Matt Graeber mattifestation

## driversipolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.17689.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
  <BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>

## rundll_exports.csv

          
            Module
            Function

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32W

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32A

            
              C:\Windows\System32\advpack.dll
              DelNodeRunDLL32

            
              C:\Windows\System32\ConnectedAccountState.dll
              ActionCenterRunDllW

            
              C:\Windows\System32\cryptcatsvc.dll
              CatDbOfflineRebuildDatabasesRundll32W

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLLW

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLLA

            
              C:\Windows\System32\cscui.dll
              CSCOptions_RunDLL

            
              C:\Windows\System32\devmgr.dll
              DeviceProblenWizard_RunDLLW

## msobjs_event_table.ps1
$Source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public class Win32Native {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)]

## EventLogAuditing.ps1
# Run the following from an elevated PowerShell session

# This hashtable will be used to store access rights granted to each group.
$PrincipalGrouping = @{}

# Enumerate all installed event logs
Get-WinEvent -ListLog * | ForEach-Object {
    $LogName = $_.LogName

    # Convert the security descriptor SDDL string to a security descriptor object.

## HowToDetectTechniqueX_Demos.ps1
#region Attack validations
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe

Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe

$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession

winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword

## ExpandDefenderSig.ps1
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS

Decompresses a Windows Defender AV signature database (.VDM file).

.DESCRIPTION

Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.

## SimpleTCGLogParser.ps1
Import-Module HgsDiagnostics
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName

$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)

$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex

## PSProcmon.psm1
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
    CloseKey              = 0x00000001
    QuerySecurityKey      = 0x00000002
    SetSecurityKey        = 0x00000004
    EnumerateValueKey     = 0x00000010
    QueryMultipleValueKey = 0x00000020
    SetInformationKey     = 0x00000040
    FlushKey              = 0x00000080

## WDAC_PolicyIDs.txt
PolicyIndex: 1
PolicyTypeID: a244370e-44c9-4c06-b551-f6016e563076
PolicyPath: System32\CodeIntegrity\SiPolicy.p7b

PolicyIndex: 2
PolicyTypeID: 2a5a0136-f09f-498e-99cc-51099011157c
PolicyPath: System32\CodeIntegrity\RvkSiPolicy.p7b

PolicyIndex: 3
PolicyTypeID: 976d12c8-cb9f-4730-be52-54600843238e

## process_image_logging.ps1
# These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process
$WINEVENT_KEYWORD_PROCESS = 0x10
$WINEVENT_KEYWORD_IMAGE   = 0x40

# Normally when you enable an analytic log, all keywords are logged which can be veeeeerrrrryy noisy.
# I'm going to limit collection to only image and process event
$KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic'
$KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE)
$KernelProcessLog.ProviderLevel = 0xFF
$KernelProcessLog.IsEnabled = $true
	<?xml version="1.0"?>
	<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.17689.0</VersionEx>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
	<BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>
	Module	Function
	C:\Windows\System32\advpack.dll	DelNodeRunDLL32W
	C:\Windows\System32\advpack.dll	DelNodeRunDLL32A
	C:\Windows\System32\advpack.dll	DelNodeRunDLL32
	C:\Windows\System32\ConnectedAccountState.dll	ActionCenterRunDllW
	C:\Windows\System32\cryptcatsvc.dll	CatDbOfflineRebuildDatabasesRundll32W
	C:\Windows\System32\cscui.dll	CSCOptions_RunDLLW
	C:\Windows\System32\cscui.dll	CSCOptions_RunDLLA
	C:\Windows\System32\cscui.dll	CSCOptions_RunDLL
	C:\Windows\System32\devmgr.dll	DeviceProblenWizard_RunDLLW
	$Source = @'
	using System;
	using System.Runtime.InteropServices;
	using System.Text;

	public class Win32Native {
	[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
	public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags);

	[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
	# Run the following from an elevated PowerShell session

	# This hashtable will be used to store access rights granted to each group.
	$PrincipalGrouping = @{}

	# Enumerate all installed event logs
	Get-WinEvent -ListLog * \| ForEach-Object {
	$LogName = $_.LogName

	# Convert the security descriptor SDDL string to a security descriptor object.
	#region Attack validations
	wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe

	Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe

	$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
	Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
	$CimSession \| Remove-CimSession

	winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
	filter Expand-DefenderAVSignatureDB {
	<#
	.SYNOPSIS

	Decompresses a Windows Defender AV signature database (.VDM file).

	.DESCRIPTION

	Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
	Import-Module HgsDiagnostics
	$GetHgsTrace = Get-Command Get-HgsTrace
	$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() \| Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
	Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName

	$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot \| Sort-Object -Property LastWriteTime -Descending \| Select-Object -First 1 \| Select-Object -ExpandProperty FullName
	$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)

	$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
	$ParsedTCGLog.TcgData.Children \| Sort-Object -Property PcrIndex \| Group-Object -Property PcrIndex
	# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
	[Flags()]
	enum RegistryOptions {
	CloseKey = 0x00000001
	QuerySecurityKey = 0x00000002
	SetSecurityKey = 0x00000004
	EnumerateValueKey = 0x00000010
	QueryMultipleValueKey = 0x00000020
	SetInformationKey = 0x00000040
	FlushKey = 0x00000080
	PolicyIndex: 1
	PolicyTypeID: a244370e-44c9-4c06-b551-f6016e563076
	PolicyPath: System32\CodeIntegrity\SiPolicy.p7b

	PolicyIndex: 2
	PolicyTypeID: 2a5a0136-f09f-498e-99cc-51099011157c
	PolicyPath: System32\CodeIntegrity\RvkSiPolicy.p7b

	PolicyIndex: 3
	PolicyTypeID: 976d12c8-cb9f-4730-be52-54600843238e
	# These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process
	$WINEVENT_KEYWORD_PROCESS = 0x10
	$WINEVENT_KEYWORD_IMAGE = 0x40

	# Normally when you enable an analytic log, all keywords are logged which can be veeeeerrrrryy noisy.
	# I'm going to limit collection to only image and process event
	$KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic'
	$KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE)
	$KernelProcessLog.ProviderLevel = 0xFF
	$KernelProcessLog.IsEnabled = $true