This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
filter Get-AppPackageTriageInfo { | |
<# | |
.SYNOPSIS | |
A tool to perform rapid triage of decompressed application packages (.msix and .appx files). | |
.DESCRIPTION | |
Get-AppPackageTriageInfo parses key information from an uncompressed application package (.msix and .appx) without needing to first install it. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ID | Name | MitigatedByAppControl | Notes | |
---|---|---|---|---|
T1001 | Data Obfuscation | Not Applicable | Relevant sub-techniques addressed below | |
T1001.001 | Junk Data | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1001.002 | Steganography | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. | |
T1001.003 | Protocol Impersonation | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. | |
T1003 | OS Credential Dumping | Not Applicable | Relevant sub-techniques addressed below | |
T1003.001 | LSASS Memory | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
T1003.002 | Security Account Manager | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
T1003.003 | NTDS | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
T1003.004 | LSA Secrets | Limited | Built-in utilities exist to perform this technique. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
filter Send-AmsiContent { | |
<# | |
.SYNOPSIS | |
Supplies the AmsiScanBuffer function with a buffer to be scanned by an AMSI provider. | |
Author: Matt Graeber | |
Company: Red Canary | |
.DESCRIPTION |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add-Type -OutputAssembly hello.exe -TypeDefinition @' | |
using System; | |
public class Hello { | |
public static void Main(string[] Args) { | |
System.Console.WriteLine("Hello, world!"); | |
System.Console.Read(); | |
} | |
} | |
'@ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Author: Matt Graeber | |
# Company: Red Canary | |
# To start a trace, run the following from an elevated command prompt: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
# To stop the trace, run the following: logman stop AMSITrace -ets | |
# Example usage: Get-AMSIEvent -Path .\AMSITrace.etl | |
function Get-AMSIEvent { | |
param ( |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0"?> | |
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>10.0.0.0</VersionEx> | |
<PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:UMCI</Option> | |
</Rule> | |
<Rule> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0"?> | |
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Supplemental Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>0.0.0.0</VersionEx> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<PolicyID>{2678656C-05EF-481F-BC5B-EBD8C991502D}</PolicyID> | |
<BasePolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:UMCI</Option> | |
</Rule> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0"?> | |
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Supplemental Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>0.0.0.0</VersionEx> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<PolicyID>{1678656C-05EF-481F-BC5B-EBD8C991502D}</PolicyID> | |
<BasePolicyID>{0283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:UMCI</Option> | |
</Rule> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0"?> | |
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Supplemental Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>0.0.0.0</VersionEx> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<PolicyID>{1939ED82-BFD5-4D32-B58E-D31D3C49715A}</PolicyID> | |
<BasePolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID> | |
<Rules> | |
<Rule> | |
<Option>Disabled:Runtime FilePath Rule Protection</Option> | |
</Rule> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0"?> | |
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyType="Base Policy" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>0.0.0.0</VersionEx> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<PolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</PolicyID> | |
<BasePolicyID>{1283AC0F-FFF1-49AE-ADA1-8A933130CAD6}</BasePolicyID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:UMCI</Option> | |
</Rule> |
NewerOlder