Pinned Repositories
AntimalwareBlight
Execute PowerShell code at the antimalware-light protection level.
BHUSA2018_Sysmon
All materials from our Black Hat 2018 "Subverting Sysmon" talk
CimSweep
CimSweep is a suite of CIM/WMI-based tools that enable incident response and hunting operations to be performed remotely across all versions of Windows.
PIC_Bindshell
Position Independent Windows Shellcode Written in C
PowerShellArsenal
A PowerShell Module Dedicated to Reverse Engineering
PSReflect
Easily define in-memory enums, structs, and Win32 functions in PowerShell
PSSysmonTools
Sysmon Tools for PowerShell
WDACTools
A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
WinPETools
A module designed to simplify the creation, customization, and deployment of bootable Windows Preinstallation Environment (WinPE) images.
WMI_Backdoor
A PoC WMI backdoor presented at Black Hat 2015
mattifestation's Repositories
mattifestation/PowerShellArsenal
A PowerShell Module Dedicated to Reverse Engineering
mattifestation/CimSweep
CimSweep is a suite of CIM/WMI-based tools that enable incident response and hunting operations to be performed remotely across all versions of Windows.
mattifestation/PIC_Bindshell
Position Independent Windows Shellcode Written in C
mattifestation/WMI_Backdoor
A PoC WMI backdoor presented at Black Hat 2015
mattifestation/PSSysmonTools
Sysmon Tools for PowerShell
mattifestation/WDACTools
A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
mattifestation/PSReflect
Easily define in-memory enums, structs, and Win32 functions in PowerShell
mattifestation/WinPETools
A module designed to simplify the creation, customization, and deployment of bootable Windows Preinstallation Environment (WinPE) images.
mattifestation/AntimalwareBlight
Execute PowerShell code at the antimalware-light protection level.
mattifestation/BHUSA2018_Sysmon
All materials from our Black Hat 2018 "Subverting Sysmon" talk
mattifestation/DeviceGuardBypassMitigationRules
A reference Device Guard code integrity policy consisting of FilePublisher deny rules for published Device Guard configuration bypasses
mattifestation/PoCSubjectInterfacePackage
A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks.
mattifestation/TCGLogTools
A set of tools to retrieve and parse TCG measured boot logs. Microsoft refers to these as Windows Boot Configuration Logs (WBCL). In order to retrieve these logs, you must be running at least Windows 8 with the TPM enabled.
mattifestation/WDACPolicies
A collection of Windows software baseline notes with corresponding Windows Defender Application Control (WDAC) policies
mattifestation/BCD
BCD is a module to interact with boot configuration data (BCD) either locally or remotely using the ROOT/WMI:Bcd* WMI classes. The functionality of the functions in this module mirrors that of bcdedit.exe.
mattifestation/WindowsEventLogMetadata
Event metadata collected across all manifest-based ETW providers on Windows 10 1903
mattifestation/CatalogTools
A PowerShell module to assist in parsing and managing catalog files.
mattifestation/ShellcodeExec
A simple shellcode runner
mattifestation/capstone
Capstone disassembly framework: Core + Python + Ocaml + Java + C# bindings
mattifestation/UnicornPowerShell
A PowerShell binding for the Unicorn Engine
mattifestation/MSFTTraceMessageFormat
All TMF files that I extracted from Microsoft PDBs.
mattifestation/mattifestation