Matt Graeber mattifestation

## ExpandDefenderSig.ps1
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS

Decompresses a Windows Defender AV signature database (.VDM file).

.DESCRIPTION

Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.

## SimpleTCGLogParser.ps1
Import-Module HgsDiagnostics
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName

$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)

$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex

## WSH_approved_list.txt
041e868e-0c7d-48c6-965f-5fd576530e5b
0438c02b-eb9c-4e42-81ad-407f6cd6cde1
078b1f7d-c34c-4b13-a7c3-9663901650f1
0abb2961-2cc1-4f1d-be8e-9d330d06b77d
0d7237e6-930f-4682-ad0a-52ebffd3aee3
0d972387-817b-46e7-913f-e9993ff401eb
0e770b12-7221-4a5d-86ee-77310a5506bb
0fa57208-5100-4cd6-955c-fe69f8898973
1080a020-2b47-4da9-8095-dbc9cefffc04
10cf2e12-1681-4c53-adc0-932c84832cd8

## ntasn1_notes.txt
Ordinal Export Symbol
------- -------------
1       RtlAsn1Encode
2       RtlAsn1EncodeAndAllocate
3       RtlAsn1Decode
4       RtlAsn1DecodeAndAllocate
5       RtlAsn1GetModuleHandle
6       ASN1_FindOidInfo
7       ASN1_FindOidInfoByEoid
8       CryptEncodeObjectEx

## Sysmon9Schema.dtd
<!DOCTYPE Sysmon [<!ELEMENT Sysmon (EventFiltering|HashAlgorithms|DriverName|ProcessAccessConfig|CheckRevocation|PipeMonitoringConfig)*>
<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>
<!ELEMENT EventFiltering (RuleGroup|ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess|FileCreate|RegistryEvent|RegistryEvent|RegistryEvent|FileCreateStreamHash|PipeEvent|PipeEvent|WmiEvent|WmiEvent|WmiEvent)*>
<!ELEMENT RuleGroup (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead|ProcessAccess|FileCreate|RegistryEvent|RegistryEvent|RegistryEvent|FileCreateStreamHash|PipeEvent|PipeEvent|WmiEvent|WmiEvent|WmiEvent)*>
<!ATTLIST RuleGroup groupRelation (and|or) #REQUIRED>
<!ATTLIST RuleGroup name CDATA #IMPLIED>
<!ELEMENT ProcessCreate (RuleName|UtcTime|ProcessGuid|ProcessId|Image|FileVersion|Description|Product|Company|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|I

## Microsoft-Windows-WER-Diag.manifest.xml
<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
 <instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
  <events>
   <provider name="Microsoft-Windows-WER-Diag" guid="{ad8aa069-a01b-40a0-ba40-948d1d8dedc5}" resourceFileName="Microsoft-Windows-WER-Diag" messageFileName="Microsoft-Windows-WER-Diag" symbol="MicrosoftWindowsWERDiag" source="Xml" >
    <keywords>
    </keywords>
    <tasks>
     <task name="task_0" message="$(string.task_task_0)" value="0"/>
    </tasks>
    <events>

## PSProcmon.psm1
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
    CloseKey              = 0x00000001
    QuerySecurityKey      = 0x00000002
    SetSecurityKey        = 0x00000004
    EnumerateValueKey     = 0x00000010
    QueryMultipleValueKey = 0x00000020
    SetInformationKey     = 0x00000040
    FlushKey              = 0x00000080

## WDAC_PolicyIDs.txt
PolicyIndex: 1
PolicyTypeID: a244370e-44c9-4c06-b551-f6016e563076
PolicyPath: System32\CodeIntegrity\SiPolicy.p7b

PolicyIndex: 2
PolicyTypeID: 2a5a0136-f09f-498e-99cc-51099011157c
PolicyPath: System32\CodeIntegrity\RvkSiPolicy.p7b

PolicyIndex: 3
PolicyTypeID: 976d12c8-cb9f-4730-be52-54600843238e

## process_image_logging.ps1
# These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process
$WINEVENT_KEYWORD_PROCESS = 0x10
$WINEVENT_KEYWORD_IMAGE   = 0x40

# Normally when you enable an analytic log, all keywords are logged which can be veeeeerrrrryy noisy.
# I'm going to limit collection to only image and process event
$KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic'
$KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE)
$KernelProcessLog.ProviderLevel = 0xFF
$KernelProcessLog.IsEnabled = $true

## GetProcessStartKey.ps1
function Get-ProcessStartKey {
<#
.SYNOPSIS

Derives the process start key for one or more processes.

.DESCRIPTION

Get-ProcessStartKey derives the process start key for one or more processes. Process start keys were introduced in Win 10 1507 and are intended to serve as a locally unique identifier for a process. A process ID cannot be considered a unique identifier since process IDs are repeatable.