-
-
Save kevinelwell/b40c6545d6cc843e342a80aa6d48b5cb to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Meta | |
| Date: 2023 January 7th | |
| Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf) | |
| Company: Huntress Labs | |
| Purpose: Automate collecting Windows Registry hives, including related .DATs for all users. | |
| Notes: | |
| Will trigger AV as it's technically credential dumping. | |
| Also relies on having internet access, to wget TSCopy | |
| Kudos for TrustedSec's TScopy.exe tool, which this script leverages: https://github.com/trustedsec/tscopy | |
| #> | |
| # check admin | |
| function admin_check{ | |
| if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` | |
| [Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
| Write-Warning "Insufficient permissions. Run this Powershell script as Admin please" | |
| Break | |
| } | |
| # if we're all good, let's fire it off | |
| else {Collect_via_Reg} | |
| } | |
| # Collect basic hives | |
| function Collect_via_Reg{ | |
| #print to re-assure user things are happening until ZIP | |
| write-host "`n`nHuntress "-NoNewline -ForegroundColor green ; write-host "Registry collection script is running...`n`n"; | |
| #Ensure errors don't ruin anything for us | |
| $ErrorActionPreference = "SilentlyContinue" | |
| $progressPreference = 'silentlyContinue' | |
| # Make the various directories, to be neat and tidy | |
| mkdir c:\ir, C:\ir\Collected_ntuser_files, C:\ir\Collected_UsrClass_files, C:\ir\amcache | |
| # save the registry files | |
| reg save HKLM\Software c:\ir\Software | |
| reg save HKLM\System c:\ir\System | |
| reg save HKLM\SECURITY c:\ir\SECURITY | |
| reg save HKLM\SAM C:\ir\SAM | |
| #Next Stage | |
| Collect_via_TSCopy | |
| } | |
| ## TSCopy for further registry hives | |
| function Collect_via_TSCopy{ | |
| # pull TScropy exe this way, because invoke-webrequests progress bar is slow and I am a bad scripter | |
| (New-Object Net.WebClient).DownloadFile("https://github.com/trustedsec/tscopy/raw/master/dist/TScopy_x64.exe", "C:\ir\TScopy_x64.exe"); | |
| # each user's ntuser.dat | |
| C:\ir\TScopy_x64.exe -f c:\users\*\ntuser.dat* -o C:\ir\Collected_ntuser_files | |
| # each user's usrclass.dat | |
| C:\ir\TScopy_x64.exe -f C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat* -o C:\ir\Collected_UsrClass_files | |
| # collect amcache hive | |
| C:\ir\TScopy_x64.exe -f C:\Windows\AppCompat\Programs\Amcache.hve -o C:\ir\amcache | |
| # Next stage | |
| Zip_Collected | |
| } | |
| # zip it all up | |
| function Zip_Collected{ | |
| #Delete excess files | |
| rm C:\IR\TScopy_x64.exe | |
| #Tree for a directory map | |
| tree C:\IR /f >> C:\IR\tree_output.txt | |
| # Get current user's desktop to save zip to. | |
| $DesktopPath = [Environment]::GetFolderPath("Desktop") | |
| Get-ChildItem -Path C:\ir | Compress-Archive -DestinationPath $DesktopPath\Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip | |
| write-host "`n`nYour ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip`n`n" -ForegroundColor green ; | |
| # Clean up C:\IR on host after ZIP | |
| Remove-Item "C:\IR" -Recurse -force | |
| # Open up dir | |
| sleep 2; ii "$DesktopPath\Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" | |
| } | |
| #Execute main function in silence | |
| Admin_Check | out-null |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment