Matt Graeber mgraeber-rc
mgraeber-rc
/ gist:bfc80007cb8816d029ff116928a76e76
Created
September 2, 2021 14:52
Extensions scrutinized by the AssocIsDangerous
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .ade | |
| .adp | |
| .app | |
| .asp | |
| .bas | |
| .bat | |
| .cer | |
| .chm | |
| .cmd | |
| .cnt |
mgraeber-rc
/ AllowAllRuleAdded.xml
Created
August 31, 2021 14:48
Resulting driver deny policy resulting from a few tweaks of Microsoft's supplied policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> | |
| <Rule> | |
| <Option>Enabled:Audit Mode</Option> |
mgraeber-rc
/ MDE_AppControl_KQL.txt
Created
July 30, 2021 16:06
Example query to join AppControlCodeIntegrityPolicy MDE events with AppControlCodeIntegritySigningInformation events. The queries are semi-duplicative to address the way hashes are presented in an unintuitive fashion.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DeviceEvents | |
| | where ActionType startswith "AppControlCodeIntegrityPolicy" | |
| | extend Hash = SHA1 | |
| | join kind = inner ( | |
| DeviceEvents | |
| | where ActionType == "AppControlCodeIntegritySigningInformation" | |
| | extend VerificationError = extractjson("$.VerificationError", AdditionalFields, typeof(string)) | |
| | where VerificationError == "Explicitly denied by WDAC policy" | |
| | extend PublisherName = extractjson("$.PublisherName", AdditionalFields, typeof(string)) | |
| | extend PublisherTBSHash = extractjson("$.PublisherTBSHash", AdditionalFields, typeof(string)) |
mgraeber-rc
/ GenerateWHQLDriverRules.ps1
Created
July 27, 2021 17:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create a scratch directory as the destination for drivers that would have failed to load due to WHQL enforcement. | |
| mkdir Drivers | |
| # After a reboot, list all drivers that would have failed WHQL enforcement - i.e. event ID 3082 events | |
| Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3082 } | ForEach-Object { "C:$($_.Properties[1].Value)" } | Sort-Object -Unique | Get-ChildItem | Copy-Item -Destination .\Drivers\ | |
| # Get signer information for all the affected drivers | |
| $DriverSigners = Get-SystemDriver -ScanPath .\Drivers\ -NoScript -NoShadowCopy | |
| # Build a WHQLPublisher allow rule for the WHQL signed drivers that will only allow WHQL-signed drivers issued to a specific vendor. |
mgraeber-rc
/ DefaultWindows_Audit.xml
Last active
July 29, 2021 00:41
Modified default window-only audit WDAC with WHQL rules removed
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.1.0</VersionEx> | |
| <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID> | |
| <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> |
mgraeber-rc
/ SimulateInternetZoneTest.ps1
Created
May 28, 2021 16:57
Example highlighting why attackers likely choose ISO/IMG as a delivery mechanism - it evades SmartScreen because Mark-of-the-Web (MOTW) cannot be applied to non NTFS volumes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add-Type -OutputAssembly hello.exe -TypeDefinition @' | |
| using System; | |
| public class Hello { | |
| public static void Main(string[] Args) { | |
| System.Console.WriteLine("Hello, world!"); | |
| System.Console.Read(); | |
| } | |
| } | |
| '@ |
mgraeber-rc
/ EventDiff.ps1
Created
May 28, 2021 14:45
Display only new event log events - I refer to this as event log differential analysis
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Log the time prior to executing the action. | |
| # This will be used as parth of an event log XPath filter. | |
| $DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc) | |
| # Do the thing now that you want to see potential relevant events surface... | |
| $null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly | |
| # Allow a moment to allow events to populate | |
| Start-Sleep -Seconds 5 |
mgraeber-rc
/ Windows_Application_Control_Mitigation_Coverage.json
Created
May 27, 2021 13:44
MITRE ATT&CK Navigator Layer - Windows Application Control Mitigation Coverage: Techniques on Windows endpoints that would be prevented, mitigated, or detected by the enforcement of an application control/application allowlisting solution.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "Windows Application Control Mitigation Coverage", | |
| "versions": { | |
| "attack": "9", | |
| "navigator": "4.3", | |
| "layer": "4.2" | |
| }, | |
| "domain": "enterprise-attack", | |
| "description": "Techniques on Windows endpoints that would be prevented, mitigated, or detected by the enforcement of an application control/application allowlisting solution.\n\nAuthor: Matt Graeber, Red Canary", | |
| "filters": { |
mgraeber-rc
/ AuditNonWindowsDrivers.xml
Created
April 27, 2021 13:43
An audit-mode driver-only WDAC ruleset that will log driver loads of non-Windows-signed drivers. Microsoft-Windows-CodeIntegrity/Operational Event Log Event ID 3076
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.1.0</VersionEx> | |
| <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID> | |
| <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> |
mgraeber-rc
/ powershell_structured_query.xml
Created
March 16, 2021 17:33
Example custom event view I used to display only relevant PowerShell logs for a demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <QueryList> | |
| <Query Id="0" Path="Security"> | |
| <Select Path="Security"> | |
| *[System[(EventID='4688')]] | |
| and | |
| *[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe']] | |
| </Select> | |
| <Select Path="Microsoft-Windows-PowerShell/Operational"> | |
| *[System[(EventID='4104')]] | |
| and |