Matt Graeber mgraeber-rc

## LayoutNewSubTechniques.ps1
Invoke-WebRequest -Uri https://attack.mitre.org/docs/subtechniques/subtechniques-crosswalk.json |
  Select-Object -ExpandProperty Content |
  ConvertFrom-Json |
  ForEach-Object {
    $OldTID = Get-Member -InputObject $_ -MemberType NoteProperty -Name T* |
    Select-Object -ExpandProperty Name;

    [PSCustomObject] @{ OldTID = $OldTID; NewTID = $_.$OldTID[0].id; Explanation = $_.$OldTID[0].explanation } } |
  Sort-Object NewTID, OldTID

## CS_Beacon_TEARDROP_Config.json
{
  "BeaconType": [
    "HTTPS"
  ],
  "Port": 443,
  "SleepTime": 5000,
  "MaxGetSize": 1049611,
  "Jitter": 99,
  "MaxDNS": 255,
  "C2Server": "static.rennorigroup.com,/api/v1/meemes/latest",

## powershell_structured_query.xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID='4688')]]
      and
      *[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe']]
    </Select>
    <Select Path="Microsoft-Windows-PowerShell/Operational">
      *[System[(EventID='4104')]]
      and

## Non_Microsoft_Driver_Load_Audit.xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>

## log_nothing.xml
<Sysmon schemaversion="4.50">
    <HashAlgorithms>md5,sha256</HashAlgorithms>
    <EventFiltering>
        <!--Event ID 1: Process creation-->
        <ProcessCreate onmatch="include"></ProcessCreate>
        <!--Event ID 2: A process changed a file creation time-->
        <FileCreateTime onmatch="include"></FileCreateTime>
        <!--Event ID 3: Network connection-->
        <NetworkConnect onmatch="include"></NetworkConnect>
        <!--Event ID 5: Process terminated-->

## Windows_Application_Control_Mitigation_Coverage.json
{
	"name": "Windows Application Control Mitigation Coverage",
	"versions": {
		"attack": "9",
		"navigator": "4.3",
		"layer": "4.2"
	},
	"domain": "enterprise-attack",
	"description": "Techniques on Windows endpoints that would be prevented, mitigated, or detected by the enforcement of an application control/application allowlisting solution.\n\nAuthor: Matt Graeber, Red Canary",
	"filters": {

## DefaultWindows_Audit.xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.1.0</VersionEx>
  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
  <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>

## GenerateWHQLDriverRules.ps1
# Create a scratch directory as the destination for drivers that would have failed to load due to WHQL enforcement.
mkdir Drivers

# After a reboot, list all drivers that would have failed WHQL enforcement - i.e. event ID 3082 events
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3082 } | ForEach-Object { "C:$($_.Properties[1].Value)" } | Sort-Object -Unique | Get-ChildItem | Copy-Item -Destination .\Drivers\

# Get signer information for all the affected drivers
$DriverSigners = Get-SystemDriver -ScanPath .\Drivers\ -NoScript -NoShadowCopy

# Build a WHQLPublisher allow rule for the WHQL signed drivers that will only allow WHQL-signed drivers issued to a specific vendor.

## AuditNonWindowsDrivers.xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.1.0</VersionEx>
  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
  <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>

## AllowAllRuleAdded.xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Audit Mode</Option>
	Invoke-WebRequest -Uri https://attack.mitre.org/docs/subtechniques/subtechniques-crosswalk.json \|
	Select-Object -ExpandProperty Content \|
	ConvertFrom-Json \|
	ForEach-Object {
	$OldTID = Get-Member -InputObject $_ -MemberType NoteProperty -Name T* \|
	Select-Object -ExpandProperty Name;

	[PSCustomObject] @{ OldTID = $OldTID; NewTID = $_.$OldTID[0].id; Explanation = $_.$OldTID[0].explanation } } \|
	Sort-Object NewTID, OldTID
	{
	"BeaconType": [
	"HTTPS"
	],
	"Port": 443,
	"SleepTime": 5000,
	"MaxGetSize": 1049611,
	"Jitter": 99,
	"MaxDNS": 255,
	"C2Server": "static.rennorigroup.com,/api/v1/meemes/latest",
	<QueryList>
	<Query Id="0" Path="Security">
	<Select Path="Security">
	*[System[(EventID='4688')]]
	and
	*[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe']]
	</Select>
	<Select Path="Microsoft-Windows-PowerShell/Operational">
	*[System[(EventID='4104')]]
	and
	<?xml version="1.0" encoding="utf-8"?>
	<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.0.0</VersionEx>
	<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>
	<Rule>
	<Sysmon schemaversion="4.50">
	<HashAlgorithms>md5,sha256</HashAlgorithms>
	<EventFiltering>
	<!--Event ID 1: Process creation-->
	<ProcessCreate onmatch="include"></ProcessCreate>
	<!--Event ID 2: A process changed a file creation time-->
	<FileCreateTime onmatch="include"></FileCreateTime>
	<!--Event ID 3: Network connection-->
	<NetworkConnect onmatch="include"></NetworkConnect>
	<!--Event ID 5: Process terminated-->
	{
	"name": "Windows Application Control Mitigation Coverage",
	"versions": {
	"attack": "9",
	"navigator": "4.3",
	"layer": "4.2"
	},
	"domain": "enterprise-attack",
	"description": "Techniques on Windows endpoints that would be prevented, mitigated, or detected by the enforcement of an application control/application allowlisting solution.\n\nAuthor: Matt Graeber, Red Canary",
	"filters": {
	<?xml version="1.0" encoding="utf-8"?>
	<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.1.0</VersionEx>
	<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
	<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>
	# Create a scratch directory as the destination for drivers that would have failed to load due to WHQL enforcement.
	mkdir Drivers

	# After a reboot, list all drivers that would have failed WHQL enforcement - i.e. event ID 3082 events
	Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3082 } \| ForEach-Object { "C:$($_.Properties[1].Value)" } \| Sort-Object -Unique \| Get-ChildItem \| Copy-Item -Destination .\Drivers\

	# Get signer information for all the affected drivers
	$DriverSigners = Get-SystemDriver -ScanPath .\Drivers\ -NoScript -NoShadowCopy

	# Build a WHQLPublisher allow rule for the WHQL signed drivers that will only allow WHQL-signed drivers issued to a specific vendor.