├── BAM
│   └── readme.md
├── Logs
│   ├── 2022_May_31_Tue_UTC+00.zip
│   └── readme.md
├── README.md
├── SRUM
│   └── readme.md
├── Velociraptor
│   └── readme.md
├── amcache
│   └── readme.md
├── browser
│   ├── Edge_History
│   └── readme.md
├── cerutil
│   └── readme.md
├── cmdline_history
│   └── readme.md
├── jump lists
│   ├── 5f7b5f1e01b83767.automaticDestinations-ms
│   ├── 9b9cdc69c1c24e2b.automaticDestinations-ms
│   ├── f01b4d95cf55d32a.automaticDestinations-ms
│   └── readme.md
└── prefetch
    ├── MIMIKATZ.EXE-7BBED31C.pf
    ├── PECmd.exe
    ├── mimikatz.exe
    └── readme.md
/BAM/readme.md:
--------------------------------------------------------------------------------
# Background Activity Moderator

## To Prepare
Fire up calc!

```powershell
calc.exe
```

## To investigate

Two options:

You can query the registry directly, but notice you don't get timestamps or the SIDs converted to usernames

```powershell
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings" /s
```

Or, use this PowerShell Script
* I made a small correction to the existing script, as a path had changed

```powershell
# Download
wget -usebasicparsing https://raw.githubusercontent.com/mgreen27/Invoke-LiveResponse/master/Content/Other/Get-BAMParser.ps1 -outfile Get-BAMParser.ps1
# Use
./Get-BAMParser.ps1
```

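The snippet below is added here and is not code from the quickforensics repo or the Get-BAMParser script: it does in plain PowerShell what the `reg query` above cannot, translating each SID to an account name and decoding the FILETIME held in the first eight bytes of every BAM value. It assumes an elevated prompt on the host under investigation and checks both the current `bam\State\UserSettings` key and the pre-1809 `bam\UserSettings` location.

```powershell
# Added example, not from the quickforensics repo: walk the BAM key(s) and emit
# one row per executable with the resolved user name and last-execution time.
$BamPaths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',  # Windows 10 1809 and later
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'         # older builds
) | Where-Object { Test-Path $_ }

$Rows = foreach ($Path in $BamPaths) {
    foreach ($SidKey in Get-ChildItem -Path $Path) {
        $Sid = $SidKey.PSChildName
        # Resolve the SID to an account; keep the raw SID for deleted or foreign accounts
        try {
            $User = ([Security.Principal.SecurityIdentifier]$Sid).Translate([Security.Principal.NTAccount]).Value
        } catch {
            $User = $Sid
        }
        foreach ($Name in $SidKey.GetValueNames()) {
            # Only the REG_BINARY values are executables; Version and SequenceNumber are DWORDs
            if ($SidKey.GetValueKind($Name) -ne 'Binary') { continue }
            $Bytes = $SidKey.GetValue($Name)
            if ($Bytes.Length -lt 8) { continue }
            # The first 8 bytes are a little-endian FILETIME (UTC) of the last execution
            $FileTime = [BitConverter]::ToInt64($Bytes, 0)
            [PSCustomObject]@{
                User        = $User
                LastExecUTC = [DateTime]::FromFileTimeUtc($FileTime)
                Executable  = $Name
            }
        }
    }
}

# Most recent executions first; the calc.exe from "To Prepare" should be near the top
$Rows | Sort-Object LastExecUTC -Descending | Format-Table -AutoSize -Wrap
```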
## Example output

--------------------------------------------------------------------------------
/Logs/2022_May_31_Tue_UTC+00.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Purp1eW0lf/quickforensics/4bba42a4bdc7117d4eba8d375b3f2923eb574171/Logs/2022_May_31_Tue_UTC+00.zip
--------------------------------------------------------------------------------
/Logs/readme.md:
--------------------------------------------------------------------------------
# EVTXs

# To Prepare

```powershell
wget -useb https://gist.githubusercontent.com/Purp1eW0lf/e0b757e66d5da629c1d03e2941fa5b4b/raw/098f624370b9a096e0ef7d32ca71b11e183266ae/Pull_logs_and_zip.ps1 -outfile Pull_logs_and_zip.ps1
```

Pull the chainsaw binary
https://github.com/countercept/chainsaw/releases/tag/v1.1.7

# Chainsaw

```bash
chainsaw hunt ./Collected_Data --rules ./sigma_rules/ --mapping ./mapping_files/sigma-mapping.yml --full --lateral-all --col-width 100
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Quick forensics
Supporting repo for [Huntress' Tradecraft Tuesday 2022 June](https://www.huntress.com/resources/tradecraft-tuesday?wchannelid=zy8dl5egyy&wmediaid=s5rb646tl8)

--------------------------------------------------------------------------------
/SRUM/readme.md:
--------------------------------------------------------------------------------
# SRUM

I have already examined how to leverage this artefact here:
https://twitter.com/Purp1eW0lf/status/1504491533487296517

# To Prepare
Pull Eric Zimmerman's parsing tool
```powershell
wget -usebasicparsing https://f001.backblazeb2.com/file/EricZimmermanTools/SrumECmd.zip -outfile ./SrumECmd.zip;
expand-archive ./SrumECmd.zip . ;
ls *.exe, *.dat
```

## To Investigate
Grab the SRUM file
```
C:\Windows\System32\sru\SRUDB.dat
```

Deploy the parser

```powershell
.\SrumECmd.exe -f .\SRUDB.dat --csv .
```

## Example output

--------------------------------------------------------------------------------
/Velociraptor/readme.md:
--------------------------------------------------------------------------------
# Velociraptor

## To Prepare

```powershell
wget -useb https://github.com/Velocidex/velociraptor/releases/download/v0.6.4-2/velociraptor-v0.6.4-2-windows-amd64.exe -outfile velo.exe

# fire up
.\velo.exe gui
```

## To investigate

We can use many of our past cases, leveraging Velociraptor to get the answers quickly

--------------------------------------------------------------------------------
/amcache/readme.md:
--------------------------------------------------------------------------------
# Amcache

## To Prepare

## To investigate

```powershell
wget -usebasicparsing https://f001.backblazeb2.com/file/EricZimmermanTools/AmcacheParser.zip -outfile AmcacheParser.zip ;
Expand-Archive ./AmcacheParser.zip . ;
ls *.exe, *.hve
```

## Example output

--------------------------------------------------------------------------------
/browser/Edge_History:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Purp1eW0lf/quickforensics/4bba42a4bdc7117d4eba8d375b3f2923eb574171/browser/Edge_History
--------------------------------------------------------------------------------
/browser/readme.md:
--------------------------------------------------------------------------------
# Browser forensics

Locations
```
Chrome  C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History
Edge    C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History
Safari  /System/Volumes/Data/Users/*/Library/Safari/History.db , Downloads.plist
Firefox C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\Downloads.json, Places.sqlite
```

[Thread for how to analyse in detail](https://twitter.com/Purp1eW0lf/status/1498359576739164167?s=20&t=nLxtOHrh5uw79X5Bn92Efw)

But in short:

```bash
sqlite3 [history file]
.mode line
select * from downloads;
```

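The query below is added here and is not from the quickforensics repo: it goes one step past `select * from downloads` for a Chrome or Edge History file, pulling the download's source URL (kept in `downloads_url_chains`, not in `downloads`) and converting Chromium's microseconds-since-1601 timestamps into readable UTC. It assumes `sqlite3.exe` is on PATH, that the History file was copied out first (the live file is locked while the browser runs), and a Chromium schema, so it does not apply to Safari or Firefox.

```powershell
# Added example, not from the quickforensics repo: list Chrome/Edge downloads with
# their final URL and UTC timestamps from a copied History database.
$History = '.\History'   # copied from ...\User Data\Default\History

# Chromium stores times as microseconds since 1601-01-01 (the FILETIME epoch);
# 11644473600 seconds separate that epoch from the Unix epoch SQLite's datetime() expects.
# The URL lives in downloads_url_chains, one row per redirect hop, keyed by the download id.
$Query = @"
.mode csv
.headers on
SELECT d.id,
       datetime(d.start_time / 1000000 - 11644473600, 'unixepoch') AS start_utc,
       d.target_path,
       d.total_bytes,
       d.state,                         -- 0 in progress, 1 complete, 2 cancelled
       d.danger_type,
       d.referrer,
       d.tab_url,
       c.url AS final_url               -- last hop of the redirect chain
FROM downloads d
JOIN downloads_url_chains c ON c.id = d.id
WHERE c.chain_index = (SELECT MAX(chain_index) FROM downloads_url_chains WHERE id = d.id)
ORDER BY d.start_time DESC;
"@

# sqlite3 reads the dot-commands and SQL from stdin; CSV output is parsed back into objects
$Query | sqlite3 $History | ConvertFrom-Csv | Format-Table -AutoSize -Wrap
```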
--------------------------------------------------------------------------------
/cerutil/readme.md:
--------------------------------------------------------------------------------
# Certutil cache

## To prepare

```powershell
certutil.exe -urlcache -split -f https://github.com/BloodHoundAD/SharpHound/releases/download/v1.0.3/SharpHound-v1.0.3.zip sharphound.zip
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 PowerUp.ps1
```

## To investigate

Go looking for what's going on there
```powershell
certutil.exe -urlcache |
select-string -Pattern 'ocsp|wininet|winhttp|complete|update|r3' -NotMatch |
sort
```

## Example output

## Dig Deeper

If we look in ProcMon, there's an interesting record of certutil activity

```
C:\Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\
```

Looking ourselves, we find some files that do not explain themselves

However, if we collected and then `STRINGS` these files, we'd see a breakdown of the certutil activity

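The snippet below is added here and is not from the quickforensics repo: it does the `STRINGS` step in PowerShell across every user's MetaData folder, keeping the file's last-write time next to each recovered URL. The URL is stored in the metadata file as UTF-16LE, so the match runs over the raw bytes (one byte per character) and works whatever offset the string sits at. It assumes an elevated prompt to read other users' profiles; `$Noise` reuses the page's `-NotMatch` filter.

```powershell
# Added example, not from the quickforensics repo: recover fetched URLs from
# CryptnetUrlCache metadata files, with the file's last-write time as a timeline hint.
$Latin1   = [Text.Encoding]::GetEncoding(28591)   # 1:1 byte-to-char decoding, nothing is lost
# http(s):// followed by printable ASCII, each character written as UTF-16LE (char, NUL)
$Utf16Url = [regex]'h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+'
$Noise    = 'ocsp|wininet|winhttp|complete|update|r3'

$MetaDirs = Get-Item 'C:\Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData' -ErrorAction SilentlyContinue
$Rows = foreach ($Dir in $MetaDirs) {
    foreach ($File in Get-ChildItem -Path $Dir.FullName -File) {
        $Text = $Latin1.GetString([IO.File]::ReadAllBytes($File.FullName))
        foreach ($Match in $Utf16Url.Matches($Text)) {
            [PSCustomObject]@{
                LastWriteUTC = $File.LastWriteTimeUtc
                User         = $File.FullName.Split('\')[2]          # C:\Users\<user>\...
                Url          = [Text.Encoding]::Unicode.GetString($Latin1.GetBytes($Match.Value))
                MetaFile     = $File.Name
            }
        }
    }
}

$Rows | Where-Object { $_.Url -notmatch $Noise } |
    Sort-Object LastWriteUTC -Descending | Format-Table -AutoSize -Wrap
```

The SYSTEM account keeps its own cache under `C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData`; add that path to `$MetaDirs` when the download may have run as a service.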
--------------------------------------------------------------------------------
/cmdline_history/readme.md:
--------------------------------------------------------------------------------
# Cmdline History

## Cmd history

If a threat actor leaves their session open, you can retrieve the commands they ran

```cmd
doskey /history
```

If they close the prompt, then you are out of luck and will have to image the machine and use Volatility to pull out the commands run

## Powershell history

Other than the PowerShell Operational log (EVTX), you can leverage PSReadline History

I have written in detail about this elsewhere: https://labs.jumpsec.com/no-logs-no-problem-incident-response-without-windows-event-logs/#PSReadLine

```powershell
# One ConsoleHost_history.txt per user profile
$Users = (Gci C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt).FullName;
$Pasts = @($Users);
foreach ($Past in $Pasts) {
    write-host "`n----User Pwsh History Path $Past---" -ForegroundColor Magenta;
    get-content $Past
}
```

--------------------------------------------------------------------------------
/jump lists/5f7b5f1e01b83767.automaticDestinations-ms:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Purp1eW0lf/quickforensics/4bba42a4bdc7117d4eba8d375b3f2923eb574171/jump lists/5f7b5f1e01b83767.automaticDestinations-ms
--------------------------------------------------------------------------------
/jump lists/9b9cdc69c1c24e2b.automaticDestinations-ms:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Purp1eW0lf/quickforensics/4bba42a4bdc7117d4eba8d375b3f2923eb574171/jump lists/9b9cdc69c1c24e2b.automaticDestinations-ms
--------------------------------------------------------------------------------
/jump lists/f01b4d95cf55d32a.automaticDestinations-ms:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Purp1eW0lf/quickforensics/4bba42a4bdc7117d4eba8d375b3f2923eb574171/jump lists/f01b4d95cf55d32a.automaticDestinations-ms
--------------------------------------------------------------------------------
/jump lists/readme.md:
--------------------------------------------------------------------------------
# Jump Lists

## To Prepare
Open up some files like you have GUI access

```powershell
echo 'test data' >> example_file.ps1
notepad example_file.ps1
```

## To investigate

Two ways

### Quick and stupid way, my favourite
```
strings C:\Users\Frank\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\* |sort
```

### Right way

Copy all related items
```powershell
copy-item C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ . -recurse -verbose
```

Then use Eric's tool

```powershell
# install
wget -usebasicparsing https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip -outfile JLECmd.zip;
Expand-Archive ./JLECmd.zip . ;
ls JLECmd.exe

# run and export to HTML
.\JLECmd.exe -d C:\Users\frank\AppData\Roaming\Microsoft\Windows\Recent --all --mp --withDir --html ./

# run and export to CSV. export to HTML is also an option
.\JLECmd.exe -d C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\ --all --mp --withDir --csv ./ -q

# if you have collected the -ms files elsewhere, run .\JLECmd.exe -d .\Collected_Data\ --all --mp --withDir --csv ./

# open the HTML report
iex .\20220531113327_JLECmd_Automatic_Output_for_\index.xhtml

# or read the csv with selective headers
Import-Csv .\*.csv |
select TargetIDAbsolutePath,InteractionCount,CreationTime,LastModified,TargetCreated,Targetmodified,TargetAccessed |
sort InteractionCount -desc
```

## Example output

--------------------------------------------------------------------------------
/prefetch/MIMIKATZ.EXE-7BBED31C.pf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Purp1eW0lf/quickforensics/4bba42a4bdc7117d4eba8d375b3f2923eb574171/prefetch/MIMIKATZ.EXE-7BBED31C.pf
--------------------------------------------------------------------------------
/prefetch/PECmd.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Purp1eW0lf/quickforensics/4bba42a4bdc7117d4eba8d375b3f2923eb574171/prefetch/PECmd.exe
--------------------------------------------------------------------------------
/prefetch/mimikatz.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Purp1eW0lf/quickforensics/4bba42a4bdc7117d4eba8d375b3f2923eb574171/prefetch/mimikatz.exe
--------------------------------------------------------------------------------
/prefetch/readme.md:
--------------------------------------------------------------------------------
# Prefetch

Prefetch files can be found on workstations here:
`C:\Windows\Prefetch\x.pf`

Prefetch is totally absent on Windows SERVERS. Enable with the following
```powershell
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 3 /f;
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" /v MaxPrefetchFiles /t REG_DWORD /d 8192 /f;
Enable-MMAgent -OperationAPI;
net start sysmain
```

## Leveraging Prefetch

Install
```powershell
# Click the link above to download, or use the following PowerShell
wget -usebasicparsing https://f001.backblazeb2.com/file/EricZimmermanTools/PECmd.zip -outfile PECmd.zip ;
Expand-Archive ./PECmd.zip . ;
ls *.exe, *.pf
```

Usage
```powershell
.\PECmd.exe -f ./*.pf -mp
```

--------------------------------------------------------------------------------