CaledoniaProject

View GitHub Profile
@CaledoniaProject
CaledoniaProject / index.js
Created September 29, 2020 12:25
IndexDB to SQLite3
const sqlite3 = require('sqlite3')
const fs = require('fs')

let dbpath = 'common.db'
let finished = 0, total = 0

// Start from an empty database: remove any stale file *before* opening it.
// Opening first and unlinking afterwards (the original order) would only
// orphan the handle sqlite3 had already created on common.db.
if (fs.existsSync(dbpath)) {
  fs.unlinkSync(dbpath)
}
let mydb = new sqlite3.Database(dbpath)
CaledoniaProject / mac-setup.sh
Created September 21, 2020 01:03
Setup mac and default settings, sudo privilege required
#!/bin/bash
echo Setting up ComputerName and HostName
sudo scutil --set ComputerName XXX
sudo scutil --set HostName XXX
echo Disable spotlight
sudo mdutil -a -i off
echo Disable guest account
CaledoniaProject / test.ps1
Created June 14, 2020 22:53
NtSetInformationKey
$code = @'
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
namespace RegRoutines
CaledoniaProject / dump_audit.sql
Created January 20, 2020 00:09
SQLServer dump audit specifications
-- Maps each server audit to the database audit specifications bound to it
-- and the actions they capture. sys.database_audit_specification* are
-- per-database views, so run this in the database you are reviewing.
SELECT [sa].[name] as audit_name, [sas].[name] as audit_spec_name, [sasd].[audit_action_name] as action, [dp].[name] as username, [o].[name] as tablename
FROM sys.server_audits sa
JOIN sys.database_audit_specifications sas ON sa.audit_guid = sas.audit_guid
JOIN sys.database_audit_specification_details as sasd ON sas.database_specification_id = sasd.database_specification_id
LEFT JOIN sys.database_principals dp ON dp.principal_id = sasd.audited_principal_id
-- major_id is 0 for database-scoped actions and action groups, which have no
-- matching row in sys.objects; an inner join here would silently drop them.
LEFT JOIN sys.objects o ON o.object_id = sasd.major_id
CaledoniaProject / ts.py
Created November 25, 2019 03:56
modify-pe-timestamp
import pefile

# Rewrite IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch).
# 1348054607 is 2012-09-19 11:36:47 UTC. Only these four bytes change; the
# OptionalHeader CheckSum is not recomputed by pe.write().
pe = pefile.PE("test.exe")
pe.FILE_HEADER.TimeDateStamp = 1348054607
pe.write("new.exe")
pe.close()
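The gist above changes the COFF timestamp through pefile. The following is an added example, not part of the gist, that does the same edit on the raw bytes so it is explicit which four bytes move (and that nothing else, the checksum included, is touched), plus the reverse read a triage script needs. The minimal PE header it builds is a constructed fixture, not a real binary; `build_minimal_pe`, `get_timestamp` and `set_timestamp` are names chosen here.

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF spec: e_lfanew lives at 0x3C in the DOS header, the
# 4-byte "PE\0\0" signature sits at e_lfanew, and IMAGE_FILE_HEADER follows it
# with TimeDateStamp as its third field (offset 4, 4 bytes, little-endian).
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20
TIMESTAMP_OFFSET_IN_FILE_HEADER = 4


def timestamp_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER.TimeDateStamp, validating the headers on the way."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    sig_end = e_lfanew + len(PE_SIGNATURE)
    if sig_end + FILE_HEADER_SIZE > len(data) or data[e_lfanew:sig_end] != PE_SIGNATURE:
        raise ValueError("bad e_lfanew or missing PE signature")
    return sig_end + TIMESTAMP_OFFSET_IN_FILE_HEADER


def get_timestamp(data: bytes) -> int:
    """Read the compile timestamp (seconds since the Unix epoch, unsigned 32-bit)."""
    (ts,) = struct.unpack_from("<I", data, timestamp_offset(data))
    return ts


def set_timestamp(data: bytes, new_ts: int) -> bytes:
    """Return a copy of the image with only the four TimeDateStamp bytes replaced.
    The OptionalHeader CheckSum (if present) is left stale, just as pefile's write() leaves it."""
    if not 0 <= new_ts <= 0xFFFFFFFF:
        raise ValueError("TimeDateStamp is a 32-bit unsigned field")
    off = timestamp_offset(data)
    return data[:off] + struct.pack("<I", new_ts) + data[off + 4:]


def timestamp_to_utc(ts: int) -> str:
    """Render the stamp as a human-readable UTC time."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_minimal_pe(ts: int) -> bytes:
    """Constructed fixture: a DOS header pointing at a PE signature plus a bare COFF
    header. Not loadable; it exists only so the functions above can run offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, len(dos))
    # IMAGE_FILE_HEADER: Machine (x64), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 0, 0x0022)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    image = build_minimal_pe(1348054607)
    print("before:", get_timestamp(image), timestamp_to_utc(get_timestamp(image)))
    image = set_timestamp(image, 0)
    print("after: ", get_timestamp(image), timestamp_to_utc(get_timestamp(image)))
```

On a real file, `set_timestamp(open(path, "rb").read(), ts)` produces the same bytes pefile would. When hunting for this trick from the defensive side, compare the COFF stamp against the timestamps in the debug and export directories and against the Authenticode signing time; also remember that Microsoft's own reproducible builds since Windows 10 put a hash, not a time, in this field, so an implausible value on its own is not evidence of tampering.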
CaledoniaProject / TI-Search-Shortcuts.md
Created March 25, 2019 14:06 — forked from Neo23x0/TI-Search-Shortcuts.md
Search Engine Shortcuts

Use Manage Search Engines in your browser to add these search engines. You can then use the 'keyword' in the URL bar to do a quick lookup. Find more details about managing your search engines in Chrome here.

e.g. Type

v dad8ebcbb5fa6721ccad45b81874e22c
CaledoniaProject / SimpleTCGLogParser.ps1
Created March 15, 2019 05:30 — forked from mattifestation/SimpleTCGLogParser.ps1
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
Import-Module HgsDiagnostics

# HgsDiagnostics references the assembly that carries the TCG log parser;
# load it by the exact referenced name rather than hard-coding a path.
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName

# Windows writes one measured-boot log per boot; take the newest.
$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)
$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)

# Group the parsed events by the PCR they were extended into.
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex
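The gist above leans on Microsoft.Windows.RemoteAttestation.Core to parse the log and then groups events by PCR. As an added example that is not part of the gist (nor of HgsDiagnostics), the Python below parses the same crypto-agile TCG_PCR_EVENT2 format by hand, replays the PCR values an attestation service would compare against a TPM quote, and verifies the digests that the PC Client spec defines as hashes of the event data. The log it parses is a constructed fixture assembled inside the block, not a real MeasuredBoot capture; the function names are chosen here.

```python
import hashlib
import struct
from collections import defaultdict

# Event types and digest algorithms from the TCG PC Client Platform Firmware Profile.
EV_NO_ACTION = 0x00000003       # informational entries, never extended into a PCR
EV_SEPARATOR = 0x00000004
EV_S_CRTM_VERSION = 0x00000008
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
HASH = {TPM_ALG_SHA1: hashlib.sha1, TPM_ALG_SHA256: hashlib.sha256}
# Event types whose digest is, by spec, taken over the event data itself. For
# e.g. EV_EFI_BOOT_SERVICES_APPLICATION the digest is of the loaded image instead.
DIGEST_COVERS_EVENT = {EV_SEPARATOR, EV_S_CRTM_VERSION}


def parse_tcg_log(data):
    """Parse a crypto-agile (TCG_PCR_EVENT2) log such as C:\\Windows\\Logs\\MeasuredBoot\\*.log.
    Returns (alg_sizes, events); each event is a dict with keys pcr, type, digests, event."""
    # The first entry uses the TPM 1.2 layout (fixed 20-byte SHA-1 digest field) and
    # carries the Spec ID Event03 header that declares the active digest banks.
    pcr, etype = struct.unpack_from("<II", data, 0)
    (size,) = struct.unpack_from("<I", data, 28)
    spec = data[32:32 + size]
    off = 32 + size
    if etype != EV_NO_ACTION or not spec.startswith(b"Spec ID Event03\0"):
        raise ValueError("not a Spec ID Event03 (TCG_PCR_EVENT2) log")
    (n_algs,) = struct.unpack_from("<I", spec, 24)
    alg_sizes = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(n_algs))
    events = [{"pcr": pcr, "type": etype, "digests": {}, "event": spec}]
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated event header")
        pcr, etype, count = struct.unpack_from("<III", data, off)
        off += 12
        digests = {}
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", data, off)
            off += 2
            if alg not in alg_sizes:
                raise ValueError(f"digest algorithm 0x{alg:04x} not declared in Spec ID event")
            digests[alg] = data[off:off + alg_sizes[alg]]
            off += alg_sizes[alg]
        (size,) = struct.unpack_from("<I", data, off)
        off += 4
        if off + size > len(data):
            raise ValueError("truncated event data")
        events.append({"pcr": pcr, "type": etype, "digests": digests, "event": data[off:off + size]})
        off += size
    return alg_sizes, events


def extend(pcr_value, digest, alg=TPM_ALG_SHA256):
    """TPM PCR extend: new = H(old || digest)."""
    return HASH[alg](pcr_value + digest).digest()


def replay_pcrs(events, alg=TPM_ALG_SHA256):
    """Recompute each PCR's final value from the log in the chosen bank, the way an
    attestation service checks a quote against the log. Keys are the PCR indices seen."""
    pcrs = defaultdict(lambda: bytes(HASH[alg]().digest_size))
    for ev in events:
        if ev["type"] == EV_NO_ACTION:
            continue
        pcrs[ev["pcr"]] = extend(pcrs[ev["pcr"]], ev["digests"][alg], alg)
    return dict(pcrs)


def verify_event_digests(events, alg=TPM_ALG_SHA256):
    """For events whose digest must equal H(event data), return a list of (index, ok)."""
    return [(i, HASH[alg](ev["event"]).digest() == ev["digests"][alg])
            for i, ev in enumerate(events) if ev["type"] in DIGEST_COVERS_EVENT]


def build_sample_log():
    """Constructed sample (not a real capture): Spec ID header declaring SHA-1 and SHA-256
    banks, then the CRTM version measured into PCR 0 and a separator into PCR 7."""
    algs = [(TPM_ALG_SHA1, 20), (TPM_ALG_SHA256, 32)]
    # platformClass, specVersionMinor, specVersionMajor, errata, uintnSize, numberOfAlgorithms
    spec = b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, len(algs))
    spec += b"".join(struct.pack("<HH", a, s) for a, s in algs) + b"\0"  # vendorInfoSize = 0
    log = struct.pack("<II", 0, EV_NO_ACTION) + bytes(20) + struct.pack("<I", len(spec)) + spec
    for pcr, etype, event in ((0, EV_S_CRTM_VERSION, "1.0\0".encode("utf-16-le")),
                              (7, EV_SEPARATOR, b"\0\0\0\0")):
        log += struct.pack("<III", pcr, etype, len(algs))
        for alg, _ in algs:
            log += struct.pack("<H", alg) + HASH[alg](event).digest()
        log += struct.pack("<I", len(event)) + event
    return log


if __name__ == "__main__":
    sizes, evs = parse_tcg_log(build_sample_log())
    print("banks:", {hex(a): s for a, s in sizes.items()})
    for pcr, value in sorted(replay_pcrs(evs).items()):
        print(f"PCR{pcr}: {value.hex()}")
    print("digest checks:", verify_event_digests(evs))
```

On a real machine, feed `parse_tcg_log(open(path, "rb").read())` the newest file from C:\Windows\Logs\MeasuredBoot and compare `replay_pcrs` against the PCR values the TPM itself reports; a mismatch means the log was altered or does not belong to this boot. Note the two checks are independent: editing an event's data breaks `verify_event_digests` but not the replay, while editing a digest breaks the replay and leaves the quote comparison to catch it.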
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
CloseKey = 0x00000001
QuerySecurityKey = 0x00000002
SetSecurityKey = 0x00000004
EnumerateValueKey = 0x00000010
QueryMultipleValueKey = 0x00000020
SetInformationKey = 0x00000040
FlushKey = 0x00000080
# These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process
$WINEVENT_KEYWORD_PROCESS = 0x10
$WINEVENT_KEYWORD_IMAGE = 0x40
# Normally when you enable an analytic log, all keywords are logged which can be very noisy.
# I'm going to limit collection to only image and process events.
$KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic'
$KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE)
$KernelProcessLog.ProviderLevel = 0xFF
$KernelProcessLog.IsEnabled = $true
# None of the settings above take effect until they are written back (needs an elevated session).
$KernelProcessLog.SaveChanges()
function Get-ProcessStartKey {
<#
.SYNOPSIS
Derives the process start key for one or more processes.
.DESCRIPTION
Get-ProcessStartKey derives the process start key for one or more processes. Process start keys were introduced in Win 10 1507 and are intended to serve as a locally unique identifier for a process. A process ID cannot be considered a unique identifier since process IDs are repeatable.