Matt Graeber's repositories
PowerShellArsenal
A PowerShell Module Dedicated to Reverse Engineering
PIC_Bindshell
Position Independent Windows Shellcode Written in C
WMI_Backdoor
A PoC WMI backdoor presented at Black Hat 2015
PSSysmonTools
Sysmon Tools for PowerShell
WinPETools
A module designed to simplify the creation, customization, and deployment of bootable Windows Preinstallation Environment (WinPE) images.
BHUSA2018_Sysmon
All materials from our Black Hat 2018 "Subverting Sysmon" talk
AntimalwareBlight
Execute PowerShell code at the antimalware-light protection level.
DeviceGuardBypassMitigationRules
A reference Device Guard code integrity policy consisting of FilePublisher deny rules for published Device Guard configuration bypasses
PoCSubjectInterfacePackage
A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks.
WDACPolicies
A collection of Windows software baseline notes with corresponding Windows Defender Application Control (WDAC) policies
TCGLogTools
A set of tools to retrieve and parse TCG measured boot logs. Microsoft refers to these as Windows Boot Configuration Logs (WBCL). In order to retrieve these logs, you must be running at least Windows 8 with the TPM enabled.
WindowsEventLogMetadata
Event metadata collected across all manifest-based ETW providers on Windows 10 1903
ShellcodeExec
A simple shellcode runner
CatalogTools
A PowerShell module to assist in parsing and managing catalog files.
UnicornPowerShell
A PowerShell binding for the Unicorn Engine
MSFTTraceMessageFormat
All TMF files that I extracted from Microsoft PDBs.