sasqwatch
/ EmulateProcExpDotNetEnumeration.ps1
Created
January 22, 2019 18:27
— forked from mattifestation/EmulateProcExpDotNetEnumeration.ps1
Replicates the data collected when enumerating .NET Assemblies in Process Explorer
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logman start trace dotNetAssemblyTrace2 -p "Microsoft-Windows-DotNETRuntimeRundown" "LoaderRundownKeyword, StartRundownKeyword" win:Informational -o dotNetAssemblyTrace2.etl -ets | |
| Start-Sleep -Seconds 5 | |
| logman stop dotNetAssemblyTrace2 -ets | |
| $EnumeratedCLRRuntimes = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=187)]]' | |
| $EnumeratedAppDomains = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=157)]]' | |
| $EnumeratedAssemblies = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=155)]]' | |
| $EnumeratedModules = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=153)]]' |
sasqwatch
/ GetPEFeature.ps1
Created
January 22, 2019 18:27
— forked from mattifestation/GetPEFeature.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter Get-PEFeature { | |
| <# | |
| .SYNOPSIS | |
| Retrieves key features from PE files that can be used to build detections. | |
| .DESCRIPTION | |
| Get-PEFeature extracts key features of PE files that are relevant to building detections. |
sasqwatch
/ AMSIScriptContentRetrieval.ps1
Created
January 22, 2019 18:29
— forked from mattifestation/AMSIScriptContentRetrieval.ps1
PoC code used to demonstrate extracting script contents using the AMSI ETW provider
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Script author: Matt Graeber (@mattifestation) | |
| # logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
| # Do your malicious things here that would be logged by AMSI | |
| # logman stop AMSITrace -ets | |
| $OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture | |
| $OSArch = $OSArchProperty.OSArchitecture | |
| $OSPointerSize = 32 | |
| if ($OSArch -eq '64-bit') { $OSPointerSize = 64 } |
sasqwatch
/ wldp_interesting_rundll32_invocations.txt
Created
January 22, 2019 18:29
— forked from mattifestation/wldp_interesting_rundll32_invocations.txt
DLLs and export functions that wldp.dll finds interesting when invoked with rundll32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| StorageUsage.dll,GetStorageUsageInfo | |
| acmigration.dll,ApplyMigrationShims | |
| acproxy.DLL,PerformAutochkOperations | |
| ppioobe.dll,setupcalendaraccountforuser | |
| edgehtml.dll,#125 | |
| edgehtml.dll,#133 | |
| davclnt.dll,davsetcookie | |
| appxdeploymentextensions.onecore.dll,shellrefresh | |
| pla.dll,plahost | |
| aeinv.dll,updatesoftwareinventory |
sasqwatch
/ UEFISecDatabaseParser.ps1
Created
January 22, 2019 18:29
— forked from mattifestation/UEFISecDatabaseParser.ps1
Parses signature data from the pk, kek, db, and dbx UEFI variables.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-UEFIDatabaseSigner { | |
| <# | |
| .SYNOPSIS | |
| Dumps signature or hash information for whitelisted ('db' variable) or blacklisted ('dbx' variable) UEFI bootloaders. | |
| .DESCRIPTION | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause |
sasqwatch
/ LoadInMemoryModule.ps1
Created
January 22, 2019 18:29
— forked from mattifestation/LoadInMemoryModule.ps1
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Domain = [AppDomain]::CurrentDomain | |
| $DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly') | |
| $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
| $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule') | |
| # Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into. | |
| $ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll') | |
| $TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public) | |
| $TypeBuilder.CreateType() | |
| $HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |
sasqwatch
/ GetSecureBootPolicy.ps1
Created
January 22, 2019 18:30
— forked from mattifestation/GetSecureBootPolicy.ps1
Partially-completed Secure Boot policy parser. I need help with parsing our the BCD element values.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-SecureBootPolicy { | |
| <# | |
| .SYNOPSIS | |
| Parses a Secure Boot policy. | |
| .DESCRIPTION | |
| Get-SecureBootPolicy parses either the default, system Secure Boot policy or a policy passed as a byte array. The byte array must be a raw, unsigned policy. |
sasqwatch
/ PowerShellDSCLateralMovement.ps1
Created
January 22, 2019 18:32
— forked from mattifestation/PowerShellDSCLateralMovement.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This idea originated from this blog post on Invoke DSC Resources directly: | |
| # https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/ | |
| <# | |
| $MOFContents = @' | |
| instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref | |
| { | |
| ResourceID = "[Script]ScriptExample"; | |
| GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True"; | |
| TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True"; |
sasqwatch
/ PowerShellHostFinder.ps1
Created
January 22, 2019 18:40
— forked from mattifestation/PowerShellHostFinder.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matt Graeber, SpecterOps | |
| ls C:\* -Recurse -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue | % { | |
| try { | |
| $Assembly = [Reflection.Assembly]::ReflectionOnlyLoadFrom($_.FullName) | |
| if ($Assembly.GetReferencedAssemblies().Name -contains 'System.Management.Automation') { | |
| $_.FullName | |
| } | |
| } catch {} | |
| } |
sasqwatch
/ CILStreamObfuscation.ps1
Created
January 22, 2019 18:40
— forked from mattifestation/CILStreamObfuscation.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ${🤷} = New-Object Reflection.Emit.DynamicMethod('💩', [UInt32], @([UInt32], [UInt32])) | |
| ${🤔} = ${🤷}.GetILGenerator() | |
| @(@(2, 275120805),@(3, 275120805),@(88, -261739867),@(42, 23440101)) | % { | |
| ${🤔}.Emit([Activator]::CreateInstance([System.Reflection.Emit.OpCode], [Reflection.BindingFlags] 'NonPublic, Instance', $null, @(($_[0] -as [System.Reflection.Emit.OpCode].Assembly.GetType('System.Reflection.Emit.OpCodeValues')), $_[1]), $null)) | |
| } | |
| ${💩} = ${🤷}.CreateDelegate([Func``3[UInt32, UInt32, UInt32]]) | |
| ${💩}.Invoke(2,3) |