This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<#
.SYNOPSIS
Process the specified input folder to find and execute usnjrnl_rewind.exe on the MFT and UsnJrnl CSVs found.
The MFT and UsnJrnl must have been parsed with Eric Zimmerman's MFTEcmd. The specified input folder must contain one (and only one) parsed MFT CSV and one (and only one) parsed UsnJrnl CSV.
Rewinding the UsnJrnl is a technique introduced by CyberCX-DFIR (https://cybercx.com.au/blog/ntfs-usnjrnl-rewind/).
usnjrnl_rewind is a Python tool from CyberCX-DFIR (https://github.com/CyberCX-DFIR/usnjrnl_rewind).
.PARAMETER UsnJrnlRewindBinary
Specify the usnjrnl_rewind.exe binary full path. Can be found on GitHub, with instructions to compile from source using PyInstaller: https://github.com/Qazeer/usnjrnl_rewind_compiled
.PARAMETER InputDir
Specify the folder which contains the parsed MFT and UsnJrnl CSV.
[CmdletBinding()]
param
(
    [Parameter(Mandatory = $true,
        Position = 1,
        HelpMessage = 'Specify the Microsoft Defender MPLog file to parse.')]
    [String]$InputFile,
    [Parameter(Mandatory = $true,
        Position = 2,
        HelpMessage = 'Specify the folder where the output file will be placed.')]
<#
.SYNOPSIS
Recursively process the specified input folder to execute bmc-tools.exe over each Bitmap Cache subfolder found.
This PowerShell script is basically a wrapper to make bmc-tools.exe output results to user-specific folders.
bmc-tools is an RDP Bitmap Cache parser from ANSSI (https://github.com/ANSSI-FR/bmc-tools).
.PARAMETER bmcToolsBinary
Specify the bmc-tools.exe binary full path. Can be found on GitHub, with instructions to compile from source using PyInstaller: https://github.com/Qazeer/bmc-tools-compiled
.PARAMETER InputDir
<#
.SYNOPSIS
Recursively process the source directory to execute Winlogbeat once on all EVTX file(s) found.
This PowerShell script is basically a wrapper to make Winlogbeat recursive, without a predefined set of EVTX files to look for.
.PARAMETER WinlogbeatBinary
Specify the winlogbeat.exe binary full path. The binary must be within the winlogbeat program folder.
.PARAMETER InputDir
Specify the folder which contains the EVTX file(s). The folder will be recursively processed.
<#
.SYNOPSIS
Recursively process the specified input folder to execute thumbcache_viewer_cmd.exe over each thumbcache subfolder found.
This PowerShell script is basically a wrapper to make thumbcache_viewer_cmd.exe recursive, as the tool can natively only process a single thumbcache subfolder
(and not multiple thumbcache subfolders from the drive root or user profile folders).
Script inspired by the Move-KAPEConsoleHost_history.ps1 script from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
.PARAMETER thumbcacheViewerBinary
Specify the thumbcache_viewer_cmd.exe binary full path.
<#
.SYNOPSIS
Consolidate the Usage Log files (created by the .NET CLR upon assembly execution) from the specified Source Directory into a single CSV file.
Script inspired by the Move-KAPEConsoleHost_history.ps1 script from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
.PARAMETER InputDir
Specify the folder which contains the Usage Log file(s). Ideally, the C:\ or C:\Users|Utilisateurs|Usuarios|Benutzer directory in order to grab the file(s) from all users.
.PARAMETER Destination
Specify the folder where the NetAssembly_UsageLogs.csv file will be placed.
<#
.SYNOPSIS
Convert PowerShell ConsoleHost_history.txt files from the specified Source Directory into a single CSV file.
Original script to copy the ConsoleHost_history.txt files from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
.PARAMETER InputDir
Specify the folder which contains the ConsoleHost_history.txt file(s). Ideally, the C:\ or C:\Users|Utilisateurs|Usuarios|Benutzer directory in order to grab the file(s) from all users.
.PARAMETER Destination
Specify the folder where the ConsoleHost_histories.csv file will be placed.
function ConvertTo-EncodedFilePath {
    Param(
        [Parameter(Mandatory=$True)][String]$FilePath
    )
    # Percent-encode the characters that are reserved in a URI so the path can be embedded in one.
    # '%' is replaced first so that the '%XX' sequences produced below are not double-encoded.
    $FilePath = $FilePath.Replace('%', '%25')
    $FilePath = $FilePath.Replace(':', '%3A')
    $FilePath = $FilePath.Replace('/', '%2F')
    $FilePath = $FilePath.Replace('?', '%3F')
    $FilePath = $FilePath.Replace('#', '%23')
    # The gist preview is truncated after the last replacement; the return and closing brace
    # below are assumed so the function is usable as shown.
    return $FilePath
}
# Description: Winlogbeat configuration to parse a single EVTX file to JSON.
# Authors: Thomas DIOT (_Qazeer)
# Version: 1.0
# Last modified: 2022-12-05
winlogbeat.event_logs:
  - name: ${EVTX_FILE}
    no_more_events: stop
winlogbeat.registry_file: "${OUTPUT_FOLDER}\\winlogbeat_registry_file.yml"
function Get-ADPropertySetsAttributes {
    Param(
        [Parameter(Mandatory=$False)][String]$Server = $null,
        [Parameter(Mandatory=$False)][System.Management.Automation.PSCredential]$Credential = $null
    )
    # Route every *-AD* cmdlet in this scope to the requested domain controller when one is given.
    $PSDefaultParameterValues = @{}
    If ($Server) {
        $PSDefaultParameterValues.Add("*-AD*:Server", $Server)
    }