Thomas DIOT Qazeer

## ConvertWindowsDefenderMPLogTo-CSV.ps1
[CmdletBinding()]
param
(
    [Parameter(Mandatory = $true,
               Position = 1,
               HelpMessage = 'Specify the Microsoft Defender MPLog file to parse.')]
    [String]$InputFile,
    [Parameter(Mandatory = $true,
               Position = 2,
               HelpMessage = 'Specify the folder where the output file will be placed.')]

## Execute-BmcTools.ps1
<#
    .SYNOPSIS
        Recursively process the specified input folder to execute bmc-tools.exe over each Bitmap Cache subfolder(s) found.
        This PowerShell script is basically a wrapper to make bmc-tools.exe output results to user specific folders.
        bmc-tools is a RDP Bitmap Cache parser from ANSSI (https://github.com/ANSSI-FR/bmc-tools).

    .PARAMETER bmcToolsBinary
        Specify the bmc-tools.exe binary full path. Can be found on GitHub, with instruction to compile from source using PyInstaller: https://github.com/Qazeer/bmc-tools-compiled

    .PARAMETER InputDir

## Execute-Winlogbeat.ps1
<#
    .SYNOPSIS
        Recursively process the source directory to execute Winlogbeat once on all EVTX file(s) found.
        This PowerShell script is basically a wrapper to make Winlogbeat recursive, with out a predefined set of EVTX files to look for.

    .PARAMETER WinlogbeatBinary
        Specify the winlogbeat.exe binary full path. The binary must be within the winlogbeat program folder.

    .PARAMETER InputDir
        Specify the folder which contains the EVTX file(s). The folder will be recursively processed.

## Execute-ThumbcacheViewer.ps1
<#
    .SYNOPSIS
        Recursively process the specified input folder to execute thumbcache_viewer_cmd.exe over each thumbcache subfolder(s) found.
        This PowerShell script is basically a wrapper to make thumbcache_viewer_cmd.exe recursive, as the tool can natively only process a thumbcache subfolder
        (and not multiple thumbcache subfolder(s) from the drive root or user profile folders).
        Script inspired by the Move-KAPEConsoleHost_history.ps1 script from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1

    .PARAMETER thumbcacheViewerBinary
        Specify the thumbcache_viewer_cmd.exe binary full path.

## ConvertUsageLogsTo-CSV.ps1
<#
    .SYNOPSIS
        Consolidate the Usage Log files (created by the .NET CLR upon assembly execution) from the specified Source Directory into a single CSV file.
        Script inspired by the Move-KAPEConsoleHost_history.ps1 script from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1

    .PARAMETER InputDir
        Specify the folder which contains the Usage Log file(s). Ideally, the C:\ or C:\Users|Utilisateurs|Usuarios|Benutzer directory in order to grab the file(s) from all users.

    .PARAMETER Destination
        Specify the folder where the NetAssembly_UsageLogs.csv file will be placed.

## ConvertPSHistoryTo-CSV.ps1
<#
    .SYNOPSIS
        Convert PowerShell ConsoleHost_history.txt files from the specified Source Directory into a single CSV file.
        Original script to copy the ConsoleHost_history.txt files from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1

    .PARAMETER InputDir
        Specify the folder which contains the ConsoleHost_history.txt file(s). Ideally, the C:\ or C:\Users|Utilisateurs|Usuarios|Benutzer directory in order to grab the file(s) from all users.

    .PARAMETER Destination
        Specify the folder where the ConsoleHost_histories.csv file will be placed.

## Restore-VelociraptorKapeTargetsCollectionTimestamps.ps1
function ConvertTo-EncodedFilePath {
    Param(
        [Parameter(Mandatory=$True)][String]$FilePath
    )

    $FilePath = $FilePath.Replace('%', '%25')
    $FilePath = $FilePath.Replace(':', '%3A')
    $FilePath = $FilePath.Replace('/', '%2F')
    $FilePath = $FilePath.Replace('?', '%3F')
    $FilePath = $FilePath.Replace('#', '%23')

## Winlogbeat_Windows_single_EVTX_to_JSON.yml
# Description: Winlogbeat configuration to parse a single EVTX file to JSON.
# Authors: Thomas DIOT (_Qazeer)
# Version: 1.0
# Last modified: 2022-12-05

winlogbeat.event_logs:
  - name: ${EVTX_FILE}
    no_more_events: stop

winlogbeat.registry_file: "${OUTPUT_FOLDER}\\winlogbeat_registry_file.yml"

## Get-ADPropertySetsAttributes.ps1
function Get-ADPropertySetsAttributes {
    Param(
        [Parameter(Mandatory=$False)][String]$Server = $null,
        [Parameter(Mandatory=$False)][System.Management.Automation.PSCredential]$Credential = $null
    )

    $PSDefaultParameterValues = @{}
    If ($Server) {
        $PSDefaultParameterValues.Add("*-AD*:Server", $Server)
    }

## keybase.md

      
        
          
            
              
              1 file
            
          
          
            
              
              0 forks
            
          
          
            
              
              0 comments
            
          
          
            
              
              0 stars
            
          
        
        
          
              
          
          
            
                Qazeer
                / keybase.md
            
            
              Created
              March 2, 2022 15:13
            
          
        
      
        
  
      
    Keybase proof

I hereby claim:

I am qazeer on github.
I am qazeer (https://keybase.io/qazeer) on keybase.
I have a public key ASCUAMWCjK9LHAZwmtkNTxYi2-NJ8ctb6tcqfaEFkEeHzQo

To claim this, I am signing this object:
	[CmdletBinding()]
	param
	(
	[Parameter(Mandatory = $true,
	Position = 1,
	HelpMessage = 'Specify the Microsoft Defender MPLog file to parse.')]
	[String]$InputFile,
	[Parameter(Mandatory = $true,
	Position = 2,
	HelpMessage = 'Specify the folder where the output file will be placed.')]
	<#
	.SYNOPSIS
	Recursively process the specified input folder to execute bmc-tools.exe over each Bitmap Cache subfolder(s) found.
	This PowerShell script is basically a wrapper to make bmc-tools.exe output results to user specific folders.
	bmc-tools is a RDP Bitmap Cache parser from ANSSI (https://github.com/ANSSI-FR/bmc-tools).

	.PARAMETER bmcToolsBinary
	Specify the bmc-tools.exe binary full path. Can be found on GitHub, with instruction to compile from source using PyInstaller: https://github.com/Qazeer/bmc-tools-compiled

	.PARAMETER InputDir
	<#
	.SYNOPSIS
	Recursively process the source directory to execute Winlogbeat once on all EVTX file(s) found.
	This PowerShell script is basically a wrapper to make Winlogbeat recursive, with out a predefined set of EVTX files to look for.

	.PARAMETER WinlogbeatBinary
	Specify the winlogbeat.exe binary full path. The binary must be within the winlogbeat program folder.

	.PARAMETER InputDir
	Specify the folder which contains the EVTX file(s). The folder will be recursively processed.
	<#
	.SYNOPSIS
	Consolidate the Usage Log files (created by the .NET CLR upon assembly execution) from the specified Source Directory into a single CSV file.
	Script inspired by the Move-KAPEConsoleHost_history.ps1 script from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1

	.PARAMETER InputDir
	Specify the folder which contains the Usage Log file(s). Ideally, the C:\ or C:\Users\|Utilisateurs\|Usuarios\|Benutzer directory in order to grab the file(s) from all users.

	.PARAMETER Destination
	Specify the folder where the NetAssembly_UsageLogs.csv file will be placed.
	<#
	.SYNOPSIS
	Convert PowerShell ConsoleHost_history.txt files from the specified Source Directory into a single CSV file.
	Original script to copy the ConsoleHost_history.txt files from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1

	.PARAMETER InputDir
	Specify the folder which contains the ConsoleHost_history.txt file(s). Ideally, the C:\ or C:\Users\|Utilisateurs\|Usuarios\|Benutzer directory in order to grab the file(s) from all users.

	.PARAMETER Destination
	Specify the folder where the ConsoleHost_histories.csv file will be placed.
	function ConvertTo-EncodedFilePath {
	Param(
	[Parameter(Mandatory=$True)][String]$FilePath
	)

	$FilePath = $FilePath.Replace('%', '%25')
	$FilePath = $FilePath.Replace(':', '%3A')
	$FilePath = $FilePath.Replace('/', '%2F')
	$FilePath = $FilePath.Replace('?', '%3F')
	$FilePath = $FilePath.Replace('#', '%23')
	# Description: Winlogbeat configuration to parse a single EVTX file to JSON.
	# Authors: Thomas DIOT (_Qazeer)
	# Version: 1.0
	# Last modified: 2022-12-05

	winlogbeat.event_logs:
	- name: ${EVTX_FILE}
	no_more_events: stop

	winlogbeat.registry_file: "${OUTPUT_FOLDER}\\winlogbeat_registry_file.yml"
	function Get-ADPropertySetsAttributes {
	Param(
	[Parameter(Mandatory=$False)][String]$Server = $null,
	[Parameter(Mandatory=$False)][System.Management.Automation.PSCredential]$Credential = $null
	)

	$PSDefaultParameterValues = @{}
	If ($Server) {
	$PSDefaultParameterValues.Add("-AD:Server", $Server)
	}