UACBypass { | |
| <# | |
| .SYNOPSIS | |
| Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy. | |
| Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None |
mattifestation
/ Win10IoTCoreEoP.ps1
Created
July 24, 2016 05:26
Window 10 IoT Core (Build 14393) Elevation of Privilege PoC Exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region Win10IoT Audit Code | |
| $CimSession = New-CimSession -ComputerName Win10IoT -Credential Administrator -Authentication Negotiate | |
| Get-CimInstance -ClassName Win32_OperatingSystem -CimSession $CimSession | |
| Get-CimInstance -ClassName Win32_Service -Filter 'Name = "InputService"' -CimSession $CimSession | Format-List * | |
| # Run the service audit function in CimSweep | |
| $ServicePermissions = Get-CSVulnerableServicePermission -CimSession $CimSession | |
| $ServicePermissions | Where-Object { $_.GroupName -eq 'NT AUTHORITY\Authenticated Users' } | |
| # The fact that Authenticated Users can change the service configuration means that |
mattifestation
/ CIPolicy.xsd
Last active
September 13, 2022 18:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <xs:schema | |
| targetNamespace="urn:schemas-microsoft-com:sipolicy" | |
| elementFormDefault="qualified" | |
| xmlns="urn:schemas-microsoft-com:sipolicy" | |
| xmlns:ps="urn:schemas-microsoft-com:sipolicy" | |
| xmlns:xs="http://www.w3.org/2001/XMLSchema" | |
| > | |
| <!-- A {00000000-0000-0000-0000-000000000000} GUID type --> | |
| <xs:simpleType name="GuidType"> |
mattifestation
/ CIPolicyParser.ps1
Last active
March 13, 2024 19:48
Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Ensure System.Security assembly is loaded. | |
| Add-Type -AssemblyName System.Security | |
| function ConvertTo-CIPolicy { | |
| <# | |
| .SYNOPSIS | |
| Converts a binary file that contains a Code Integrity policy into XML format. | |
| Author: Matthew Graeber (@mattifestation) |
mattifestation
/ Microsoft-Windows-CodeIntegrity.manifest.xml
Created
October 17, 2016 20:08
Extracted ETW manifest for the Microsoft-Windows-CodeIntegrity provider.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"> | |
| <events> | |
| <provider name="Microsoft-Windows-CodeIntegrity" guid="{4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}" resourceFileName="Microsoft-Windows-CodeIntegrity" messageFileName="Microsoft-Windows-CodeIntegrity" symbol="MicrosoftWindowsCodeIntegrity" source="Xml" > | |
| <keywords> | |
| </keywords> | |
| <tasks> | |
| <task name="CreateSection" message="$(string.task_CreateSection)" value="1"> | |
| > | |
| <opcodes> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function ConvertTo-Oid { | |
| <# | |
| .SYNOPSIS | |
| Decodes a DER encoded ASN.1 object identifier (OID) | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause | |
| .DESCRIPTION |