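# Ensure errors don't ruin anything for us.
# NOTE(review): this also hides failed copies (for example a log that is not
# present on this host), so a log missing from the final ZIP is never reported.
$ErrorActionPreference = "SilentlyContinue"
# Set variables
$DesktopPath = [Environment]::GetFolderPath("Desktop")
# Event log directory. $env:SystemRoot replaces the hard-coded C:\windows so the
# script also works on hosts whose Windows directory is elsewhere.
$LogDir = "$env:SystemRoot\System32\winevt\Logs"
# Logs always collected (option-less run).
$basic = "$LogDir\Application.evtx", "$LogDir\Microsoft-Windows-PowerShell%4Operational.evtx", "$LogDir\System.evtx", "$LogDir\Microsoft-Windows-Windows Defender%4Operational.evtx", "$LogDir\Security.evtx", "$LogDir\Microsoft-Windows-Sysmon%4Operational.evtx"
# Optional groups offered by collect_more (menu options 1-5).
$remote_logs = "$LogDir\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "$LogDir\Microsoft-Windows-WinRM%4Operational.evtx"
$runkey = "$LogDir\Microsoft-Windows-Shell-Core%4Operational.evtx"
$group_policy = "$LogDir\Microsoft-Windows-GroupPolicy%4Operational.evtx"
$bits = "$LogDir\Microsoft-Windows-Bits-Client%4Operational.evtx"
$extra_security = "$LogDir\Microsoft-Windows-Security-Netlogon%4Operational.evtx", "$LogDir\Microsoft-Windows-Security-Mitigations%4UserMode.evtx"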
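# Run as admin or else.
# Verifies the current token holds the built-in Administrator role; on success
# hands over to basic_collection, otherwise warns and stops the whole script.
function admin_check{
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    if (-NOT $principal.IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
        # Warn loudly and stop.
        Write-Warning "Insufficient permissions. Open Powershell as Admin please"
        # 'Break' outside a loop relies on PowerShell unwinding to the script
        # level; 'exit' makes the stop explicit so collect_more never runs unelevated.
        exit 1
    }
    # If we're all good, let's fire it off.
    else {basic_collection}
}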
# Execute the basic collection: copy every log listed in $basic to the Desktop
# and tell the user it is done.
function basic_collection {
    Copy-Item -Path $basic -Destination $DesktopPath
    Write-Host -Object "`nBasic logs collected`n" -ForegroundColor magenta
}
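# Interactive menu asking the user whether to gather more logs.
# Every path ends in zip, so the copied .evtx files are always archived and
# cleaned up regardless of the option chosen.
function collect_more {
    # Sleep so the user doesn't get overwhelmed with text.
    Start-Sleep -Seconds 1.5
    # Present options
    Write-Host "`nWould you like to gather more logs?"
    Write-Host "`n[1] " -ForegroundColor magenta -NoNewline; Write-Host "Collect RDP and WinRM logs"
    Write-Host "[2] " -ForegroundColor magenta -NoNewline; Write-Host "Collect BITS logs"
    Write-Host "[3] " -ForegroundColor magenta -NoNewline; Write-Host "Collect Reg Run key log"
    Write-Host "[4] " -ForegroundColor magenta -NoNewline; Write-Host "Collect Group Policy logs"
    Write-Host "[5] " -ForegroundColor magenta -NoNewline; Write-Host "Collect extra security logs (if enabled)`n"
    Write-Host "[6] " -ForegroundColor magenta -NoNewline; Write-Host "All of the above`n"
    Write-Host "[7] " -ForegroundColor magenta -NoNewline; Write-Host "No extra logs thank you`n"
    # Wait for the user to input a number option.
    $question = Read-Host -Prompt "Choose an option`n"
    # Empty input (Enter / space bar) defaults to option 7: just zip.
    # The original tested $result here, which is never assigned before this
    # point, so the test was always true and options 1-6 could never run.
    if ([string]::IsNullOrWhiteSpace($question)) {
        zip
        return
    }
    # Just a fancy if/else.
    switch ($question.Trim()) {
        1 {Copy-Item $remote_logs -Destination $DesktopPath; zip}
        2 {Copy-Item $bits -Destination $DesktopPath; zip}
        3 {Copy-Item $runkey -Destination $DesktopPath; zip}
        4 {Copy-Item $group_policy -Destination $DesktopPath; zip}
        5 {Copy-Item $extra_security -Destination $DesktopPath; zip}
        6 {copy_all}
        7 {zip}
        # Anything else: don't leave the already-collected .evtx files loose on the Desktop.
        default {
            Write-Warning "Unrecognised option '$question'; zipping the logs collected so far"
            zip
        }
    }
}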
# Copy every optional log group (menu options 1-5) to the Desktop.
function copy_all{
    # Each loop item is one group; Copy-Item accepts a single path or an array.
    foreach ($group in $extra_security, $group_policy, $runkey, $bits, $remote_logs) {
        Copy-Item -Path $group -Destination $DesktopPath
    }
}
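# Archive every .evtx on the Desktop into a date-stamped ZIP, remove the loose
# .evtx files, then open the ZIP.
function zip{
    # Build the name once so all uses agree even if the date rolls over mid-run
    # (the original recomputed Get-Date three times).
    $zipPath = "$DesktopPath\$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip"
    $evtx = Get-ChildItem -Path "$DesktopPath\*.evtx"
    if (-not $evtx) {
        Write-Warning "No .evtx files found on $DesktopPath; nothing to zip"
        return
    }
    try {
        # -ErrorAction Stop overrides the script-wide SilentlyContinue: if the
        # archive cannot be written (e.g. a ZIP of the same name already exists
        # from an earlier run today) we must not go on to delete the only copies.
        $evtx | Compress-Archive -DestinationPath $zipPath -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not create $zipPath : $($_.Exception.Message). The .evtx files are left on the Desktop."
        return
    }
    Write-Host "Your ZIP is waiting at: " -NoNewline; Write-Host $zipPath -ForegroundColor magenta
    # Clean up evtxs. Note this removes every .evtx on the Desktop, not only the
    # ones this script copied there.
    $evtx | Remove-Item -Force -Confirm:$false
    # Open up the ZIP.
    Start-Sleep -Seconds 2; Invoke-Item $zipPath
}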
# Entry point: admin_check runs the basic collection itself when elevated,
# then the optional-log menu follows.
function main {
    admin_check
    collect_more
}
main