I hereby claim:
- I am qazeer on github.
- I am qazeer (https://keybase.io/qazeer) on keybase.
- I have a public key ASCUAMWCjK9LHAZwmtkNTxYi2-NJ8ctb6tcqfaEFkEeHzQo
To claim this, I am signing this object:
[CmdletBinding()]
param
(
    [Parameter(Mandatory = $true,
        Position = 1,
        HelpMessage = 'Specify the Microsoft Defender MPLog file to parse.')]
    [String]$InputFile,
    [Parameter(Mandatory = $true,
        Position = 2,
        HelpMessage = 'Specify the folder where the output file will be placed.')]
<#
.SYNOPSIS
Recursively process the specified input folder to execute bmc-tools.exe over each Bitmap Cache subfolder(s) found.
This PowerShell script is basically a wrapper to make bmc-tools.exe output results to user specific folders.
bmc-tools is a RDP Bitmap Cache parser from ANSSI (https://github.com/ANSSI-FR/bmc-tools).
.PARAMETER bmcToolsBinary
Specify the bmc-tools.exe binary full path. Can be found on GitHub, with instruction to compile from source using PyInstaller: https://github.com/Qazeer/bmc-tools-compiled
.PARAMETER InputDir
<#
.SYNOPSIS
Recursively process the source directory to execute Winlogbeat once on all EVTX file(s) found.
This PowerShell script is basically a wrapper to make Winlogbeat recursive, without a predefined set of EVTX files to look for.
.PARAMETER WinlogbeatBinary
Specify the winlogbeat.exe binary full path. The binary must be within the winlogbeat program folder.
.PARAMETER InputDir
Specify the folder which contains the EVTX file(s). The folder will be recursively processed.
<#
.SYNOPSIS
Recursively process the specified input folder to execute thumbcache_viewer_cmd.exe over each thumbcache subfolder(s) found.
This PowerShell script is basically a wrapper to make thumbcache_viewer_cmd.exe recursive, as the tool can natively only process a thumbcache subfolder
(and not multiple thumbcache subfolder(s) from the drive root or user profile folders).
Script inspired by the Move-KAPEConsoleHost_history.ps1 script from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
.PARAMETER thumbcacheViewerBinary
Specify the thumbcache_viewer_cmd.exe binary full path.
<#
.SYNOPSIS
Consolidate the Usage Log files (created by the .NET CLR upon assembly execution) from the specified Source Directory into a single CSV file.
Script inspired by the Move-KAPEConsoleHost_history.ps1 script from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
.PARAMETER InputDir
Specify the folder which contains the Usage Log file(s). Ideally, the C:\ or C:\Users|Utilisateurs|Usuarios|Benutzer directory in order to grab the file(s) from all users.
.PARAMETER Destination
Specify the folder where the NetAssembly_UsageLogs.csv file will be placed.
<#
.SYNOPSIS
Convert PowerShell ConsoleHost_history.txt files from the specified Source Directory into a single CSV file.
Original script to copy the ConsoleHost_history.txt files from Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
.PARAMETER InputDir
Specify the folder which contains the ConsoleHost_history.txt file(s). Ideally, the C:\ or C:\Users|Utilisateurs|Usuarios|Benutzer directory in order to grab the file(s) from all users.
.PARAMETER Destination
Specify the folder where the ConsoleHost_histories.csv file will be placed.
function ConvertTo-EncodedFilePath {
    Param(
        [Parameter(Mandatory=$True)][String]$FilePath
    )
    # Percent-encode the characters that would otherwise be interpreted by a URL / URI parser.
    # '%' is replaced first so that the encodings added below are not themselves re-encoded.
    $FilePath = $FilePath.Replace('%', '%25')
    $FilePath = $FilePath.Replace(':', '%3A')
    $FilePath = $FilePath.Replace('/', '%2F')
    $FilePath = $FilePath.Replace('?', '%3F')
    $FilePath = $FilePath.Replace('#', '%23')
    return $FilePath
}
# Description: Winlogbeat configuration to parse a single EVTX file to JSON.
# Authors: Thomas DIOT (_Qazeer)
# Version: 1.0
# Last modified: 2022-12-05
winlogbeat.event_logs:
  - name: ${EVTX_FILE}
    no_more_events: stop
winlogbeat.registry_file: "${OUTPUT_FOLDER}\\winlogbeat_registry_file.yml"
function Get-ADPropertySetsAttributes {
    Param(
        [Parameter(Mandatory=$False)][String]$Server = $null,
        [Parameter(Mandatory=$False)][System.Management.Automation.PSCredential]$Credential = $null
    )
    $PSDefaultParameterValues = @{}
    If ($Server) {
        $PSDefaultParameterValues.Add("*-AD*:Server", $Server)
    }