
@mattifestation
Last active August 12, 2025 10:14

Revisions

  1. mattifestation revised this gist Oct 27, 2021. 1 changed file with 42 additions and 1 deletion.
    43 changes: 42 additions & 1 deletion MDE_DataCollection_Scripts.md
    @@ -55,4 +55,45 @@ Issuer : CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporati
    Subject : CN=Microsoft Windows Defender Advanced Threat Protection, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    ```

    Here is a link to `046a3caf-d9ec-4da6-a32a-fb148992596a.ps1` in VT: https://www.virustotal.com/gui/file/d871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803/details
    Here is a link to `046a3caf-d9ec-4da6-a32a-fb148992596a.ps1` in VT: https://www.virustotal.com/gui/file/d871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803/details

    And because the scripts are signed, I can allow all of them to execute in a robust fashion with WDAC. This is the code integrity policy that I merged into my master policy that allows these scripts to execute:

    ```xml
    <?xml version="1.0" encoding="utf-8"?>
    <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
    <VersionEx>10.0.0.0</VersionEx>
    <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
    <Rules />
    <!--EKUS-->
    <EKUs />
    <!--File Rules-->
    <FileRules />
    <!--Signers-->
    <Signers>
    <Signer ID="ID_SIGNER_DEFENDER_FOR_ENDPOINT" Name="Microsoft Code Signing PCA 2011">
    <CertRoot Type="TBS" Value="F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E" />
    <CertPublisher Value="Microsoft Windows Defender Advanced Threat Protection" />
    </Signer>
    </Signers>
    <!--Driver Signing Scenarios-->
    <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 10-27-2021">
    <ProductSigners />
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 10-27-2021">
    <ProductSigners>
    <AllowedSigners>
    <AllowedSigner SignerId="ID_SIGNER_DEFENDER_FOR_ENDPOINT" />
    </AllowedSigners>
    </ProductSigners>
    </SigningScenario>
    </SigningScenarios>
    <UpdatePolicySigners />
    <CiSigners>
    <CiSigner SignerId="ID_SIGNER_DEFENDER_FOR_ENDPOINT" />
    </CiSigners>
    <HvciOptions>0</HvciOptions>
    <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
    </SiPolicy>
    ```
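Review bot: the `<Rules />` element is empty, so this fragment carries no policy options of its own (audit vs. enforce, script enforcement, and so on) and only does anything after it is merged into the master policy the prose mentions; say that next to the XML so nobody deploys it stand-alone. The signer rule itself is a publisher rule (TBS of the `Microsoft Code Signing PCA 2011` intermediate plus `CertPublisher` set to the leaf CN), which is the right granularity here: the leaf in the `Get-AuthenticodeSignature` output further down is valid for one year (NotBefore 1/28/2021, NotAfter 1/27/2022) and will be reissued, so a leaf TBS or file hash rule would break on rotation. Also worth a sentence: `ID_SIGNER_DEFENDER_FOR_ENDPOINT` is referenced from both `AllowedSigners` in the Windows (`Value="12"`) scenario and from `CiSigners`, as user-mode/script allow rules require, while the kernel scenario (`Value="131"`) is left empty, which is correct since nothing here should load as a driver.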
  2. mattifestation created this gist Oct 27, 2021.
    58 changes: 58 additions & 0 deletions MDE_DataCollection_Scripts.md
    @@ -0,0 +1,58 @@
    Microsoft Defender for Endpoint does a great job of ensuring the integrity of the scripts they push and execute.

    First, they ensure that the script to execute matches the expected file hash. Example:

    ```
    powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read);$calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803')) { exit 323;}; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' }"
    ```

    Cleaned up PowerShell:
    ```powershell
    & {
    $OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8
    $scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read)
    $calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256
    if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803')) {
    exit 323; # ERROR_DATA_CHECKSUM_ERROR
    }
    . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1'
    }
    ```

    `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection` is also only accessible by SYSTEM.

    Also, each script is signed with a `Microsoft Windows Defender Advanced Threat Protection` certificate which makes validation and enforcement with application control _so_ much easier!

    ```
    > Get-AuthenticodeSignature 046a3caf-d9ec-4da6-a32a-fb148992596a.ps1 | Select-Object -ExpandProperty SignerCertificate | Format-List *
    EnhancedKeyUsageList : {Code Signing (1.3.6.1.5.5.7.3.3), 1.3.6.1.4.1.311.76.47.1}
    DnsNameList : {Microsoft Windows Defender Advanced Threat Protection}
    SendAsTrustedIssuer : False
    Archived : False
    Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
    System.Security.Cryptography.Oid...}
    FriendlyName :
    IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter : 1/27/2022 3:50:22 PM
    NotBefore : 1/28/2021 3:50:22 PM
    HasPrivateKey : False
    PrivateKey :
    PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
    RawData : {48, 130, 6, 21...}
    SerialNumber : 3300000205FC5081544065EFB0000000000205
    SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm : System.Security.Cryptography.Oid
    Thumbprint : 1FF064E13C25D7B5C83549F1562DD64181C4443A
    Version : 3
    Handle : 3221047460208
    Issuer : CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    Subject : CN=Microsoft Windows Defender Advanced Threat Protection, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    ```

    Here is a link to `046a3caf-d9ec-4da6-a32a-fb148992596a.ps1` in VT: https://www.virustotal.com/gui/file/d871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803/details
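Review bot: the `$scriptFileStream` handle opened at the top of the cleaned-up block is the most security-relevant line and the prose does not explain it: the script is opened with share mode Read and the handle is never closed, so no other process can open the file for writing between `Get-FileHash` computing the digest and the dot-source executing it. That is what turns the hash comparison from a TOCTOU-prone check into a real integrity guarantee, and it deserves a sentence above the block. Two smaller points on that same line: the fourth argument to `[System.IO.File]::Open` is a `FileShare`, not a `FileAccess`, and passing `[System.IO.FileAccess]::Read` only works because both enums map `Read` to 1, so `[System.IO.FileShare]::Read` would state the intent. And `-ExecutionPolicy AllSigned` means the Authenticode signature shown later is also verified when the script is dot-sourced, so the pinned SHA-256 (with the `ERROR_DATA_CHECKSUM_ERROR` 323 exit the comment already labels) is a second, independent control rather than the only one.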