<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>1.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Audit Mode</Option>
    </Rule>
    <Rule>

<Sysmon schemaversion="3.4">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
    <RegistryEvent onmatch="include">
      <!-- LocalMachine or CurrentUser ROOT certificate installation -->
      <!-- Reference: https://technet.microsoft.com/en-us/library/cc783813(v=ws.10).aspx -->
      <TargetObject condition="contains">\Software\Microsoft\SystemCertificates\Root\Certificates\</TargetObject>
      <TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\</TargetObject>
      <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</TargetObject>
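To see which registry writes the three TargetObject rules above would actually surface, the following PowerShell emulates Sysmon's "contains" and "begin with" matching against constructed registry paths. This is an added example, not part of the gist; the thumbprint and SID in the sample paths are placeholders, and the emulation assumes Sysmon's documented case-insensitive rule matching.

```powershell
# Added example (not from the gist above): emulate the Sysmon RegistryEvent include
# rules against constructed TargetObject values so the reach of each rule is visible.
# Sysmon rule matching is case-insensitive, which is why the two 'contains' rules
# catch both HKLM\SOFTWARE\... and HKU\<SID>\Software\... root-store writes.

# The three TargetObject rules from the config, as (condition, value) pairs.
$RootCertRules = @(
    @{ Condition = 'contains';   Value = '\Software\Microsoft\SystemCertificates\Root\Certificates\' }
    @{ Condition = 'contains';   Value = '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\' }
    @{ Condition = 'begin with'; Value = 'HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\' }
)

function Test-SysmonTargetObject {
    <#
    .SYNOPSIS
    Returns $true if a registry TargetObject would match any of the supplied
    Sysmon include rules. Only 'contains' and 'begin with' are implemented here.
    #>
    param(
        [Parameter(Mandatory)] [string] $TargetObject,
        [Parameter(Mandatory)] [hashtable[]] $Rules
    )

    foreach ($Rule in $Rules) {
        $Hit = switch ($Rule.Condition) {
            'contains'   { $TargetObject.IndexOf($Rule.Value, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
            'begin with' { $TargetObject.StartsWith($Rule.Value, [StringComparison]::OrdinalIgnoreCase) }
            default      { throw "Unsupported condition: $($Rule.Condition)" }
        }
        if ($Hit) { return $true }
    }
    return $false
}

# Constructed sample TargetObject values in the form Sysmon reports them.
# The thumbprint and SID are placeholders, not real data.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
$Samples = @(
    "HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint\Blob"
    "HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint\Blob"
    "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint\Blob"
    "HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\$Thumbprint\Blob"
    # Intermediate CA store and an unrelated autorun key: neither should match.
    "HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\$Thumbprint\Blob"
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater'
)

foreach ($Target in $Samples) {
    [PSCustomObject]@{
        Matched      = Test-SysmonTargetObject -TargetObject $Target -Rules $RootCertRules
        TargetObject = $Target
    }
}
```

The first four samples match (machine store, per-user store, group-policy store, enterprise store) and the last two do not. The per-user hit relies on the first rule having no hive prefix: a `begin with HKLM\...` rule would miss a root CA installed into a user's own store, which is exactly the low-privilege case this config is meant to catch.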

<Sysmon schemaversion="4fuckyou">
  <HashAlgorithms>md5,sha1</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="include">
    </ProcessCreate>
    <FileCreateTime onmatch="include">
    </FileCreateTime>
    <NetworkConnect onmatch="include">
    </NetworkConnect>
    <ProcessTerminate onmatch="include">

<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>
    <Rule>

# Get-SystemDriver requires the ConfigCI module on Win10 Enterprise
# This will collect all signer information for all PEs in C:\
# This will take a while!!!
$Signers = Get-SystemDriver -ScanPath C:\ -UserPEs
# Associate the subject name of each certificate to the file/signer info
# so we can correlate the two.
$CertSubjectMapping = $Signers | ForEach-Object {
    $Signer = $_

function Get-DellFoundationServicesWmiObject {
<#
.SYNOPSIS

Performs a WMI query on a Dell Foundation Services server.

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause

.DESCRIPTION

"Algorithm","Hash","CatalogPath","Hint"
"SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",
"SHA256","F5EEEC38876E48617643A9E735A30B9EC3D08D77075CD81F239A15626E3F7DD5","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",
"SHA256","4BA33EC224E42FC929BA6487041C2C4275C5BCA66CD89471A09BC7F522A5661F","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",
"SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",

logman start trace dotNetAssemblyTrace2 -p "Microsoft-Windows-DotNETRuntimeRundown" "LoaderRundownKeyword, StartRundownKeyword" win:Informational -o dotNetAssemblyTrace2.etl -ets
Start-Sleep -Seconds 5
logman stop dotNetAssemblyTrace2 -ets
$EnumeratedCLRRuntimes = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=187)]]'
$EnumeratedAppDomains = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=157)]]'
$EnumeratedAssemblies = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=155)]]'
$EnumeratedModules = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=153)]]'

# Create a temp dir in which to copy the drivers to whitelist
mkdir ScanMe
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -FilterXPath '*[System[EventID=3076]]' | ForEach-Object {
    $DriverPath = $_.Properties[1].Value
    # Normalize the paths
    switch -Wildcard ($DriverPath) {
        '\Device\HarddiskVolume4\*' { $DriverPath = "C:\$($DriverPath.Replace('\Device\HarddiskVolume4\', ''))" }
        'System32*' { $DriverPath = "C:\Windows\$DriverPath" }
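The snippet above hard-codes `\Device\HarddiskVolume4` as the system volume, which is only true on the machine it was written on. The following added example (mine, not from the gist) resolves the `\Device\HarddiskVolumeN` to drive-letter mapping at run time with `QueryDosDevice` and applies the same two normalizations to constructed sample paths; on a real host you would feed it `$_.Properties[1].Value` from the 3076 events as the gist does. Note that 3076 is the audit-mode "would have been blocked" event; once the policy is enforced the corresponding block is logged as 3077.

```powershell
# Added example (not from the gist above): derive the \Device\HarddiskVolumeN -> drive
# letter map from the local machine instead of hard-coding HarddiskVolume4, then
# normalize paths in the shapes CodeIntegrity event 3076 reports them.

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@

function Get-NtDeviceToDriveMap {
    # Returns a hashtable such as @{ '\Device\HarddiskVolume4' = 'C:' } for every drive letter.
    $Map = @{}
    foreach ($Drive in [System.IO.DriveInfo]::GetDrives()) {
        $Letter = $Drive.Name.TrimEnd('\')                  # 'C:\' -> 'C:'
        $Target = New-Object System.Text.StringBuilder 1024
        $Len = [Win32.NativeMethods]::QueryDosDevice($Letter, $Target, $Target.Capacity)
        if ($Len -gt 0) { $Map[$Target.ToString()] = $Letter }
    }
    return $Map
}

function ConvertTo-Win32Path {
    <#
    .SYNOPSIS
    Converts the two path forms seen in CodeIntegrity event 3076 into Win32 paths:
    '\Device\HarddiskVolumeN\...' via the device map, and 'System32\...' relative to
    the Windows directory. Anything else is returned unchanged.
    #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [hashtable] $DeviceMap
    )

    switch -Wildcard ($Path) {
        '\Device\HarddiskVolume*' {
            # '\Device\HarddiskVolumeN\rest' -> ('', 'Device', 'HarddiskVolumeN', 'rest')
            $Parts  = $Path -split '\\', 4
            $Device = $Parts[0..2] -join '\'
            $Rest   = $Parts[3]
            if ($DeviceMap.ContainsKey($Device)) { return "$($DeviceMap[$Device])\$Rest" }
            # Unknown volume (e.g. an event log exported from another host): leave it alone.
            return $Path
        }
        'System32\*' { return "$env:SystemRoot\$Path" }
        default      { return $Path }
    }
}

$DeviceMap = Get-NtDeviceToDriveMap

# Constructed sample values in the shapes event 3076 uses (not real events).
$SamplePaths = @(
    '\Device\HarddiskVolume4\Program Files\Vendor\tool.exe'
    'System32\drivers\example.sys'
    '\Device\HarddiskVolume99\unknown.exe'
)

foreach ($P in $SamplePaths) {
    [PSCustomObject]@{
        Original   = $P
        Normalized = ConvertTo-Win32Path -Path $P -DeviceMap $DeviceMap
    }
}
```

On a host whose system volume is `\Device\HarddiskVolume4` the first sample becomes `C:\Program Files\Vendor\tool.exe`; on any other host it resolves to whichever letter that volume is actually mounted as, which is the point of not hard-coding it. Paths on volumes the machine does not have pass through unchanged so they can be reviewed rather than silently mis-attributed to `C:`.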

PolicyIndex: 1
PolicyTypeID: a244370e-44c9-4c06-b551-f6016e563076
PolicyPath: System32\CodeIntegrity\SiPolicy.p7b
PolicyIndex: 2
PolicyTypeID: 2a5a0136-f09f-498e-99cc-51099011157c
PolicyPath: System32\CodeIntegrity\RvkSiPolicy.p7b
PolicyIndex: 3
PolicyTypeID: 976d12c8-cb9f-4730-be52-54600843238e