Matt Graeber's Projects
Execute PowerShell code at the antimalware-light protection level.
BCD is a module to interact with boot configuration data (BCD) either locally or remotely using the ROOT/WMI:Bcd* WMI classes. The functionality of the functions in this module mirrors that of bcdedit.exe.
All materials from our Black Hat 2018 "Subverting Sysmon" talk
Capstone disassembly framework: Core + Python + Ocaml + Java + C# bindings
A PowerShell module to assist in parsing and managing catalog files.
CimSweep is a suite of CIM/WMI-based tools that enable incident response and hunting operations to be performed remotely across all versions of Windows.
A reference Device Guard code integrity policy consisting of FilePublisher deny rules for published Device Guard configuration bypasses
All TMF files that I extracted from Microsoft PDBs.
Position Independent Windows Shellcode Written in C
A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks.
A PowerShell Module Dedicated to Reverse Engineering
Easily define in-memory enums, structs, and Win32 functions in PowerShell
Sysmon Tools for PowerShell
A simple shellcode runner
A set of tools to retrieve and parse TCG measured boot logs. Microsoft refers to these as Windows Boot Configuration Logs (WBCL). To retrieve these logs, you must be running at least Windows 8 with the TPM enabled.
A PowerShell binding for the Unicorn Engine
A collection of Windows software baseline notes with corresponding Windows Defender Application Control (WDAC) policies
A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
Event metadata collected across all manifest-based ETW providers on Windows 10 1903
A module designed to simplify the creation, customization, and deployment of bootable Windows Preinstallation Environment (WinPE) images.
A PoC WMI backdoor presented at Black Hat 2015
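The CIM-based remote hunting that CimSweep describes and the WMI event-subscription persistence that the Black Hat 2015 backdoor PoC relies on meet in one place: the permanent event subscriptions stored in the root/subscription namespace. The following is an added example, not code from CimSweep or from the backdoor PoC; it uses only the built-in CimCmdlets (New-CimSession, Get-CimInstance) to enumerate __EventFilter, __EventConsumer and __FilterToConsumerBinding instances on remote hosts and join them into one record per binding. The host names ws01 and ws02 and the function name Get-WmiPersistence are assumptions.

```powershell
# Added example: hunt for WMI permanent event subscriptions over CIM.
# Not CimSweep's code; built-in CimCmdlets only. Host names are assumed.

function Get-WmiPersistence {
    [CmdletBinding()]
    param(
        # CIM sessions to query; when omitted, the local machine is queried.
        [Microsoft.Management.Infrastructure.CimSession[]] $CimSession
    )

    # Reference properties (Binding.Filter/Consumer) usually deserialize as a
    # CimInstance carrying the key property Name; fall back to parsing an
    # object-path string such as __EventFilter.Name="foo" if a string is returned.
    function Get-RefName($Ref) {
        if ($Ref -is [string]) { return ($Ref -replace '^.*\.Name="(.*)"$', '$1') }
        return $Ref.Name
    }

    $common = @{ Namespace = 'root/subscription'; ErrorAction = 'Stop' }
    if ($CimSession) { $common['CimSession'] = $CimSession }

    # Enumerating the abstract base class returns every derived consumer type
    # (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
    $filters   = Get-CimInstance @common -ClassName __EventFilter
    $consumers = Get-CimInstance @common -ClassName __EventConsumer
    $bindings  = Get-CimInstance @common -ClassName __FilterToConsumerBinding

    foreach ($binding in $bindings) {
        $computer = if ($binding.PSComputerName) { $binding.PSComputerName } else { $env:COMPUTERNAME }
        $filterName   = Get-RefName $binding.Filter
        $consumerName = Get-RefName $binding.Consumer

        # Join on Name within the same host so results from many sessions do not cross.
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName   -and ($_.PSComputerName -eq $binding.PSComputerName) }
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName -and ($_.PSComputerName -eq $binding.PSComputerName) }

        $consumerClass = if ($consumer) { $consumer.CimClass.CimClassName } else { $null }

        # The two consumer classes that execute attacker-controlled content.
        $payload = switch ($consumerClass) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName } }
            default                     { $null }
        }

        [PSCustomObject]@{
            ComputerName  = $computer
            FilterName    = $filterName
            Query         = $filter.Query
            ConsumerName  = $consumerName
            ConsumerClass = $consumerClass
            Payload       = $payload
            # Executable consumers deserve a look; others (e.g. NTEventLogEventConsumer) rarely do.
            Suspicious    = $consumerClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

# Usage (host names are placeholders):
$sessions = New-CimSession -ComputerName 'ws01', 'ws02'
Get-WmiPersistence -CimSession $sessions | Where-Object Suspicious | Format-List
$sessions | Remove-CimSession
```

Run it without -CimSession to sweep the local host. On a stock Windows install you should see at most the built-in "SCM Event Log Filter"/"SCM Event Log Consumer" pair, which uses NTEventLogEventConsumer and is not flagged; any CommandLineEventConsumer or ActiveScriptEventConsumer binding is worth reading in full, since the query decides when the payload fires and the payload is exactly what a WMI backdoor of the kind presented at Black Hat 2015 would plant.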