@mgraeber-rc
mgraeber-rc / LayoutNewSubTechniques.ps1
Created March 31, 2020 17:44
Making the new sub-technique JSON a little more readable for me
Invoke-WebRequest -Uri https://attack.mitre.org/docs/subtechniques/subtechniques-crosswalk.json |
    Select-Object -ExpandProperty Content |
    ConvertFrom-Json |
    ForEach-Object {
        $OldTID = Get-Member -InputObject $_ -MemberType NoteProperty -Name T* |
            Select-Object -ExpandProperty Name
        [PSCustomObject] @{ OldTID = $OldTID; NewTID = $_.$OldTID[0].id; Explanation = $_.$OldTID[0].explanation }
    } |
    Sort-Object NewTID, OldTID
mgraeber-rc / CS_Beacon_TEARDROP_Config.json
Created December 22, 2020 16:23
Extracted Cobalt Strike Beacon config for 3cfbf519913d703a802423e6e3fb734abf8297971caccc7ae45df172196b6e84 from this post: https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/
{
"BeaconType": [
"HTTPS"
],
"Port": 443,
"SleepTime": 5000,
"MaxGetSize": 1049611,
"Jitter": 99,
"MaxDNS": 255,
"C2Server": "static.rennorigroup.com,/api/v1/meemes/latest",
mgraeber-rc / MITRE_Attack_WindowsAppControl.csv
Created February 8, 2021 18:58
Windows-specific MITRE ATT&CK techniques application control prevention assessment. This is a first attempt to assess the extent to which application control solutions would mitigate/prevent attack techniques. Note: this highly subjective assessment assumes a system that enforces an application control solution that at a minimum allows all Windo…
ID,Name,MitigatedByAppControl,Notes
T1001,Data Obfuscation,Not Applicable,Relevant sub-techniques addressed below
T1001.001,Junk Data,No,Technique is not necessarily related to the execution of arbitrary code on an endpoint.
T1001.002,Steganography,Limited,If custom attacker code were necessary to perform this technique it would be prevented.
T1001.003,Protocol Impersonation,Limited,If custom attacker code were necessary to perform this technique it would be prevented.
T1003,OS Credential Dumping,Not Applicable,Relevant sub-techniques addressed below
T1003.001,LSASS Memory,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.002,Security Account Manager,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.003,NTDS,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.004,LSA Secrets,Limited,Built-in utilities exist to perform this technique.
mgraeber-rc / Non_Microsoft_Driver_Load_Audit.xml
Created February 26, 2021 17:38
A WDAC audit-mode policy that will log all non-Windows-signed driver loads and any driver that is not WHQL or EV signed.
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
mgraeber-rc / Non_Microsoft_UserMode_Load_Audit.xml
Created March 1, 2021 17:06
A WDAC audit-mode policy that will log all non-Windows-signed PE loads
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.1.0</VersionEx>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
<Rule><Option>Enabled:Audit Mode</Option></Rule>
<Rule><Option>Enabled:Advanced Boot Options Menu</Option></Rule>
mgraeber-rc / analysis.md
Created March 4, 2021 21:08
Basic dynamic malware analysis with AMSI events

Step 1) Start an AMSI ETW trace from an elevated command prompt

logman start trace AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) -o amsi.etl -ets

Step 2) Run your evil maldoc or script. Note: AMSI can capture runtime context of VBA, Excel4, JScript, VBScript, PowerShell, WMI, and .NET (4.8+) in-mem assembly loads

Step 3) Stop the AMSI trace

mgraeber-rc / CreateProcess.ps1
Created March 9, 2021 20:30
A simple CreateProcess wrapper for demonstrating starting a process with custom command-line arguments.
function Start-ProcessWithCommandLine {
<#
.SYNOPSIS
A simple CreateProcess wrapper for demonstrating starting a process with custom command-line arguments.
Author: Matt Graeber
Company: Red Canary, Inc.
.PARAMETER ApplicationName
mgraeber-rc / log_nothing.xml
Created March 16, 2021 14:43
A sysmon configuration that defaults to logging nothing. I use this as a baseline configuration for testing purposes where I can selectively turn on log sources by changing "include" to "exclude"
<Sysmon schemaversion="4.50">
<HashAlgorithms>md5,sha256</HashAlgorithms>
<EventFiltering>
<!--Event ID 1: Process creation-->
<ProcessCreate onmatch="include"></ProcessCreate>
<!--Event ID 2: A process changed a file creation time-->
<FileCreateTime onmatch="include"></FileCreateTime>
<!--Event ID 3: Network connection-->
<NetworkConnect onmatch="include"></NetworkConnect>
<!--Event ID 5: Process terminated-->
mgraeber-rc / powershell_structured_query.xml
Created March 16, 2021 17:33
Example custom event view I used to display only relevant PowerShell logs for a demo
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID='4688')]]
and
*[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe']]
</Select>
<Select Path="Microsoft-Windows-PowerShell/Operational">
*[System[(EventID='4104')]]
and
mgraeber-rc / AuditNonWindowsDrivers.xml
Created April 27, 2021 13:43
An audit-mode driver-only WDAC ruleset that will log driver loads of non-Windows-signed drivers. Microsoft-Windows-CodeIntegrity/Operational Event Log Event ID 3076
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.1.0</VersionEx>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>