@mgraeber-rc
mgraeber-rc / gist:bfc80007cb8816d029ff116928a76e76
Created September 2, 2021 14:52
Extensions scrutinized by the AssocIsDangerous function
.ade
.adp
.app
.asp
.bas
.bat
.cer
.chm
.cmd
.cnt
mgraeber-rc / EventDiff.ps1
Created May 28, 2021 14:45
Display only new event log events - I refer to this as event log differential analysis
# Log the time prior to executing the action.
# This will be used as part of an event log XPath filter.
$DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)
# Do the thing now that you want to see potentially relevant events surface...
$null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly
# Give the events a moment to populate
Start-Sleep -Seconds 5
mgraeber-rc / MDE_AppControl_KQL.txt
Created July 30, 2021 16:06
Example query to join AppControlCodeIntegrityPolicy MDE events with AppControlCodeIntegritySigningInformation events. The queries are semi-duplicative to address the way hashes are presented in an unintuitive fashion.
DeviceEvents
| where ActionType startswith "AppControlCodeIntegrityPolicy"
| extend Hash = SHA1
| join kind = inner (
DeviceEvents
| where ActionType == "AppControlCodeIntegritySigningInformation"
| extend VerificationError = extractjson("$.VerificationError", AdditionalFields, typeof(string))
| where VerificationError == "Explicitly denied by WDAC policy"
| extend PublisherName = extractjson("$.PublisherName", AdditionalFields, typeof(string))
| extend PublisherTBSHash = extractjson("$.PublisherTBSHash", AdditionalFields, typeof(string))
mgraeber-rc / Non_Microsoft_UserMode_Load_Audit.xml
Created March 1, 2021 17:06
A WDAC audit-mode policy that will log all non-Windows-signed PE loads
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.1.0</VersionEx>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
<Rule><Option>Enabled:Audit Mode</Option></Rule>
<Rule><Option>Enabled:Advanced Boot Options Menu</Option></Rule>
mgraeber-rc / analysis.md
Created March 4, 2021 21:08
Basic dynamic malware analysis with AMSI events

Step 1) Start an AMSI ETW trace from an elevated command prompt

logman start trace AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) -o amsi.etl -ets

Step 2) Run your evil maldoc or script. Note: AMSI can capture runtime context of VBA, Excel4, JScript, VBScript, PowerShell, WMI, and .NET (4.8+) in-mem assembly loads

Step 3) Stop the AMSI trace

mgraeber-rc / CreateProcess.ps1
Created March 9, 2021 20:30
A simple CreateProcess wrapper for demonstrating starting a process with custom command-line arguments.
function Start-ProcessWithCommandLine {
<#
.SYNOPSIS
A simple CreateProcess wrapper for demonstrating starting a process with custom command-line arguments.
Author: Matt Graeber
Company: Red Canary, Inc.
.PARAMETER ApplicationName
mgraeber-rc / {0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}.xml
Created September 14, 2023 18:54
Recovered WDAC Inbox Policy: VerifiedAndReputableDesktop
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Base Policy" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>0.0.0.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</PolicyID>
<BasePolicyID>{0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
mgraeber-rc / {0939ED82-BFD5-4D32-B58E-D31D3C49715A}.xml
Created September 14, 2023 18:55
Recovered WDAC Inbox Policy: VerifiedAndReputableDesktopTestSupplemental
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Supplemental Policy" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>0.0.0.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{0939ED82-BFD5-4D32-B58E-D31D3C49715A}</PolicyID>
<BasePolicyID>{0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID>
<Rules>
<Rule>
<Option>Disabled:Runtime FilePath Rule Protection</Option>
</Rule>
mgraeber-rc / {1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}.xml
Created September 14, 2023 18:56
Recovered WDAC Inbox Policy: VerifiedAndReputableDesktopEvaluation
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Base Policy" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>0.0.0.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</PolicyID>
<BasePolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
mgraeber-rc / {1939ED82-BFD5-4D32-B58E-D31D3C49715A}.xml
Created September 14, 2023 18:57
Recovered WDAC Inbox Policy: VerifiedAndReputableDesktopEvaluationTestSupplemental
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Supplemental Policy" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>0.0.0.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{1939ED82-BFD5-4D32-B58E-D31D3C49715A}</PolicyID>
<BasePolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID>
<Rules>
<Rule>
<Option>Disabled:Runtime FilePath Rule Protection</Option>
</Rule>