Matt Graeber mattifestation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>1.0.0.0</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Audit Mode</Option> | |
| </Rule> | |
| <Rule> |
mattifestation
/ RootCAInstallationDetection.xml
Last active
December 22, 2017 15:27
A sample Sysmon config to detect root CA installation in both the LocalMachine and CurrentUser contexts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="3.4"> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. --> | |
| <RegistryEvent onmatch="include"> | |
| <!-- LocalMachine or CurrentUser ROOT certificate installation --> | |
| <!-- Reference: https://technet.microsoft.com/en-us/library/cc783813(v=ws.10).aspx --> | |
| <TargetObject condition="contains">\Software\Microsoft\SystemCertificates\Root\Certificates\</TargetObject> | |
| <TargetObject condition="contains">\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\</TargetObject> | |
| <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</TargetObject> |
mattifestation
/ EmptyConfig.xml
Created
January 17, 2018 19:34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4fuckyou"> | |
| <HashAlgorithms>md5,sha1</HashAlgorithms> | |
| <EventFiltering> | |
| <ProcessCreate onmatch="include"> | |
| </ProcessCreate> | |
| <FileCreateTime onmatch="include"> | |
| </FileCreateTime> | |
| <NetworkConnect onmatch="include"> | |
| </NetworkConnect> | |
| <ProcessTerminate onmatch="include"> |
mattifestation
/ WDAG_CI_Policy.xml
Created
October 18, 2017 21:59
Recovered Windows Defender Application Guard Hyper-V Container Code Integrity Policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> | |
| <Rule> |
mattifestation
/ CertificateSubjectToPEGrouping.ps1
Created
December 25, 2016 16:04
Can you trust everything that's signed on your host? This might help you begin to answer that question.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get-SystemDriver requires the ConfigCI module on Win10 Enterprise | |
| # This will collect all signer information for all PEs in C:\ | |
| # This will take a while!!! | |
| $Signers = Get-SystemDriver -ScanPath C:\ -UserPEs | |
| # Associate the subject name of each certificate to the file/signer info | |
| # so we can correlate the two. | |
| $CertSubjectMapping = $Signers | % { | |
| $Signer = $_ |
mattifestation
/ DFSPoC.ps1
Created
December 2, 2015 23:59
Perform unauthenticated WMI queries on a Dell Foundation Services server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-DellFoundationServicesWmiObject { | |
| <# | |
| .SYNOPSIS | |
| Performs a WMI query on a Dell Foundation Services server. | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause | |
| .DESCRIPTION |
mattifestation
/ TrustedHashes.csv
Created
December 16, 2017 16:44
All catalog hashes extracted from a mounted install.wim from en_windows_10_multi-edition_vl_version_1709_updated_sept_2017_x64_dvd_100090741.iso
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "Algorithm","Hash","CatalogPath","Hint" | |
| "SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", | |
| "SHA256","F5EEEC38876E48617643A9E735A30B9EC3D08D77075CD81F239A15626E3F7DD5","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", | |
| "SHA256","4BA33EC224E42FC929BA6487041C2C4275C5BCA66CD89471A09BC7F522A5661F","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", | |
| "SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", |
mattifestation
/ EmulateProcExpDotNetEnumeration.ps1
Created
July 26, 2018 18:50
Replicates the data collected when enumerating .NET Assemblies in Process Explorer
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logman start trace dotNetAssemblyTrace2 -p "Microsoft-Windows-DotNETRuntimeRundown" "LoaderRundownKeyword, StartRundownKeyword" win:Informational -o dotNetAssemblyTrace2.etl -ets | |
| Start-Sleep -Seconds 5 | |
| logman stop dotNetAssemblyTrace2 -ets | |
| $EnumeratedCLRRuntimes = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=187)]]' | |
| $EnumeratedAppDomains = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=157)]]' | |
| $EnumeratedAssemblies = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=155)]]' | |
| $EnumeratedModules = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=153)]]' |
mattifestation
/ ExtractDriversFromAuditLogs.ps1
Created
November 26, 2017 23:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create a temp dir in which to copy the drivers to whitelist | |
| mkdir ScanMe | |
| Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -FilterXPath '*[System[EventID=3076]]' | ForEach-Object { | |
| $DriverPath = $_.Properties[1].Value | |
| # Normalize the paths | |
| switch -Wildcard ($DriverPath) { | |
| '\Device\HarddiskVolume4\*' { $DriverPath = "C:\$($DriverPath.Replace('\Device\HarddiskVolume4\', ''))" } | |
| 'System32*' { $DriverPath = "C:\Windows\$DriverPath" } |
mattifestation
/ WDAC_PolicyIDs.txt
Created
February 1, 2019 15:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PolicyIndex: 1 | |
| PolicyTypeID: a244370e-44c9-4c06-b551-f6016e563076 | |
| PolicyPath: System32\CodeIntegrity\SiPolicy.p7b | |
| PolicyIndex: 2 | |
| PolicyTypeID: 2a5a0136-f09f-498e-99cc-51099011157c | |
| PolicyPath: System32\CodeIntegrity\RvkSiPolicy.p7b | |
| PolicyIndex: 3 | |
| PolicyTypeID: 976d12c8-cb9f-4730-be52-54600843238e |