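# Non-terminating errors (a missing or locked .evtx) must not abort the run, but they
# must stay visible: "SilentlyContinue" hides copy failures and makes an incomplete
# collection look complete. "Continue" keeps the script going and still prints them.
$ErrorActionPreference = "Continue"

# Where the copied logs and the final archive are written.
$DesktopPath = [Environment]::GetFolderPath("Desktop")

# Event-log directory, resolved from the OS root rather than a hard-coded C:\windows.
$LogDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'

# Always collected (see basic_collection).
$basic = @(
    'Application.evtx',
    'Microsoft-Windows-PowerShell%4Operational.evtx',
    'System.evtx',
    'Microsoft-Windows-Windows Defender%4Operational.evtx',
    'Security.evtx',
    'Microsoft-Windows-Sysmon%4Operational.evtx'
) | ForEach-Object { Join-Path $LogDir $_ }

# Optional sets, offered one by one in collect_more (or all at once via copy_all).
$remote_logs = @(
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx',
    'Microsoft-Windows-WinRM%4Operational.evtx'
) | ForEach-Object { Join-Path $LogDir $_ }
$runkey = Join-Path $LogDir 'Microsoft-Windows-Shell-Core%4Operational.evtx'
$group_policy = Join-Path $LogDir 'Microsoft-Windows-GroupPolicy%4Operational.evtx'
$bits = Join-Path $LogDir 'Microsoft-Windows-Bits-Client%4Operational.evtx'
$extra_security = @(
    'Microsoft-Windows-Security-Netlogon%4Operational.evtx',
    'Microsoft-Windows-Security-Mitigations%4UserMode.evtx'
) | ForEach-Object { Join-Path $LogDir $_ }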
# Must run elevated: refuse (and stop) otherwise
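function admin_check {
    # Copying from winevt\Logs (Security.evtx in particular) needs an elevated token,
    # so bail out early with a clear message instead of a pile of access-denied errors.
    $principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) {
        Write-Warning "Insufficient permissions. Open Powershell as Admin please"
        # 'Break' outside a loop is not a plain return: PowerShell walks up the call
        # stack for an enclosing loop and, finding none, ends the script. 'exit 1'
        # states that intent and gives the caller a non-zero status to check.
        exit 1
    }
    # Elevated: start with the mandatory set right away.
    basic_collection
}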
# Execute the basic collection: copy every log listed in $basic
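function basic_collection {
    # Copies every path in $basic to the desktop, one file at a time, so a log that is
    # absent on this host (e.g. Sysmon not installed) is reported instead of silently dropped.
    foreach ($log in @($basic)) {
        if (Test-Path -LiteralPath $log) {
            # -ErrorAction Continue overrides a silent global preference: a copy that fails
            # (access denied, locked file) must be visible, otherwise the collection looks
            # complete when it is not.
            Copy-Item -LiteralPath $log -Destination $DesktopPath -ErrorAction Continue
        } else {
            Write-Warning "Log not found, skipped: $log"
        }
    }
    Write-Host "`nBasic logs collected`n" -ForegroundColor magenta
}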
# Interactive menu asking the user whether they want more logs
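function collect_more {
    # Short pause so the menu is not buried under the output of basic_collection.
    Start-Sleep -Seconds 1.5
    Write-Host "`nWould you like to gather more logs?"
    Write-Host "`n[1] " -ForegroundColor magenta -NoNewline; Write-Host "Collect RDP and WinRM logs"
    Write-Host "[2] " -ForegroundColor magenta -NoNewline; Write-Host "Collect BITS logs"
    Write-Host "[3] " -ForegroundColor magenta -NoNewline; Write-Host "Collect Reg Run key log"
    Write-Host "[4] " -ForegroundColor magenta -NoNewline; Write-Host "Collect Group Policy logs"
    Write-Host "[5] " -ForegroundColor magenta -NoNewline; Write-Host "Collect extra security logs (if enabled)`n"
    Write-Host "[6] " -ForegroundColor magenta -NoNewline; Write-Host "All of the above`n"
    Write-Host "[7] " -ForegroundColor magenta -NoNewline; Write-Host "No extra logs thank you`n"
    $question = Read-Host -Prompt "Choose an option`n"

    # Empty input (Enter or a space) means "no extra logs": archive what is there.
    # The test has to be on $question: testing a not-yet-assigned variable is always
    # true, which would ignore the menu choice and zip straight away every time.
    if ([string]::IsNullOrWhiteSpace($question)) {
        zip
        return
    }

    switch ($question) {
        1 { Copy-Item $remote_logs -Destination $DesktopPath; zip }
        2 { Copy-Item $bits -Destination $DesktopPath; zip }
        3 { Copy-Item $runkey -Destination $DesktopPath; zip }
        4 { Copy-Item $group_policy -Destination $DesktopPath; zip }
        5 { Copy-Item $extra_security -Destination $DesktopPath; zip }
        # Option 6 archives as well, like every other collecting option, so the copied
        # .evtx files are not left behind unpacked on the desktop.
        6 { copy_all; zip }
        7 { zip }
        default {
            # Unknown choice: don't discard the basic logs already copied, archive them.
            Write-Warning "'$question' is not a menu option; no extra logs collected"
            zip
        }
    }
}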
function copy_all {
    # Copies every optional log set (the ones collect_more offers individually) to the desktop.
    # Each entry may be a single path or an array of paths, so the inner loop flattens it.
    $groups = @($extra_security, $group_policy, $runkey, $bits, $remote_logs)
    foreach ($group in $groups) {
        foreach ($log in @($group)) {
            Copy-Item -Path $log -Destination $DesktopPath
        }
    }
}
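function zip {
    # Archive name is computed once so the archive, the message and Invoke-Item agree
    # even if the clock ticks over a day boundary between the calls.
    $archive = Join-Path $DesktopPath "$(Get-Date -UFormat '%Y_%b_%d_%a_UTC%Z').zip"
    $evtx = Get-ChildItem -Path (Join-Path $DesktopPath '*.evtx')
    if (-not $evtx) {
        Write-Warning "No .evtx files found on $DesktopPath; nothing to archive"
        return
    }

    # -ErrorAction Stop turns a failed Compress-Archive (e.g. an archive of the same
    # name already exists) into a catchable error. Without it the failure was silent and
    # the cleanup below deleted the only copies of the collected logs.
    try {
        $evtx | Compress-Archive -DestinationPath $archive -ErrorAction Stop
    } catch {
        Write-Warning "Archiving failed ($($_.Exception.Message)); the .evtx copies were left on $DesktopPath"
        return
    }

    Write-Host "Your ZIP is waiting at: " -NoNewline; Write-Host $archive -ForegroundColor magenta
    # Print the archive hash so the collection can be verified after it is moved elsewhere.
    Write-Host "SHA256: $((Get-FileHash -LiteralPath $archive -Algorithm SHA256).Hash)"

    # Clean up the loose copies only now that the archive is known to exist.
    Get-ChildItem -Path (Join-Path $DesktopPath '*.evtx') | Remove-Item -Force -Confirm:$false

    # Open the archive in the shell after a short pause.
    Start-Sleep -Seconds 2
    Invoke-Item -LiteralPath $archive
}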
# Entry point. admin_check runs basic_collection itself once elevation is confirmed;
# the optional menu follows.
& admin_check
& collect_more
Author
Purp1eW0lf
commented
Feb 17, 2022