Matt Graeber mgraeber-rc
mgraeber-rc
/ GetAppPackageTriageInfo.ps1
Created
December 28, 2023 18:46
A tool to perform rapid triage of decompressed application packages (.msix and .appx files).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter Get-AppPackageTriageInfo { | |
| <# | |
| .SYNOPSIS | |
| A tool to perform rapid triage of decompressed application packages (.msix and .appx files). | |
| .DESCRIPTION | |
| Get-AppPackageTriageInfo parses key information from an uncompressed application package (.msix and .appx) without needing to first install it. |
mgraeber-rc
/ {2678656C-05EF-481F-BC5B-EBD8C991502D}.xml
Created
September 14, 2023 18:59
Recovered WDAC Inbox Policy: VerifiedAndReputableDesktopEvaluationFlightSupplemental
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Supplemental Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>0.0.0.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <PolicyID>{2678656C-05EF-481F-BC5B-EBD8C991502D}</PolicyID> | |
| <BasePolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> |
mgraeber-rc
/ {1678656C-05EF-481F-BC5B-EBD8C991502D}.xml
Created
September 14, 2023 18:58
Recovered WDAC Inbox Policy: VerifiedAndReputableDesktopFlightSupplemental
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Supplemental Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>0.0.0.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <PolicyID>{1678656C-05EF-481F-BC5B-EBD8C991502D}</PolicyID> | |
| <BasePolicyID>{0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> |
mgraeber-rc
/ {1939ED82-BFD5-4D32-B58E-D31D3C49715A}.xml
Created
September 14, 2023 18:57
Recovered WDAC Inbox Policy: VerifiedAndReputableDesktopEvaluationTestSupplemental
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Supplemental Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>0.0.0.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <PolicyID>{1939ED82-BFD5-4D32-B58E-D31D3C49715A}</PolicyID> | |
| <BasePolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID> | |
| <Rules> | |
| <Rule> | |
| <Option>Disabled:Runtime FilePath Rule Protection</Option> | |
| </Rule> |
mgraeber-rc
/ {1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}.xml
Created
September 14, 2023 18:56
Recovered WDAC Inbox Policy: VerifiedAndReputableDesktopEvaluation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Base Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>0.0.0.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <PolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</PolicyID> | |
| <BasePolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> |
mgraeber-rc
/ {0939ED82-BFD5-4D32-B58E-D31D3C49715A}.xml
Created
September 14, 2023 18:55
Recovered WDAC Inbox Policy: VerifiedAndReputableDesktopTestSupplemental
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Supplemental Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>0.0.0.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <PolicyID>{0939ED82-BFD5-4D32-B58E-D31D3C49715A}</PolicyID> | |
| <BasePolicyID>{0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID> | |
| <Rules> | |
| <Rule> | |
| <Option>Disabled:Runtime FilePath Rule Protection</Option> | |
| </Rule> |
mgraeber-rc
/ {0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}.xml
Created
September 14, 2023 18:54
Recovered WDAC Inbox Policy: VerifiedAndReputableDesktop
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Base Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>0.0.0.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <PolicyID>{0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</PolicyID> | |
| <BasePolicyID>{0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> |
mgraeber-rc
/ ATPSiPolicy.xml
Created
September 12, 2023 15:15
Recovered Microsoft Defender for Endpoint WDAC policy that is dropped to %windir%\System32\CodeIntegrity\ATPSiPolicy.p7b when "Restrict App Execution" is enabled for a device.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> | |
| <Rule> |
mgraeber-rc
/ AMSITools.psm1
Created
November 10, 2021 18:41
Get-AMSIEvent and Send-AmsiContent are helper functions used to validate AMSI ETW events. Note: because this script contains the word AMSI, it will flag most AV engines. Add an exception on a test system accordingly in order to get this to work.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter Send-AmsiContent { | |
| <# | |
| .SYNOPSIS | |
| Supplies the AmsiScanBuffer function with a buffer to be scanned by an AMSI provider. | |
| Author: Matt Graeber | |
| Company: Red Canary | |
| .DESCRIPTION |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matt Graeber | |
| # Company: Red Canary | |
| # To start a trace, run the following from an elevated command prompt: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
| # To stop the trace, run the following: logman stop AMSITrace -ets | |
| # Example usage: Get-AMSIEvent -Path .\AMSITrace.etl | |
| function Get-AMSIEvent { | |
| param ( |
NewerOlder