• Stars: 130
• Rank: 277,575 (Top 6 %)
• Language: PowerShell
• License: BSD 3-Clause "New...
• Created over 2 years ago
• Updated almost 2 years ago


Repository Details

Execute PowerShell code at the antimalware-light protection level.

Use this PowerShell module to execute PowerShell code at the antimalware-light protection level. This code was highlighted in the "Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem" talk at REcon as well as at Black Hat USA 2022. This module needs to run elevated. The purpose of this module is to highlight that the antimalware-light protection anti-tampering feature is only as strong as the weakest vendor's ELAM driver.

Thank you to the Microsoft Defender research team for working with me on this issue! When in doubt, if MSRC won't fix something because it's not a security boundary, the Defender team still likely cares very much!

Load the module:

Import-Module .\AntimalwareBlight.psm1

View its exported functions:

Get-Command -Module AntimalwareBlight

View help for the module's functions:

Get-Help Invoke-AntimalwareLightCommand -Full

Note: Invoke-AntimalwareLightCommand is deliberately not fully weaponized. It is up to the user to locate an overly permissive ELAM driver that permits Microsoft-signed code (TBS hash: E17764C39F2AFD7114F8528D2F9783D9A591F6679715EECE730A262CF5CFD3B3).

More Repositories

• PowerShellArsenal (PowerShell, 830 stars): A PowerShell Module Dedicated to Reverse Engineering
• CimSweep (PowerShell, 637 stars): CimSweep is a suite of CIM/WMI-based tools that enable incident response and hunting operations to be performed remotely across all versions of Windows.
• PIC_Bindshell (PowerShell, 279 stars): Position Independent Windows Shellcode Written in C
• WMI_Backdoor (PowerShell, 269 stars): A PoC WMI backdoor presented at Black Hat 2015
• PSSysmonTools (PowerShell, 227 stars): Sysmon Tools for PowerShell
• PSReflect (PowerShell, 212 stars): Easily define in-memory enums, structs, and Win32 functions in PowerShell
• WDACTools (PowerShell, 175 stars): A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
• WinPETools (PowerShell, 144 stars): A module designed to simplify the creation, customization, and deployment of bootable Windows Preinstallation Environment (WinPE) images.
• BHUSA2018_Sysmon (PowerShell, 138 stars): All materials from our Black Hat 2018 "Subverting Sysmon" talk
• DeviceGuardBypassMitigationRules (112 stars): A reference Device Guard code integrity policy consisting of FilePublisher deny rules for published Device Guard configuration bypasses
• PoCSubjectInterfacePackage (PowerShell, 94 stars): A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks.
• BCD (PowerShell, 61 stars): BCD is a module to interact with boot configuration data (BCD) either locally or remotely using the ROOT/WMI:Bcd* WMI classes. The functionality of the functions in this module mirrors that of bcdedit.exe.
• WDACPolicies (52 stars): A collection of Windows software baseline notes with corresponding Windows Defender Application Control (WDAC) policies
• TCGLogTools (PowerShell, 49 stars): A set of tools to retrieve and parse TCG measured boot logs. Microsoft refers to these as Windows Boot Configuration Logs (WBCL). To retrieve these logs, you must be running at least Windows 8 with the TPM enabled.
• WindowsEventLogMetadata (30 stars): Event metadata collected across all manifest-based ETW providers on Windows 10 1903
• ShellcodeExec (C, 23 stars): A simple shellcode runner
• CatalogTools (PowerShell, 18 stars): A PowerShell module to assist in parsing and managing catalog files.
• UnicornPowerShell (PowerShell, 14 stars): A PowerShell binding for the Unicorn Engine
• MSFTTraceMessageFormat (11 stars): All TMF files that I extracted from Microsoft PDBs.
• mattifestation (1 star)