Skip to content

Instantly share code, notes, and snippets.

View sunnyc7's full-sized avatar

Sunny Chakraborty sunnyc7

46 followers · 165 following
  • NJ
View GitHub Profile
@mgraeber-rc
mgraeber-rc / ATPSiPolicy.xml
Created September 12, 2023 15:15
Recovered Microsoft Defender for Endpoint WDAC policy that is dropped to %windir%\System32\CodeIntegrity\ATPSiPolicy.p7b when "Restrict App Execution" is enabled for a device.
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
@odzhan
odzhan / lsa_extension.md
Last active July 31, 2022 23:10
LSA Extension Internals

LSA Extension Internals

About

I want to use lsasrv!LsaProtectMemory() inside the LSASS process to encrypt a block of memory and return the ciphertext. It's part of the LsapLsasrvIfTable interface in lsasrv.dll, but unless I'm mistaken can only be accessed by another LSA extension using the lsasrv!QueryLsaInterface() function. The following text is some basic information about the internal structures.

LsapLsasrvIfTable:
  dq offset LsaProtectMemory
  dq offset LsaUnprotectMemory

dq offset LsaIFreeReturnBuffer

@mgraeber-rc
mgraeber-rc / GenerateWHQLDriverRules.ps1
Created July 27, 2021 17:23
# Create a scratch directory as the destination for drivers that would have failed to load due to WHQL enforcement.
mkdir Drivers
# After a reboot, list all drivers that would have failed WHQL enforcement - i.e. event ID 3082 events
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3082 } | ForEach-Object { "C:$($_.Properties[1].Value)" } | Sort-Object -Unique | Get-ChildItem | Copy-Item -Destination .\Drivers\
# Get signer information for all the affected drivers
$DriverSigners = Get-SystemDriver -ScanPath .\Drivers\ -NoScript -NoShadowCopy
# Build a WHQLPublisher allow rule for the WHQL signed drivers that will only allow WHQL-signed drivers issued to a specific vendor.
@mgraeber-rc
mgraeber-rc / SimulateInternetZoneTest.ps1
Created May 28, 2021 16:57
Example highlighting why attackers likely choose ISO/IMG as a delivery mechanism - it evades SmartScreen because Mark-of-the-Web (MOTW) cannot be applied to non NTFS volumes
Add-Type -OutputAssembly hello.exe -TypeDefinition @'
using System;
public class Hello {
public static void Main(string[] Args) {
System.Console.WriteLine("Hello, world!");
System.Console.Read();
}
}
'@
@mgraeber-rc
mgraeber-rc / AuditNonWindowsDrivers.xml
Created April 27, 2021 13:43
An audit-mode driver-only WDAC ruleset that will log driver loads of non-Windows-signed drivers. Microsoft-Windows-CodeIntegrity/Operational Event Log Event ID 3076
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.1.0</VersionEx>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
@wdormann
wdormann / checkaslr.py
Last active April 20, 2020 18:16
Check for running processes on Windows that have components that do not utilize ASLR
#!/usr/bin/env python
'''
Utility to check for processes running with non-ASLR-compatible components.
Run with Administrative privileges to get visibility into all processes.
(1a) psutil: https://pypi.org/project/psutil/
Installed via PIP
-OR-
(1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls
@NotMedic
NotMedic / Instructions.md
Created November 7, 2019 20:10
Headless Remote Chrome Debugging - Ichabod Chrome :)

Target

Start Chrome with the following flags:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

--remote-debugging-port=9222

--remote-debugging-address=0.0.0.0

@mattifestation
mattifestation / ExpandDefenderSig.ps1
Created March 28, 2019 20:17
Decompresses Windows Defender AV signatures for exploration purposes
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS
Decompresses a Windows Defender AV signature database (.VDM file).
.DESCRIPTION
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
@wdormann
wdormann / checkaslrfiles.py
Last active September 19, 2022 23:40
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
'''checkaslrfiles.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: checkaslrfiles.py <dir>
ex: checkaslr.py "C:\Program Files\"
requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''
@mattifestation
mattifestation / WmiEventConsumerClassDerivation.ps1
Last active November 15, 2023 18:21
function New-ActiveScriptEventConsumerClass {
<#
.SYNOPSIS
Creates an ActiveScriptEventConsumer WMI class in the namespace of your choosing.
.DESCRIPTION
New-ActiveScriptEventConsumerClass creates a clone of the ActiveScriptEventConsumer WMI event consumer class using the class name and namespace name of your choosing.