
@Qazeer
Qazeer / Execute-UsnJrnlRewind.ps1
Created September 15, 2024 18:49
Process the specified input folder to find and execute usnjrnl_rewind.exe on MFT and UsnJrnl CSVs found
<#
.SYNOPSIS
Process the specified input folder to find and execute usnjrnl_rewind.exe on MFT and UsnJrnl CSVs found.
The MFT and UsnJrnl must have been parsed with Eric Zimmerman's MFTEcmd. The specified input folder must contain one (and only one) parsed MFT CSV and one (and only one) parsed UsnJrnl CSV.
Rewinding the UsnJrnl is a technique introduced by CyberCX-DFIR (https://cybercx.com.au/blog/ntfs-usnjrnl-rewind/).
usnjrnl_rewind is a Python tool from CyberCX-DFIR (https://github.com/CyberCX-DFIR/usnjrnl_rewind).
.PARAMETER UsnJrnlRewindBinary
Specify the usnjrnl_rewind.exe binary full path. Can be found on GitHub, with instructions to compile from source using PyInstaller: https://github.com/Qazeer/usnjrnl_rewind_compiled
.PARAMETER InputDir
Specify the folder which contains the parsed MFT and UsnJrnl CSV.
@Qazeer
Qazeer / ConvertWindowsDefenderMPLogTo-CSV.ps1
Created August 6, 2023 05:58
Roughly parse a Windows Defender MPLog file into a CSV file.
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true,
Position = 1,
HelpMessage = 'Specify the Microsoft Defender MPLog file to parse.')]
[String]$InputFile,
[Parameter(Mandatory = $true,
Position = 2,
HelpMessage = 'Specify the folder where the output file will be placed.')]
@Qazeer
Qazeer / Execute-BmcTools.ps1
Created August 2, 2023 14:03
Recursively process the specified input folder to execute bmc-tools.exe over each Bitmap Cache subfolder(s) found.
<#
.SYNOPSIS
Recursively process the specified input folder to execute bmc-tools.exe over each Bitmap Cache subfolder(s) found.
This PowerShell script is basically a wrapper to make bmc-tools.exe output results to user specific folders.
bmc-tools is a RDP Bitmap Cache parser from ANSSI (https://github.com/ANSSI-FR/bmc-tools).
.PARAMETER bmcToolsBinary
Specify the bmc-tools.exe binary full path. Can be found on GitHub, with instructions to compile from source using PyInstaller: https://github.com/Qazeer/bmc-tools-compiled
.PARAMETER InputDir
@Qazeer
Qazeer / Execute-Winlogbeat.ps1
Created July 9, 2023 16:37
Recursively process the source directory to execute Winlogbeat once on all EVTX file(s) found.
<#
.SYNOPSIS
Recursively process the source directory to execute Winlogbeat once on all EVTX file(s) found.
This PowerShell script is basically a wrapper to make Winlogbeat recursive, without a predefined set of EVTX files to look for.
.PARAMETER WinlogbeatBinary
Specify the winlogbeat.exe binary full path. The binary must be within the winlogbeat program folder.
.PARAMETER InputDir
Specify the folder which contains the EVTX file(s). The folder will be recursively processed.
@Qazeer
Qazeer / Execute-ThumbcacheViewer.ps1
Created July 8, 2023 13:56
Recursively process the specified input folder to execute thumbcache_viewer_cmd.exe over each thumbcache subfolder(s) found.
<#
.SYNOPSIS
Recursively process the specified input folder to execute thumbcache_viewer_cmd.exe over each thumbcache subfolder(s) found.
This PowerShell script is basically a wrapper to make thumbcache_viewer_cmd.exe recursive, as the tool can natively only process a thumbcache subfolder
(and not multiple thumbcache subfolder(s) from the drive root or user profile folders).
Script inspired by the Move-KAPEConsoleHost_history.ps1 script from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
.PARAMETER thumbcacheViewerBinary
Specify the thumbcache_viewer_cmd.exe binary full path.
@Qazeer
Qazeer / ConvertUsageLogsTo-CSV.ps1
Created July 6, 2023 22:41
Convert .NET Usage Log files (created by the .NET CLR upon assembly execution) from the specified Source Directory into a single CSV file.
<#
.SYNOPSIS
Consolidate the Usage Log files (created by the .NET CLR upon assembly execution) from the specified Source Directory into a single CSV file.
Script inspired by the Move-KAPEConsoleHost_history.ps1 script from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
.PARAMETER InputDir
Specify the folder which contains the Usage Log file(s). Ideally, the C:\ or C:\Users|Utilisateurs|Usuarios|Benutzer directory in order to grab the file(s) from all users.
.PARAMETER Destination
Specify the folder where the NetAssembly_UsageLogs.csv file will be placed.
@Qazeer
Qazeer / ConvertPSHistoryTo-CSV.ps1
Created July 6, 2023 22:38
Convert PowerShell ConsoleHost_history.txt files from the specified Source Directory into a single CSV file.
<#
.SYNOPSIS
Convert PowerShell ConsoleHost_history.txt files from the specified Source Directory into a single CSV file.
Original script to copy the ConsoleHost_history.txt files from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
.PARAMETER InputDir
Specify the folder which contains the ConsoleHost_history.txt file(s). Ideally, the C:\ or C:\Users|Utilisateurs|Usuarios|Benutzer directory in order to grab the file(s) from all users.
.PARAMETER Destination
Specify the folder where the ConsoleHost_histories.csv file will be placed.
@Qazeer
Qazeer / Restore-VelociraptorKapeTargetsCollectionTimestamps.ps1
Created January 2, 2023 22:24
PowerShell script to restore the file timestamps ($SI MAC) from a Velociraptor KapeTargets offline collection
function ConvertTo-EncodedFilePath {
Param(
[Parameter(Mandatory=$True)][String]$FilePath
)
$FilePath = $FilePath.Replace('%', '%25')
$FilePath = $FilePath.Replace(':', '%3A')
$FilePath = $FilePath.Replace('/', '%2F')
$FilePath = $FilePath.Replace('?', '%3F')
$FilePath = $FilePath.Replace('#', '%23')
# Description: Winlogbeat configuration to parse a single EVTX file to JSON.
# Authors: Thomas DIOT (_Qazeer)
# Version: 1.0
# Last modified: 2022-12-05
winlogbeat.event_logs:
- name: ${EVTX_FILE}
no_more_events: stop
winlogbeat.registry_file: "${OUTPUT_FOLDER}\\winlogbeat_registry_file.yml"
@Qazeer
Qazeer / Get-ADPropertySetsAttributes.ps1
Created September 5, 2022 19:14
PowerShell cmdlet to enumerate the attributes in Active Directory property sets
function Get-ADPropertySetsAttributes {
Param(
[Parameter(Mandatory=$False)][String]$Server = $null,
[Parameter(Mandatory=$False)][System.Management.Automation.PSCredential]$Credential = $null
)
$PSDefaultParameterValues = @{}
If ($Server) {
$PSDefaultParameterValues.Add("*-AD*:Server", $Server)
}