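├── Browser_History_Hindsight.ps1
├── CLEAN_ALL_USERS_TMP.ps1
├── Get-BrowserData.ps1
├── Get_RecyleBin
├── Linux_File_Seach.bash
├── Log4j_Linux.bash
├── PSFalcon_Runscript_loop_1_0_OLD_PUBLIC.ps1
├── PSFalcon_Runscript_loop_2_0_PUBLIC.ps1
├── README.md
├── RECON IR.ps1
├── RTR_browsinghistoryview.ps1
├── Remote_Bitlocker_lock.ps1
├── SET_ACL_FORCE_DELETE.ps1
├── SHOW_DISK_SPACE
├── Wavesor_AKA_WebNav.ps1
├── Win10_etl_2_pcap.ps1
├── WinPMEM_Portable.ps1
└── srum_dump2.ps1

/Browser_History_Hindsight.ps1:
--------------------------------------------------------------------------------
# Browser_History_Hindsight.ps1
# Purpose: from a CrowdStrike RTR session, dump the Chrome and Edge history of
# the four most recently modified profile folders under C:\Users with
# hindsight and zip the resulting .xlsx reports under C:\windows\Temp\ftech_temp.
# hindsight.exe is downloaded from GitHub at run time and executed in the RTR
# context; its SHA-256 is printed, and enforced when $ExpectedSha256 is filled in.
Set-Variable -Name ErrorActionPreference -Value SilentlyContinue


echo '-------------------------';
echo 'BE SURE TO ADD -Timeout=600 in the runscript options before you run this script';
echo 'Example :';
echo 'runscript -CloudFile="Browser_History_Hindsight" -Timeout=600';
echo '-------------------------';
echo "[+] INFO: Fetching Latest 4 Users Chrome,Edge History"

$Work = 'C:\windows\Temp\ftech_temp'
$Hindsight = "$Work\hindsight.exe"
# Pin the binary you vetted: set this to its SHA-256 (upper-case hex as
# Get-FileHash prints it). While empty the hash is only reported, not enforced.
$ExpectedSha256 = ''   # placeholder: SHA-256 of the hindsight.exe release you verified

Stop-process -name hindsight -Force

New-Item -Path $Work -ItemType Directory | Out-Null
Invoke-WebRequest -Uri "https://github.com/obsidianforensics/hindsight/releases/download/v2021.12/hindsight.exe" -OutFile $Hindsight

# ErrorActionPreference is SilentlyContinue, so a failed download would
# otherwise go unnoticed and every Start-Process below would silently do nothing.
if (-not (Test-Path -Path $Hindsight)) {
    echo "[-] ERROR: download of hindsight.exe failed; aborting"
    return
}
$ActualSha256 = (Get-FileHash -Path $Hindsight -Algorithm SHA256).Hash
echo "[+] INFO: hindsight.exe SHA256: $ActualSha256"
if ($ExpectedSha256 -and ($ActualSha256 -ne $ExpectedSha256)) {
    echo "[-] ERROR: hindsight.exe hash mismatch (expected $ExpectedSha256); aborting"
    Remove-Item -Path $Hindsight -Force
    return
}


# Four most recently written profile folders. The original enumerated
# "C:\Users\$_" where $_ is unset at script scope, i.e. C:\Users; $_.Name is
# used for the folder name so it does not depend on how DirectoryInfo
# stringifies (that differs between Windows PowerShell and PowerShell 7).
Get-ChildItem -Directory -Path 'C:\Users' -ErrorAction SilentlyContinue -Force | Sort LastWriteTime -Descending | Select-Object -First 4 | ForEach-Object {
    $User = $_.Name
    echo "[+] INFO: Dumping $User MSEdge/Chrome"
    New-Item -Path "$Work\$User Chrome" -ItemType Directory | Out-Null
    New-Item -Path "$Work\$User Edge" -ItemType Directory | Out-Null
    # Both hindsight runs are started in the background; Wait-Process below
    # waits for all of them at once.
    Start-Process -FilePath $Hindsight -ArgumentList " -i `"c:\Users\$User\AppData\Local\Microsoft\Edge\User Data\Default`" -o `"$Work\$User Edge`" " -WorkingDirectory "$Work\$User Edge" -Verbose -WindowStyle Hidden
    Start-Process -FilePath $Hindsight -ArgumentList " -i `"c:\Users\$User\AppData\Local\Google\Chrome\User Data\Default`" -o `"$Work\$User Chrome`" " -WorkingDirectory "$Work\$User Chrome" -Verbose -WindowStyle Hidden

}

echo "[+] INFO: Waiting upto 5 minutes for Hindsight to complete"
# If the timeout expires, hindsight may still be running and the zip below
# will be incomplete; the final "rm" instruction will also fail until it exits.
Wait-Process -Name hindsight -Timeout 300


Get-ChildItem -Path $Work -filter *.xlsx

Get-ChildItem "$Work\" -filter *.xlsx |
    Compress-Archive -Destination "$Work\hindsight.zip" -Force

echo "type: "
echo "get C:\windows\Temp\ftech_temp\hindsight.zip"
echo "Password is infected. When Download is complete the type:"
echo "rm C:\windows\Temp\ftech_temp -force"

--------------------------------------------------------------------------------
/CLEAN_ALL_USERS_TMP.ps1:
--------------------------------------------------------------------------------
# replace GeoComply with the string you want to search for and destroy!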
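
function Write-Message {
<#
.SYNOPSIS
Prints colored messages depending on type
.PARAMETER TYPE
Type of message to be prepended to the message and sets the color:
INFO (green), WARNING (yellow) or ERROR (red). Any other value is printed
as given, in white.
.PARAMETER MESSAGE
Message to be output
#>
[CmdletBinding()]
param (
[string]
$Type,

[string]
$Message
)

    # Defaults for an unrecognised type: the original left $Tag and $Color
    # unset in that case, and -ForegroundColor $null fails to bind.
    $Tag = $Type
    $Color = "White"
    switch ($Type) {
        "INFO"    { $Tag = "INFO" ; $Color = "Green" }
        "WARNING" { $Tag = "WARNING" ; $Color = "Yellow" }
        "ERROR"   { $Tag = "ERROR" ; $Color = "Red" }
    }
    # Write-Host is for the console; echo repeats the message on stdout so it
    # is also captured when the script runs through RTR.
    Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] "$Tag" : "$Message" -ForegroundColor $Color
    echo "$Message"
}



Write-Message -Message "Running Windows Cleanmgr" -Type "INFO"


# Disk Cleanup profile 65: flag every VolumeCaches handler, run
# "cleanmgr /sagerun:65", then remove the flags again so no profile is left behind.
$strKeyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches"
$strValueName = "StateFlags0065"
$subkeys = Get-ChildItem -Path $strKeyPath -Name

ForEach($subkey in $subkeys){
    $null = New-ItemProperty `
        -Path $strKeyPath\$subkey `
        -Name $strValueName `
        -PropertyType DWord `
        -Value 2 `
        -ea SilentlyContinue `
        -wa SilentlyContinue
}

Start-Process cleanmgr `
    -ArgumentList "/sagerun:65" `
    -Wait `
    -NoNewWindow `
    -ErrorAction SilentlyContinue `
    -WarningAction SilentlyContinue

ForEach($subkey in $subkeys){
    $null = Remove-ItemProperty `
        -Path $strKeyPath\$subkey `
        -Name $strValueName `
        -ea SilentlyContinue `
        -wa SilentlyContinue
}






Function Set-Owner {
<#
.SYNOPSIS
Changes owner of a file or folder to another user or group.

.DESCRIPTION
Changes owner of a file or folder to another user or group.
Temporarily enables SeRestorePrivilege, SeBackupPrivilege and
SeTakeOwnershipPrivilege on the current process token (via the embedded
TokenAdjuster class) so ownership can be set regardless of NTFS permissions,
and disables them again in the End block.

.PARAMETER Path
The folder or file that will have the owner changed.

.PARAMETER Account
Optional parameter to change owner of a file or folder to specified account.

Default value is 'Builtin\Administrators'

.PARAMETER Recurse
Recursively set ownership on subfolders and files beneath given folder.

.NOTES
Name: Set-Owner
Author: Boe Prox
Version History:
1.0 - Boe Prox
- Initial Version

.EXAMPLE
Set-Owner -Path C:\temp\test.txt

Description
-----------
Changes the owner of test.txt to Builtin\Administrators

.EXAMPLE
Set-Owner -Path C:\temp\test.txt -Account 'Domain\bprox'

Description
-----------
Changes the owner of test.txt to Domain\bprox

.EXAMPLE
Set-Owner -Path C:\temp -Recurse

Description
-----------
Changes the owner of all files and folders under C:\Temp to Builtin\Administrators

.EXAMPLE
Get-ChildItem C:\Temp | Set-Owner -Recurse -Account 'Domain\bprox'

Description
-----------
Changes the owner of all files and folders under C:\Temp to Domain\bprox
#>
    [cmdletbinding(
        SupportsShouldProcess = $True
    )]
    Param (
        [parameter(ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)]
        [Alias('FullName')]
        [string[]]$Path,
        [parameter()]
        [string]$Account = 'Builtin\Administrators',
        [parameter()]
        [switch]$Recurse
    )
    Begin {
        #Prevent Confirmation on each Write-Debug command when using -Debug
        If ($PSBoundParameters['Debug']) {
            $DebugPreference = 'Continue'
        }
        # Compile the P/Invoke helper once per session; the type reference
        # throws until Add-Type has run.
        Try {
            [void][TokenAdjuster]
        } Catch {
            $AdjustTokenPrivileges = @"
using System;
using System.Runtime.InteropServices;

public class TokenAdjuster
{
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
    ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
    [DllImport("kernel32.dll", ExactSpelling = true)]
    internal static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr
    phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name,
    ref long pluid);
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid
    {
        public int Count;
        public long Luid;
        public int Attr;
    }
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
    // Enables the named privilege on the current process token. Returns the
    // result of AdjustTokenPrivileges only; the earlier OpenProcessToken and
    // LookupPrivilegeValue results are overwritten, not checked.
    public static bool AddPrivilege(string privilege)
    {
        try
        {
            bool retVal;
            TokPriv1Luid tp;
            IntPtr hproc = GetCurrentProcess();
            IntPtr htok = IntPtr.Zero;
            retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
            tp.Count = 1;
            tp.Luid = 0;
            tp.Attr = SE_PRIVILEGE_ENABLED;
            retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
            retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            return retVal;
        }
        catch (Exception)
        {
            // rethrow as-is; "throw ex;" would reset the stack trace
            throw;
        }
    }
    // Disables the named privilege again; same structure as AddPrivilege.
    public static bool RemovePrivilege(string privilege)
    {
        try
        {
            bool retVal;
            TokPriv1Luid tp;
            IntPtr hproc = GetCurrentProcess();
            IntPtr htok = IntPtr.Zero;
            retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
            tp.Count = 1;
            tp.Luid = 0;
            tp.Attr = SE_PRIVILEGE_DISABLED;
            retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
            retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            return retVal;
        }
        catch (Exception)
        {
            throw;
        }
    }
}
"@
            Add-Type $AdjustTokenPrivileges
        }

        #Activate necessary admin privileges to make changes without NTFS perms
        [void][TokenAdjuster]::AddPrivilege("SeRestorePrivilege") #Necessary to set Owner Permissions
        [void][TokenAdjuster]::AddPrivilege("SeBackupPrivilege") #Necessary to bypass Traverse Checking
        [void][TokenAdjuster]::AddPrivilege("SeTakeOwnershipPrivilege") #Necessary to override FilePermissions
    }
    Process {
        ForEach ($Item in $Path) {
            Write-Verbose "FullName: $Item"
            #The ACL objects do not like being used more than once, so re-create them on the Process block
            $DirOwner = New-Object System.Security.AccessControl.DirectorySecurity
            $DirOwner.SetOwner([System.Security.Principal.NTAccount]$Account)
            $FileOwner = New-Object System.Security.AccessControl.FileSecurity
            $FileOwner.SetOwner([System.Security.Principal.NTAccount]$Account)
            $DirAdminAcl = New-Object System.Security.AccessControl.DirectorySecurity
            # Despite the name this is applied to $Item.Directory (a DirectoryInfo),
            # which is why it is a DirectorySecurity object.
            $FileAdminAcl = New-Object System.Security.AccessControl.DirectorySecurity
            $AdminACL = New-Object System.Security.AccessControl.FileSystemAccessRule('Builtin\Administrators','FullControl','ContainerInherit,ObjectInherit','InheritOnly','Allow')
            $FileAdminAcl.AddAccessRule($AdminACL)
            $DirAdminAcl.AddAccessRule($AdminACL)
            Try {
                $Item = Get-Item -LiteralPath $Item -Force -ErrorAction Stop
                If (-NOT $Item.PSIsContainer) {
                    If ($PSCmdlet.ShouldProcess($Item, 'Set File Owner')) {
                        Try {
                            $Item.SetAccessControl($FileOwner)
                        } Catch {
                            # Fallback: grant Administrators FullControl on the parent, then retry.
                            Write-Warning "Couldn't take ownership of $($Item.FullName)! Taking FullControl of $($Item.Directory.FullName)"
                            $Item.Directory.SetAccessControl($FileAdminAcl)
                            $Item.SetAccessControl($FileOwner)
                        }
                    }
                } Else {
                    If ($PSCmdlet.ShouldProcess($Item, 'Set Directory Owner')) {
                        Try {
                            $Item.SetAccessControl($DirOwner)
                        } Catch {
                            Write-Warning "Couldn't take ownership of $($Item.FullName)! Taking FullControl of $($Item.Parent.FullName)"
                            $Item.Parent.SetAccessControl($DirAdminAcl)
                            $Item.SetAccessControl($DirOwner)
                        }
                    }
                    If ($Recurse) {
                        # NOTE(review): the nested call's End block disables the
                        # privileges again while this level is still iterating;
                        # harmless for a token that has them enabled anyway
                        # (SYSTEM, as used below), worth confirming otherwise.
                        [void]$PSBoundParameters.Remove('Path')
                        Get-ChildItem $Item -Force | Set-Owner @PSBoundParameters
                    }
                }
            } Catch {
                Write-Warning "$($Item): $($_.Exception.Message)"
            }
        }
    }
    End {
        #Remove priviledges that had been granted
        [void][TokenAdjuster]::RemovePrivilege("SeRestorePrivilege")
        [void][TokenAdjuster]::RemovePrivilege("SeBackupPrivilege")
        [void][TokenAdjuster]::RemovePrivilege("SeTakeOwnershipPrivilege")
    }
}


Set-Variable -Name ErrorActionPreference -Value SilentlyContinue

# For every profile folder under C:\Users: take ownership of the temp/cache
# folders as SYSTEM (Set-Owner above), then delete them with -Force -Recurse.
# Recent, cookies, Temp and the IE cache are routinely used as evidence in an
# investigation, so this should only run once collection is complete.
# 'Local Settings' is a legacy junction into AppData\Local; NOTE(review):
# confirm Remove-Item -Recurse behaves as intended through it before relying
# on that line.
(Get-ChildItem -Path 'C:\Users\' -Depth 0 -Force -Directory ).Fullname |
ForEach-Object {


    Write-Message -Message "Setting permissions to SYSTEM for $_" -Type "INFO"


    Set-Owner -Recurse -Account '.\SYSTEM' -Path "$_\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\"
    Set-Owner -Recurse -Account '.\SYSTEM' -Path "$_\AppData\Local\History\"
    Set-Owner -Recurse -Account '.\SYSTEM' -Path "$_\AppData\Local\Temp\"
    Set-Owner -Recurse -Account '.\SYSTEM' -Path "$_\AppData\Roaming\Microsoft\Windows\Cookies\"
    Set-Owner -Recurse -Account '.\SYSTEM' -Path "$_\AppData\Roaming\Microsoft\Windows\Recent\"
    Set-Owner -Recurse -Account '.\SYSTEM' -Path "$_\Local Settings\Temporary Internet Files\"


    Write-Message -Message "Removing... $_ Temp Files" -Type "INFO"

    Remove-Item "$_\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\" -Force -Recurse
    Remove-Item "$_\AppData\Local\History\" -Force -Recurse
    Remove-Item "$_\AppData\Local\Temp\" -Force -Recurse
    Remove-Item "$_\AppData\Roaming\Microsoft\Windows\Cookies\" -Force -Recurse
    Remove-Item "$_\AppData\Roaming\Microsoft\Windows\Recent\" -Force -Recurse
    Remove-Item "$_\Local Settings\Temporary Internet Files\" -Force -Recurse

}



# "ALL DONE" is the completion marker the PSFalcon loop scripts in this repo wait for.
echo "ALL DONE"

--------------------------------------------------------------------------------
/Get-BrowserData.ps1:
--------------------------------------------------------------------------------
function Get-BrowserData {
<#
.SYNOPSIS
Dumps Browser Information
Original Author: u/424f424f
Modified by: 51Ev34S
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Enumerates browser history or bookmarks for a Chrome, Edge (Chromium) Internet Explorer,
and/or Firefox browsers on Windows machines.
.PARAMETER Browser
The type of browser to enumerate, 'Chrome', 'Edge', 'IE', 'Firefox' or 'All'
.PARAMETER Datatype
Type of data to enumerate, 'History' or 'Bookmarks'
.PARAMETER UserName
Specific username to search browser information for.
.PARAMETER Search
Term to search for
.EXAMPLE
PS C:\> Get-BrowserData
Enumerates browser information for all supported browsers for all current users.
.EXAMPLE
PS C:\> Get-BrowserData -Browser IE -Datatype Bookmarks -UserName user1
Enumerates bookmarks for Internet Explorer for the user 'user1'.
.EXAMPLE
PS C:\> Get-BrowserData -Browser All -Datatype History -UserName user1 -Search 'github'
Enumerates bookmarks for Internet Explorer for the user 'user1' and only returns
results matching the search term 'github'.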
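#>
    [CmdletBinding()]
    Param
    (
        # Note the accepted value is 'EdgeChromium' (not 'Edge' as the help says).
        [Parameter(Position = 0)]
        [String[]]
        [ValidateSet('Chrome', 'EdgeChromium', 'IE', 'FireFox', 'All')]
        $Browser = 'All',
        [Parameter(Position = 1)]
        [String[]]
        [ValidateSet('History', 'Bookmarks', 'All')]
        $DataType = 'All',
        [Parameter(Position = 2)]
        [String]
        $UserName = '',
        # Used with -match, i.e. as a .NET regex; '' (the default) matches everything.
        [Parameter(Position = 3)]
        [String]
        $Search = ''
    )

    # JSON parser that does not depend on ConvertFrom-Json (PowerShell 3+).
    function ConvertFrom-Json20([object] $item) {
        #http://stackoverflow.com/a/29689642
        Add-Type -AssemblyName System.Web.Extensions
        $ps_js = New-Object System.Web.Script.Serialization.JavaScriptSerializer
        return , $ps_js.DeserializeObject($item)
    }

    # Chromium history: the SQLite file is read as text and URL-looking strings
    # are pulled out by regex, so nothing parses the schema and the result is
    # approximate. NOTE(review): a running browser may hold the file locked —
    # confirm on the target.
    function Get-ChromeHistory {
        $Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History"
        if (-not (Test-Path -Path $Path)) {
            Write-Verbose "[!] Could not find Chrome History for username: $UserName"
        }
        else {
            $Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
            $Value = Get-Content -Path $Path | Select-String -AllMatches $Regex | ForEach-Object { ($_.Matches).Value } | Sort-Object -Unique
            $Value | ForEach-Object {
                if ($_ -match $Search) {
                    New-Object -TypeName PSObject -Property @{
                        User = $UserName
                        Browser = 'Chrome'
                        DataType = 'History'
                        Data = $_
                    }
                }
            }
        }
    }

    # Only the top level of the bookmark bar is listed; nested folders and the
    # other bookmark roots are not walked.
    function Get-ChromeBookmarks {
        $Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"
        if (-not (Test-Path -Path $Path)) {
            Write-Verbose "[!] Could not find Chrome Bookmarks for username: $UserName"
        }
        else {
            $Json = Get-Content $Path
            $Output = ConvertFrom-Json20($Json)
            $Jsonobject = $Output.roots.bookmark_bar.children
            $Jsonobject.url | Sort-Object -Unique | ForEach-Object {
                if ($_ -match $Search) {
                    New-Object -TypeName PSObject -Property @{
                        User = $UserName
                        Browser = 'Chrome'
                        DataType = 'Bookmark'
                        Data = $_
                    }
                }
            }
        }
    }

    # Same approach as Get-ChromeHistory, for the Chromium-based Edge profile.
    function Get-EdgeChromiumHistory {
        $Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Microsoft\Edge\User Data\Default\History"
        if (-not (Test-Path -Path $Path)) {
            Write-Verbose "[!] Could not find Edge History for username: $UserName"
        }
        else {
            $Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
            $Value = Get-Content -Path $Path | Select-String -AllMatches $Regex | ForEach-Object { ($_.Matches).Value } | Sort-Object -Unique
            $Value | ForEach-Object {
                if ($_ -match $Search) {
                    New-Object -TypeName PSObject -Property @{
                        User = $UserName
                        Browser = 'Edge(Chromium)'
                        DataType = 'History'
                        Data = $_
                    }
                }
            }
        }
    }

    # Same approach as Get-ChromeBookmarks, for the Chromium-based Edge profile.
    function Get-EdgeChromiumBookmarks {
        $Path = "$Env:systemdrive\Users\$UserName\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks"
        if (-not (Test-Path -Path $Path)) {
            Write-Verbose "[!] Could not find Edge Bookmarks for username: $UserName"
        }
        else {
            $Json = Get-Content $Path
            $Output = ConvertFrom-Json20($Json)
            $Jsonobject = $Output.roots.bookmark_bar.children
            $Jsonobject.url | Sort-Object -Unique | ForEach-Object {
                if ($_ -match $Search) {
                    New-Object -TypeName PSObject -Property @{
                        User = $UserName
                        Browser = 'Edge(Chromium)'
                        DataType = 'Bookmark'
                        Data = $_
                    }
                }
            }
        }
    }

    # IE "TypedURLs" from every loaded user hive under HKEY_USERS. This walks
    # all users, not just -UserName; the User field is the account the SID
    # translates to (the original reported $UserName here by mistake).
    function Get-InternetExplorerHistory {
        #https://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/
        $Null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
        $Paths = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }

        ForEach ($Path in $Paths) {
            $User = ([System.Security.Principal.SecurityIdentifier] $Path.PSChildName).Translate( [System.Security.Principal.NTAccount]) | Select-Object -ExpandProperty Value
            # Registry-provider path of the hive, used to build the key path below.
            $Path = $Path | Select-Object -ExpandProperty PSPath
            $UserPath = "$Path\Software\Microsoft\Internet Explorer\TypedURLs"
            if (-not (Test-Path -Path $UserPath)) {
                Write-Verbose "[!] Could not find IE History for SID: $Path"
            }
            else {
                Get-Item -Path $UserPath -ErrorAction SilentlyContinue | ForEach-Object {
                    $Key = $_
                    $Key.GetValueNames() | ForEach-Object {
                        $Value = $Key.GetValue($_)
                        if ($Value -match $Search) {
                            New-Object -TypeName PSObject -Property @{
                                User = $User
                                Browser = 'IE'
                                DataType = 'History'
                                Data = $Value
                            }
                        }
                    }
                }
            }
        }
    }

    # Every .url file under C:\Users whose path contains 'Favorites'; the user
    # is taken from the third path element (C:\Users\<name>\...).
    function Get-InternetExplorerBookmarks {
        $URLs = Get-ChildItem -Path "$Env:systemdrive\Users\" -Filter "*.url" -Recurse -ErrorAction SilentlyContinue
        ForEach ($URL in $URLs) {
            if ($URL.FullName -match 'Favorites') {
                $User = $URL.FullName.split('\')[2]
                Get-Content -Path $URL.FullName | ForEach-Object {
                    try {
                        if ($_.StartsWith('URL')) {
                            # parse the .url body to extract the actual bookmark location
                            # (kept in its own variable instead of overwriting the loop's $URL;
                            # the stray non-printing character the original had on the next
                            # line is dropped)
                            $Target = $_.Substring($_.IndexOf('=') + 1)
                            if ($Target -match $Search) {
                                New-Object -TypeName PSObject -Property @{
                                    User = $User
                                    Browser = 'IE'
                                    DataType = 'Bookmark'
                                    Data = $Target
                                }
                            }
                        }
                    }
                    catch {
                        # $_ here is the error record, not the line
                        Write-Verbose "Error parsing url: $_"
                    }
                }
            }
        }
    }

    # Firefox history: places.sqlite of each profile folder, regex-scanned like
    # the Chromium history above. Each profile is handled on its own, where the
    # original concatenated all profile paths into a single Get-Content argument.
    function Get-FireFoxHistory {
        $Path = "$Env:systemdrive\Users\$UserName\AppData\Roaming\Mozilla\Firefox\Profiles\"
        if (-not (Test-Path -Path $Path)) {
            Write-Verbose "[!] Could not find FireFox History for username: $UserName"
        }
        else {
            # '*.default*' also matches the '*.default-release' folder newer
            # Firefox versions use; the original '*.default' missed it.
            $Profiles = Get-ChildItem -Path "$Path\*.default*" -ErrorAction SilentlyContinue
            $Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
            ForEach ($FfProfile in $Profiles) {
                $Places = Join-Path -Path $FfProfile.FullName -ChildPath 'places.sqlite'
                if (-not (Test-Path -Path $Places)) { continue }
                $Value = Get-Content $Places | Select-String -Pattern $Regex -AllMatches | ForEach-Object { ($_.Matches).Value } | Sort-Object -Unique
                $Value | ForEach-Object {
                    if ($_ -match $Search) {
                        New-Object -TypeName PSObject -Property @{
                            User = $UserName
                            Browser = 'Firefox'
                            DataType = 'History'
                            Data = $_
                        }
                    }
                }
            }
        }
    }

    if (!$UserName) {
        $UserName = "$ENV:USERNAME"
    }
    if (($Browser -Contains 'All') -or ($Browser -Contains 'Chrome')) {
        if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
            Get-ChromeHistory
        }
        if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
            Get-ChromeBookmarks
        }
    }
    # 'EdgeChromium' is the value ValidateSet accepts; the original tested for
    # 'Edge', so Edge data was only ever returned with -Browser All.
    if (($Browser -Contains 'All') -or ($Browser -Contains 'EdgeChromium')) {
        if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
            Get-EdgeChromiumHistory
        }
        if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
            Get-EdgeChromiumBookmarks
        }
    }
    if (($Browser -Contains 'All') -or ($Browser -Contains 'IE')) {
        if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
            Get-InternetExplorerHistory
        }
        if (($DataType -Contains 'All') -or ($DataType -Contains 'Bookmarks')) {
            Get-InternetExplorerBookmarks
        }
    }
    if (($Browser -Contains 'All') -or ($Browser -Contains 'FireFox')) {
        if (($DataType -Contains 'All') -or ($DataType -Contains 'History')) {
            Get-FireFoxHistory
        }
    }
}


# Run for the most recently modified profile folder under C:\Users only.
(Get-ChildItem "c:\Users" | Sort-Object LastWriteTime -Descending | Select-Object Name -first 1).Name |ForEach-Object {
    Write-Host Checking: $_
    Get-BrowserData -UserName $_
}

--------------------------------------------------------------------------------
/Get_RecyleBin: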
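--------------------------------------------------------------------------------
# Get_RecyleBin
# Lists recycle-bin entries as "<user>\t<original path from the $I record>\t<path>"
# by walking C:\$Recycle.Bin three levels deep.
# It relies on the order Get-ChildItem returns entries in: the per-user SID
# folder is seen first (sets $VarUser), then each $I... metadata file (sets
# $VarMeta), then its $R... data counterpart.
Set-Variable -Name ErrorActionPreference -Value SilentlyContinue


echo '-------------------------';
echo "[+] INFO: Dumping Recycle Bin only 3 paths deep"
echo '-------------------------';

# single quotes keep '$Recycle.Bin' literal
(Get-ChildItem -Path 'C:\$Recycle.Bin' -Force -Recurse -depth 3 ) | select * | ForEach-Object {
    if (($_).Name -match '\$I') {
        # $I files are read as text: everything up to (and one character past)
        # the first 0x01 byte of the header is dropped and the NULs of the
        # UTF-16 path are stripped, leaving the original path.
        # NOTE(review): a 0x01 byte elsewhere in the size/timestamp fields would
        # truncate the path — confirm against real records.
        $VarMeta = "$((Get-Content ($_).FullName) -replace '.*\u0001.','' -replace '\u0000','')"
        Clear-Variable -Name varPath
    }
    if (($_).Name -match 'S-.-.-.'){
        # per-user folder named after the SID; translate it to an account name
        $VarUser = "$((New-Object System.Security.Principal.SecurityIdentifier(($_).BaseName)).Translate([System.Security.Principal.NTAccount]).value)"
    }
    if (($_).Name -match '\$R'){
        Clear-Variable -Name varPath
    } else {
        # $I files and SID folders both end up here and print a row
        $varPath = "$($_.FullName)"
        Write-Output "$($VarUser)`t$($VarMeta)`t$($varPath)"
        Clear-Variable -Name varPath,VarMeta
    }

}

--------------------------------------------------------------------------------
/Linux_File_Seach.bash:
--------------------------------------------------------------------------------
#!/bin/bash
# Linux_File_Seach.bash
# Look for log4j*.jar on a Linux host from an RTR session. A full "find /"
# is too slow for one runscript call, so the search is handed to atd and its
# output collected on a later run: the first run schedules the job, a later
# run prints what has been collected followed by "ALL DONE" (the marker the
# PSFalcon loop scripts in this repo wait for).
#
# State lives in $AT_OUT / $AT_SH (default /tmp/at.out, /tmp/at.sh). /tmp is
# world-writable, so an unprivileged local user could pre-create or replace
# these files and the result printed here would be whatever they wrote; point
# the variables at a root-only directory where that matters.
at_out=${AT_OUT:-/tmp/at.out}
at_sh=${AT_SH:-/tmp/at.sh}

locate "log4j*.jar" 2> /dev/null
lsof -w| grep -ia log4j

# start AT and wait
echo 'If you get errors with AT command you may need to install it or start atd manualy'
systemctl start atd
sleep 20

# -f follows symlinks; refuse a symlink or a file we do not own so a planted
# result file is not reported as ours.
if [ -f "$at_out" ] && [ ! -L "$at_out" ] && [ -O "$at_out" ]
then
  echo "$at_out found showing contents"
  cat "$at_out"
  # $HOSTNAME is set by bash; the original printed "$Env:computername $HOST",
  # PowerShell syntax that expands to nothing here.
  echo "ALL DONE ${HOSTNAME:-$(hostname)}"
else
  echo "$at_out not found running search"
  # kill any earlier run of *this* search only; a bare "killall find" would
  # also take out unrelated find processes on the host
  pkill -f 'find / -iname log4j\*\.jar' 2> /dev/null
  # recreate the job file rather than writing through whatever is there
  rm -f -- "$at_sh"
  printf 'find / -iname "log4j*.jar" | tee -a %s\n' "$at_out" > "$at_sh"
  at now + 1 minutes < "$at_sh"
fi


# too slow ... look at open files and there paths / ALL subfolders!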
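# for i in `lsof -F n | grep ^n/ | cut -c2- | sort -u | grep -vE "(\.so$)" | xargs dirname|grep -iavE "(\bdev\b|proc|^\/$)"|sort -u`;do echo Path: "${i}" ;find "${i}" -iname "log4j*.jar" ;done 2> /dev/null

--------------------------------------------------------------------------------
/Log4j_Linux.bash:
--------------------------------------------------------------------------------
#!/bin/bash
# Log4j_Linux.bash
# Look for log4j*.jar on a Linux host from an RTR session. A full "find /"
# is too slow for one runscript call, so the search is handed to atd and its
# output collected on a later run: the first run schedules the job, a later
# run prints what has been collected followed by "ALL DONE" (the marker the
# PSFalcon loop scripts in this repo wait for).
#
# State lives in $AT_OUT / $AT_SH (default /tmp/at.out, /tmp/at.sh). /tmp is
# world-writable, so an unprivileged local user could pre-create or replace
# these files and the result printed here would be whatever they wrote; point
# the variables at a root-only directory where that matters.
# PATH is pinned so locate/lsof/at resolve to system binaries only.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
at_out=${AT_OUT:-/tmp/at.out}
at_sh=${AT_SH:-/tmp/at.sh}

locate "log4j*.jar" 2> /dev/null
lsof -w| grep -ia log4j

# start AT and wait
echo 'If you get errors with AT command you may need to install it or start atd manualy'
systemctl start atd
sleep 20

# -f follows symlinks; refuse a symlink or a file we do not own so a planted
# result file is not reported as ours.
if [ -f "$at_out" ] && [ ! -L "$at_out" ] && [ -O "$at_out" ]
then
  echo "$at_out found showing contents"
  cat "$at_out"
  # $HOSTNAME is set by bash; the original printed "$Env:computername $HOST",
  # PowerShell syntax that expands to nothing here.
  echo "ALL DONE ${HOSTNAME:-$(hostname)}"
else
  echo "$at_out not found running search"
  # kill any earlier run of *this* search only; a bare "killall find" would
  # also take out unrelated find processes on the host
  pkill -f 'find / -iname log4j\*\.jar' 2> /dev/null
  # recreate the job file rather than writing through whatever is there
  rm -f -- "$at_sh"
  printf 'find / -iname "log4j*.jar" | tee -a %s\n' "$at_out" > "$at_sh"
  at now + 1 minutes < "$at_sh"
fi


# too slow ... look at open files and there paths / ALL subfolders!
# for i in `lsof -F n | grep ^n/ | cut -c2- | sort -u | grep -vE "(\.so$)" | xargs dirname|grep -iavE "(\bdev\b|proc|^\/$)"|sort -u`;do echo Path: "${i}" ;find "${i}" -iname "log4j*.jar" ;done 2> /dev/null

--------------------------------------------------------------------------------
/PSFalcon_Runscript_loop_1_0_OLD_PUBLIC.ps1:
--------------------------------------------------------------------------------
#ChangeLog:
# 2020/11/24: inital pre-alpha:
# *added count of hostsname in filter so you can get an idea of how may host are vvalid from the target list
# *added script name as argument

#Todo:
# sort out oneoff aid lookup issue..
# increase timeout on error and retry aid ?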
9 | # return if host is online via aid 10 | # all scripts must output "ALL DONE" as the last step 11 | # set isolate true/false flag .... ?????? 12 | # set debug flag for all DEBUG lines 13 | # logging of output/error to uniq file name along with input file hostnames 14 | # sort out if offline_que is possible 15 | # check auth 16 | # check script name 17 | # check script for "ALL DONE" as last few lines 18 | # change [+] to MSF style for error output etc .. 19 | 20 | 21 | # timout for runscript to complete/connect ? 22 | $VARTIMEOUT=90 23 | # keys to auth for API 24 | $key = "731e9XXXXXXXXXXXXXXXXXX774" 25 | $secret = "0GXXXXXXXXXXXXXXXXXXXXXXXAQ" 26 | # Scriptname to execute on hosts 27 | $SCRIPTNAME="WeXXXXXXXXXXXXXXXXXXser" 28 | # RTR group to be added (this can take upto 20min to apply even if host is online ) 29 | $RTRGROUPID="2580XXXXXXXXXXXXXXXXXXXXX29efa1" 30 | 31 | 32 | 33 | # resetting Variables 34 | Clear-Variable Request -Scope Global 35 | Clear-Variable HostId -Scope Global 36 | Clear-Variable Batch -Scope Global 37 | Clear-Variable filter -Scope Global 38 | 39 | 40 | 41 | 42 | # FUNCTIONS ############################################################################################## 43 | 44 | function CHECKER { 45 | foreach ($AID in $HostId) { 46 | $HOSTNAME = (Get-CsHostInfo -Id $AID).resources.hostname 47 | # DEBUG Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Hostname of $AID is $HOSTNAME 48 | if (($Request.combined.resources.$AID.stdout) -match "ALL DONE") { 49 | # DEBUG Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Removing aid: $AID host: $HOSTNAME from the list$ 50 | $global:HostId = $HostId | Where-Object { $_ –ne "$AID" } 51 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Showing output of command for hostname: $HOSTNAME `t aid: $AID 52 | Write-Host $Request.combined.resources.$AID.stdout -ForegroundColor Green | out-string -Width 9999 53 | } ELSE { 54 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] ERROR: 
Hostname: $HOSTNAME `t output is null host likly not online or in RTR group stderr: ($Request.combined.resources.$AID.stderr) -ForegroundColor Red 55 | } 56 | } 57 | } 58 | 59 | function RUNIT { 60 | 61 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Batch initializing a RTR session on ($HostId | Measure-Object -Line).Lines hostnames for script $SCRIPTNAME ... 62 | $global:Batch = Start-RtrBatch -Id $HostId 63 | 64 | if (($Batch.batch_id).Length -eq "" ) { 65 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] WARNING: Unable to get any sessions -ForegroundColor Yellow 66 | } ELSE { 67 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Batch id is: $Batch.batch_id 68 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Attempting to run scripts on (($HostId | Measure-Object -Line).Lines) HostIds with a $VARTIMEOUT second timeout... -ForegroundColor Green 69 | # WARNING WARNING WARNING WARNING !!!!! IF YOU ADD -verbose -debug it breaks the output of the $Request it would seem! 70 | $global:Request = Send-RtrCommand -Id $Batch.batch_id -Command runscript -String "-CloudFile='$SCRIPTNAME'" -Timeout $VARTIMEOUT 71 | 72 | #return 73 | } 74 | 75 | 76 | 77 | } 78 | 79 | 80 | function Enumerate-ObjectProperties { 81 | 82 | $script:Level = 1 83 | 84 | param ( 85 | 86 | [psobject] $Object, 87 | 88 | [int32] $Depth = 10, 89 | 90 | [string] $Root 91 | 92 | ) 93 | 94 | 95 | 96 | Write-Output $($Object.PSObject.Properties | Format-Table @{ Label = 'Type'; Expression = { "[$($($_.TypeNameOfValue).Split('.')[-1])]" } }, Name, Value -AutoSize -Wrap | Out-String) 97 | 98 | 99 | 100 | foreach ($Property in $Object.PSObject.Properties) { 101 | 102 | # Strings always have a single property "Length". Do not enumerate this. 103 | 104 | if (($Property.TypeNameOfValue -ne 'System.String') -and ($($Object.$($Property.Name).PSObject.Properties)) -and ($Level -le $Depth)) { 105 | 106 | $NewRoot = $($($Root + '.' 
+ $($Property.Name)).Trim('.')) 107 | 108 | $Level++ 109 | 110 | Write-Output "Property: $($NewRoot) (Level: $Level)" 111 | 112 | Enumerate-ObjectProperties -Object $($Object.$($Property.Name)) -Root $NewRoot 113 | 114 | $Level-- 115 | 116 | } 117 | 118 | } 119 | 120 | } 121 | 122 | 123 | 124 | 125 | 126 | # MAIN ############################################################################################## 127 | Out-Default; Clear-Host; 128 | 129 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: All uploaded scripts must have '''echo "ALL DONE"''' at the end to ensure they run properly -ForegroundColor Yellow 130 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Geting auth token 131 | Get-CsToken -Id "$key" -Secret "$secret" 132 | 133 | 134 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Opening input file for hostsnames 135 | cd "$env:TEMP" 136 | Start-Process notepad.exe input.txt -NoNewWindow -Wait 137 | [string[]]$INPUTFILE = Get-Content -Path 'input.txt' 138 | 139 | foreach($i in $INPUTFILE) { 140 | $filter = $filter + "hostname:'$i'," 141 | } 142 | 143 | 144 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Resolving ([regex]::Matches($filter, "hostname" )).count Ids of hostnames 145 | 146 | 147 | $global:Batch 148 | 149 | $global:HostId = (Get-CsHostId -Filter "$filter" -OutVariable Batch ).resources 150 | 151 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Got (($HostId | Measure-Object -Line).Lines) HostIds 152 | 153 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Unhiding Ids from UI 154 | Show-CsHost -Id $HostId | Out-Null 155 | 156 | Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Adding hostnames to INVESTIGATE group 157 | Add-CsGroupMember -Id $RTRGROUPID -Hosts $HostId | Out-Null 158 | 159 | 160 | #Write-Host (Get-Date -UFormat “%m/%d/%Y %T”) [+] INFO: Isolating hostnames until script is done! 
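#Start-CsContain -Id $HostId


# Compare the number of hostnames requested with the number of AIDs resolved
# ($filter holds one "hostname:'...'" term per line of input.txt).
$RequestedCount = ([regex]::Matches($filter, "hostname")).Count
$ResolvedCount = ($HostId | Measure-Object -Line).Lines
if ($RequestedCount -eq $ResolvedCount) {
    Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] INFO: Resolved all hostnames successfully -ForegroundColor Green
} else {
    Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] ERROR: Unable to resolve all hostnames in input file be sure hostnames are in CS and not hidden -ForegroundColor Red
    Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] WARNING: Looking up $RequestedCount hostnames -ForegroundColor Yellow
    foreach ($i in $INPUTFILE) {
        # A blank line in input.txt would otherwise be queried as hostname:''.
        if ([string]::IsNullOrWhiteSpace($i)) { continue }
        $AIDLOOKUP = (Get-CsHostId -Filter "hostname:'$i',").resources
        #Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] INFO: Hostname: $i aid: $AIDLOOKUP
        # When the lookup returns nothing $AIDLOOKUP is $null, and "$null.Length -eq 0"
        # evaluates to false, so the previous test never reported the failed host.
        if (-not $AIDLOOKUP) {
            Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] ERROR: Hostname: $i failed aid lookup this host may be hidden -ForegroundColor Red
        }
    }
}


# Run the script and poll until no hosts remain. CHECKER (defined above) is
# expected to drop finished hosts from $HostId; there is no retry limit, so a
# host that never completes keeps this loop alive until the operator stops it.
# Measure-Object is used because "$null.Count -ne 0" is true and would loop
# forever when nothing resolved at all.
while (($HostId | Measure-Object).Count -gt 0) {
    RUNIT
    CHECKER

    if (($HostId | Measure-Object).Count -eq 0) {
        Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] INFO: ($HostId).count hostnames to run process complete! -ForegroundColor Green
        break
    }
    Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] WARNING: Waiting $VARTIMEOUT seconds to retry ($HostId).count hostnames -ForegroundColor Yellow
    Start-Sleep -Seconds $VARTIMEOUT
}



# Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] INFO: Running Confirm-RtrBatch to get status of job
# Confirm-RtrBatch -Id $Batch.batch_id

# NOTE(review): the group removal and un-contain steps below are disabled, so every
# host added to $RTRGROUPID earlier in this script stays in that group after the run.
# Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] INFO: Removing Ids from INVESTIGATE group
#Remove-CsGroupMember -Id $RTRGROUPID -Hosts $HostId

# Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] INFO: UnIsolating hostnames
#Stop-CsContain -Id $HostId -Verbose -Debug

# use the Enumerate-ObjectProperties function to sort out any issues with objects/variables etc...
#Enumerate-ObjectProperties -Object $Request

-------------------------------------------------------------------------------- /PSFalcon_Runscript_loop_2_0_PUBLIC.ps1: --------------------------------------------------------------------------------
#██╗ ██╗ █████╗ ██████╗ ███╗ ██╗██╗███╗ ██╗ ██████╗
#██║ ██║██╔══██╗██╔══██╗████╗ ██║██║████╗ ██║██╔════╝
#██║ █╗ ██║███████║██████╔╝██╔██╗ ██║██║██╔██╗ ██║██║ ███╗
#██║███╗██║██╔══██║██╔══██╗██║╚██╗██║██║██║╚██╗██║██║ ██║
#╚███╔███╔╝██║ ██║██║ ██║██║ ╚████║██║██║ ╚████║╚██████╔╝
# ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝╚═╝ ╚═══╝ ╚═════╝
### DO NOT SHARE THIS SCRIPT IT HAS PA$$WORDS IN IT !!!!



# Reference: https://www.reddit.com/r/PowerShell/comments/867755/function_to_write_to_global_variable/
# https://www.reddit.com/r/crowdstrike/comments/l6yed2/psfalcon2_run_script/

# INIT ##############################################################################################

# timeout for runscript to complete/connect ?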
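#$VARTIMEOUT = "600"
$VARTIMEOUT = "600"
# keys to auth for API
# NOTE(review): the API client id/secret live in clear text in this file (hence the
# "DO NOT SHARE" banner above); loading them from a secret store or the environment
# at run time keeps them out of the script and out of version control.
$key = "XXXXXXXXXXXXXXXXXXX"
$secret = "XXXXXXXXXXXXXXXXXXXXXXX"
# Scriptname to execute on hosts
$SCRIPTNAME = "Remote_Bitlocker_Secure_Wipe"
# RTR group to be added (this can take up to 20min to apply even if host is online )
$RTRGROUPID = "XXXXXXXXXXXXXXXXXXXXXXXXXXX"

# Destination cloud
$CLOUD = "us-1"

# Child environment to use for authentication in multi-CID configurations
$MEMBERCID = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"




# FUNCTIONS ##############################################################################################

function Get-CSInputFile {
    <#
    .SYNOPSIS
        Opens the input file (one hostname per line) in notepad, waits for it to be
        closed, then returns a Falcon FQL filter fragment built from its lines.
    .PARAMETER CSFilePath
        Path of the input file.
    .OUTPUTS
        String of the form "hostname:'a',hostname:'b'," (trailing comma included;
        the caller strips it). Blank lines and entries containing a single quote
        are skipped.
    #>
    [CmdletBinding()]
    param (
        [string]
        $CSFilePath
    )
    Write-Message -Message "Opening input file $CSFilePath for hostnames" -Type "INFO"
    Start-Process notepad.exe "$CSFilePath" -NoNewWindow -Wait
    # Keep the path and the file contents in separate variables.
    [string[]]$HostNames = Get-Content -Path "$CSFilePath"
    $filter = ""
    foreach ($HostName in $HostNames) {
        $HostName = $HostName.Trim()
        # Each "hostname:" term is later counted as an expected host, so an empty
        # entry inflates the count and makes the resolve check fail.
        if (-not $HostName) { continue }
        # A single quote would terminate the FQL string literal; refuse such an
        # entry rather than send a malformed filter to the API.
        if ($HostName.Contains("'")) {
            Write-Message -Message "Skipping invalid hostname entry: $HostName" -Type "WARNING"
            continue
        }
        $filter += "hostname:'$HostName',"
    }
    return $filter
}




function Write-Message {
    <#
    .SYNOPSIS
        Prints a timestamped, colour-coded message to the host.
    .PARAMETER Type
        INFO (green), WARNING (yellow) or ERROR (red). Any other value is printed
        as the tag in the default console colour instead of failing on a null
        -ForegroundColor.
    .PARAMETER Message
        Text to print.
    #>
    [CmdletBinding()]
    param (
        [string]
        $Type,

        [string]
        $Message
    )

    switch ($Type) {
        "INFO"    { $Tag = "INFO";    $Color = "Green" }
        "WARNING" { $Tag = "WARNING"; $Color = "Yellow" }
        "ERROR"   { $Tag = "ERROR";   $Color = "Red" }
        default   { $Tag = $Type;     $Color = $null }
    }
    # Same layout as before: "<date> [+] <TAG> : <message>".
    $Line = "$(Get-Date -UFormat "%m/%d/%Y %T") [+] $Tag : $Message"
    if ($Color) {
        Write-Host $Line -ForegroundColor $Color
    } else {
        Write-Host $Line
    }
}


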
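

function Critical-Error {
    <#
    .SYNOPSIS
        Prints a fatal error message and terminates the script with a non-zero
        exit code (the previous bare "exit" reported success to the caller).
    #>
    Write-Host (Get-Date -UFormat "%m/%d/%Y %T") [+] ERROR: There has been a Critical Error -ForegroundColor Red
    exit 1
}
# The call sites in MAIN invoke Critical_Error (underscore) while the function is
# named Critical-Error (hyphen); without this alias those calls fail with
# "not recognized" and the script carries on past a fatal condition.
Set-Alias -Name Critical_Error -Value Critical-Error




function Enumerate-ObjectProperties {
    <#
    .SYNOPSIS
        Debug helper: writes an object's properties as a table and recurses into
        nested objects up to -Depth levels.
    .PARAMETER Object
        Object to dump.
    .PARAMETER Depth
        Maximum recursion depth (default 10).
    .PARAMETER Root
        Dotted property path of $Object, used in the output labels.
    .PARAMETER Level
        Current recursion level; callers normally leave the default of 1.
    .NOTES
        param() must be the first statement in the body; the previous version put
        "$script:Level = 1" before it, which also reset the counter on every
        recursive call so the depth limit never applied, and it did not pass
        -Depth down, so nested calls fell back to the default.
    #>
    param (
        [psobject] $Object,
        [int32] $Depth = 10,
        [string] $Root,
        [int32] $Level = 1
    )

    Write-Output $($Object.PSObject.Properties | Format-Table @{ Label = 'Type'; Expression = { "[$($($_.TypeNameOfValue).Split('.')[-1])]" } }, Name, Value -AutoSize -Wrap | Out-String)

    foreach ($Property in $Object.PSObject.Properties) {
        # Strings always have a single property "Length". Do not enumerate this.
        $Child = $Object.$($Property.Name)
        if (($Property.TypeNameOfValue -ne 'System.String') -and ($Child.PSObject.Properties) -and ($Level -le $Depth)) {
            $NewRoot = ($Root + '.' + $Property.Name).Trim('.')
            Write-Output "Property: $NewRoot (Level: $($Level + 1))"
            Enumerate-ObjectProperties -Object $Child -Depth $Depth -Root $NewRoot -Level ($Level + 1)
        }
    }
}



function Get-CSIds {
    <#
    .SYNOPSIS
        Resolves a Falcon FQL host filter to a comma-separated string of device IDs.
    .PARAMETER CSHOSTS
        Host filter in FQL form (e.g. "hostname:'a',hostname:'b'").
    .OUTPUTS
        Comma-separated device IDs with no trailing comma; an empty string when
        nothing resolved.
    #>
    [CmdletBinding()]
    param (
        [string]
        $CSHOSTS
    )

    $CSHostList = Get-FalconHost -Filter "$CSHOSTS"
    # -join stringifies each element and needs no trailing-comma trim.
    return (@($CSHostList) -join ',')
}




# MAIN ##############################################################################################

# Assign before logging: the location was previously logged before $VARCD was set.
$VARCD = (Get-Location)
Write-Message -Message "Setting location to $VARCD" -Type "WARNING"

Out-Default

# want to keep scroll back
#Clear-Host

# Install the module from the PowerShell Gallery if missing, otherwise update it.
# (The previous version called Update-Module before checking for the install and
# also downloaded a GitHub release zip that was expanded but never imported.)
If (-not (Get-InstalledModule PSFalcon -ErrorAction SilentlyContinue)) {
    Write-Message -Message "Downloading PSFalcon" -Type "WARNING"
    Install-Module -Name PSFalcon -Scope CurrentUser
} else {
    Write-Message -Message "Updating PSFalcon" -Type "WARNING"
    Update-Module -Name PSFalcon
}

#bug in Clear-Host to sleep to let screen clear properly
Start-Sleep -s 1

Write-Message -Message "All uploaded scripts must have echo ALL DONE at the end to ensure they run properly" -Type "WARNING"

# IMPORT MODULE (single guarded import; an earlier unguarded duplicate was removed).
# Nothing below can work without the module, so an import failure is fatal.
try {
    Write-Message -Message "Loading PSFalcon Module" -Type "INFO"
    Import-Module -Name PSFalcon -ErrorAction Stop
} catch {
    Write-Message -Message "import-Module -Name PSFalcon failed please install PSFalcon and dependencies" -Type "ERROR"
    Write-Error $_
    Critical_Error
}


# REQUEST TOKEN

Write-Message -Message "Requesting Authentication Token" -Type "INFO"

try {
    Request-FalconToken -ClientId "$key" -ClientSecret "$secret" -Cloud "$CLOUD" -ErrorAction Stop
} catch {
    Write-Message -Message "Requesting Authentication Token failed trying with CID $MEMBERCID" -Type "WARNING"
    try {
        # -MemberCid selects the child CID. The previous call passed -ClientSecret
        # twice (a parameter-binding error) and lacked -ErrorAction Stop, so the
        # catch below never ran.
        Request-FalconToken -ClientId "$key" -ClientSecret "$secret" -Cloud "$CLOUD" -MemberCid "$MEMBERCID" -ErrorAction Stop
    } catch {
        Write-Message -Message "Requesting Authentication Token failed with CID $MEMBERCID" -Type "ERROR"
        Write-Error $_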
Critical_Error; 229 | } 230 | } 231 | 232 | 233 | # TEST CONNECTIVITY 234 | try { 235 | Get-FalconCCID | Out-Null 236 | } catch { 237 | Write-Message -Message "Token Test Failed" -Type "ERROR" 238 | Write-Error $_ 239 | Critical_Error; 240 | } 241 | 242 | 243 | # OPEN INPUT FILE 244 | 245 | $GetCSInputFileOutput = Get-CSInputFile -CSFilePath "$env:TEMP\input.txt" 246 | 247 | # get host count 248 | $HostCount = ([regex]::Matches($GetCSInputFileOutput, "hostname" )).count 249 | 250 | Write-Message -Message "Resolving $HostCount ids " -Type "INFO" 251 | 252 | # NOT WORKING !?!?!?! $CSIdsOut = Get-CSIds -CSHOSTS "$GetCSInputFileOutput" 253 | # working but not really $CSIdsOut = Get-FalconHost -Filter "$GetCSInputFileOutput" 254 | 255 | # trim trailing , in list of AIDs 256 | $GetCSInputFileOutput = $GetCSInputFileOutput -replace ',$','' 257 | 258 | $CSIdsOut = Get-CSIds -CSHOSTS "$GetCSInputFileOutput" 259 | 260 | 261 | 262 | 263 | #convert CSIdsOut to an array 264 | $CSIdsOut = $CSIdsOut -split ',' 265 | 266 | #count resolved CSIdsOut and compare 267 | 268 | $CSIdsOutCount = $CSIdsOut.count 269 | 270 | if (($CSIdsOutCount) -eq ($HostCount)) { 271 | Write-Message -Message "Resolved all hostnames successfully" -Type "INFO" 272 | } ELSE { 273 | Write-Message -Message "Unable to resolve all hostnames in input file be sure hostnames are in CS and not hidden. 
Resolved $CSIdsOutCount of $HostCount hosts" -Type "WARNING" 274 | } 275 | 276 | 277 | Write-Message -Message "Running script: $SCRIPTNAME on $CSIdsOutCount hosts with maximum timeout of $VARTIMEOUT seconds" -Type "INFO" 278 | Invoke-FalconRTR -Command runscript -Arguments "-CloudFile=$SCRIPTNAME" -HostIds $CSIdsOut -QueueOffline $True -Timeout $VARTIMEOUT | Out-File -FilePath "$VARCD\output.txt" -Width 999999999 279 | 280 | 281 | Start-Sleep -Seconds 5 282 | 283 | Write-Message -Message "Showing contents of $VARCD\output.txt " -Type "INFO" 284 | 285 | Get-Content "$VARCD\output.txt" 286 | 287 | Write-Message -Message "Open the CSV below or run the Get-FalconQueue again to get status output to a new CSV file" -Type "INFO" 288 | Get-FalconQueue -Verbose 289 | 290 | 291 | Get-FalconQueue | Where-Object name -like *.exe 292 | 293 | exit 294 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # More Stuff: 2 | 3 | https://github.com/freeload101/SCRIPTS/tree/master/CrowdStrike%20Threat%20Hunting 4 | 5 | https://github.com/freeload101/SCRIPTS/tree/master/Bash/CS_BADGER 6 | 7 | # CrowdStrike_RTR_Powershell_Scripts 8 | 9 | RTR_browsinghistoryview.ps1 10 | ![image](https://user-images.githubusercontent.com/4307863/182012315-44fd283d-8219-491d-8d61-c4d5d27bbf13.png) 11 | 12 | Getting into RTR scripting 13 | 14 | 15 | * add my Rekall / yara scrtipts ( full powershell ) 16 | * search / find a IR powershell script ( I have url some place ... I just can't find it .. ) 17 | * https://github.com/KurtDeGreeff/PlayPowershell ( add anything cool from here ) 18 | * RTR to zip all the info up and pull it down ( some code I saw for this some place .. ? 
) 19 | 20 | Reference: 21 | 22 | https://github.com/meirwah/awesome-incident-response 23 | 24 | https://github.com/rshipp/awesome-malware-analysis 25 | 26 | 27 | https://github.com/KurtDeGreeff/PlayPowershell 28 | 29 | https://github.com/PolarBearGod/CrowdStrike-RTR-Scripts 30 | 31 | https://github.com/bk-CS/PSFalcon 32 | 33 | https://github.com/bk-cs/PSFalcon/tree/master/real-time-response 34 | 35 | 36 | ----------- 37 | 38 | 39 | https://github.com/freeload101/CrowdStrike_RTR_Powershell_Scripts/blob/main/PSFalcon_Runscript_loop_PUBLIC.ps1 40 | 41 | 42 | auto retry 43 | 44 | hostname input 45 | 46 | string "ALL DONE" to verify scripts completed 47 | 48 | add to RTR group 49 | 50 | 51 | --- 52 | 53 | 54 | ``` 55 | foreach ($Property in (Get-CimInstance Win32_Process )) { 56 | if (((Invoke-CimMethod -InputObject $Property -MethodName GetOwner).User) -eq "USERNAMEHERE" ) { 57 | Write-Output Killing $Property.ProcessId 58 | Stop-Process -Id $Property.ProcessId -Force 59 | } 60 | } 61 | Write-Output "ALL DONE"``` 62 | -------------------------------------------------------------------------------- /RECON IR.ps1: -------------------------------------------------------------------------------- 1 | 2 | Set-Variable -Name ErrorActionPreference -Value SilentlyContinue 3 | echo '-------------------------'; 4 | echo "[+] INFO: CPU Usage TOP 20" 5 | echo '-------------------------'; 6 | Get-Process | Sort CPU -descending | Select -first 20 -Property ID, ProcessName, Description, CPU 7 | 8 | echo '-------------------------'; 9 | echo "[+] INFO: Installed Software" 10 | echo '-------------------------'; 11 | Get-WmiObject -Class Win32_Product | Where-Object { $_.Vendor -notmatch 'Palo|Levi|Adobe|Microsoft|dell|cybersafe|displaylink|VPSX|python|mimecast|forcepoint|google|crowdstrike|Oracle|cisco|ServiceNow|Asmedia' } | Select-Object -ExpandProperty Name 12 | echo '-------------------------'; 13 | echo "[+] INFO: Showing Default Chrome Plugins" 14 | echo 
'-------------------------'; 15 | 16 | $UserPaths = (Get-WmiObject win32_userprofile | Where-Object localpath -notmatch 'Windows').localpath 17 | foreach ($Path in $UserPaths) { 18 | # Google Chrome extension path 19 | $ExtPath = $Path + '\' + '\AppData\Local\Google\Chrome\User Data\Default\Extensions' 20 | if (Test-Path $ExtPath) { 21 | # Username 22 | $Username = $Path | Split-Path -Leaf 23 | # Extension folders 24 | $ExtFolders = Get-Childitem $ExtPath | Where-Object Name -ne 'Temp' 25 | foreach ($Folder in $ExtFolders) { 26 | # Extension version folders 27 | $VerFolders = Get-Childitem $Folder.FullName 28 | foreach ($Version in $VerFolders) { 29 | # Check for json manifest 30 | if (Test-Path -Path ($Version.FullName + '\manifest.json')) { 31 | $Manifest = Get-Content ($Version.FullName + '\manifest.json') | ConvertFrom-Json 32 | # If extension name looks like an App name 33 | if ($Manifest.name -like '__MSG*') { 34 | $AppId = ($Manifest.name -replace '__MSG_','').Trim('_') 35 | # Check locales folders for additional json 36 | @('\_locales\en_US\', '\_locales\en\') | ForEach-Object { 37 | if (Test-Path -Path ($Version.Fullname + $_ + 'messages.json')) { 38 | $AppManifest = Get-Content ($Version.Fullname + $_ + 39 | 'messages.json') | ConvertFrom-Json 40 | # Check json for potential app names and save the first one found 41 | @($AppManifest.appName.message, $AppManifest.extName.message, 42 | $AppManifest.extensionName.message, $AppManifest.app_name.message, 43 | $AppManifest.application_title.message, $AppManifest.$AppId.message) | 44 | ForEach-Object { 45 | if (($_) -and (-not($ExtName))) { 46 | $ExtName = $_ 47 | } 48 | } 49 | } 50 | } 51 | } 52 | else { 53 | # Capture extension name 54 | $ExtName = $Manifest.name 55 | } 56 | # Output formatted string 57 | 58 | Write-Output (($Path | Split-Path -Leaf) + ": " + [string] $ExtName + 59 | " v" + $Manifest.version + " (" + $Folder.name + ")") |Select-String -Pattern 
"(aapocclcgogkmnckokdopfmhonfmgoek|aohghmighlieiainnegkcijnfilokake|apdfllckaahabafndbhieahigkjlhalf|blpcfgokakmgnkcojhhkbfbldkacnbeo|felcaaldnbdncclmgdcncolpebgiejap|ghbmnnjooekpmoecnnnilnnbdlolhkhi|nmmhkkegccagdldgiimedpiccmgmieda|pjkljhegncpnkpknbcohdijeoejaedia|pkedcjkdefgpdelpbcmbmeomcjbeemfm)" -NotMatch 60 | # Reset extension name for next lookup 61 | if ($ExtName) { 62 | Remove-Variable -Name ExtName 63 | } 64 | } 65 | } 66 | } 67 | } 68 | } 69 | echo '-------------------------'; 70 | echo "[+] INFO: Getting External IP" 71 | echo '-------------------------'; 72 | Invoke-WebRequest -Uri "http://ifconfig.io" -UseBasicParsing 73 | 74 | echo '-------------------------'; 75 | echo "[+] INFO: Getting netstat info" 76 | echo '-------------------------'; 77 | #OLD get-nettcpconnection | select local*,remote*,state,@{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).Path}} |Select-String -Pattern "(0.0.0.0|127.0.0.1|chrome|RemoteAddress=::;|outlook|msedge|SearchUI|SystemSettings|teams|vpnagent|onedrive)" -NotMatch 78 | Get-NetTCPConnection | Where-Object { $_.State -eq 'ESTABLISHED' -and $_.RemoteAddress -notmatch '^10\.|^192\.168\.|^127\.|\b:\b|::|^172\.' 
} |Sort-Object -Unique -Property RemoteAddress |foreach-object { 79 | $PROC_PATH = (Get-Process -Id $_.OwningProcess).Path 80 | if ($PROC_PATH -notmatch 'Teams|chrome|outlook') { 81 | $REMOTEIP = $_.RemoteAddress 82 | $LocalPort = $_.LocalPort 83 | $WHOIS = ((Invoke-Restmethod "http://whois.arin.net/rest/ip/$REMOTEIP" -ErrorAction stop ).net.orgRef.name) 84 | #(Invoke-Restmethod "http://whois.arin.net/rest/ip/$REMOTEIP" -ErrorAction stop ).net.orgRef.name 85 | Write-Output "$REMOTEIP,$LocalPort,$WHOIS,$PROC_PATH" 86 | } 87 | 88 | } 89 | 90 | (Get-ChildItem -Path "C:\Users\*").name |ForEach-Object { 91 | echo '-------------------------'; 92 | echo "[+] INFO: Displaying recent files for all users .lnk targets and Arguments " 93 | echo '-------------------------'; 94 | Get-ChildItem -Path "C:\Users\$_\AppData\Roaming\Microsoft\Windows\Recent" -Filter *.lnk -Recurse -ErrorAction SilentlyContinue -Force |ForEach-Object { 95 | $WScript = New-Object -ComObject WScript.Shell 96 | $WScript.CreateShortcut($_.FullName).TargetPath 97 | $WScript.CreateShortcut($_.FullName).Arguments 98 | } 99 | }| sort -Unique | Select-String -Pattern 'WINDOWS|Teams|program files' -NotMatch 100 | 101 | 102 | echo '-------------------------'; 103 | echo "[+] INFO: Dumping Recycle Bin only 3 paths deep" 104 | echo '-------------------------'; 105 | 106 | (Get-ChildItem -Path 'C:\$Recycle.Bin' -Force -Recurse -depth 3 ) | select * | ForEach-Object { 107 | if (($_).Name -match '\$I') { 108 | $VarMeta = "$((Get-Content ($_).FullName) -replace '.*\u0001.','' -replace '\u0000','')" 109 | Clear-Variable -Name varPath 110 | } 111 | if (($_).Name -match 'S-.-.-.'){ 112 | $VarUser = "$((New-Object System.Security.Principal.SecurityIdentifier(($_).BaseName)).Translate([System.Security.Principal.NTAccount]).value)" 113 | } 114 | if (($_).Name -match '\$R'){ 115 | Clear-Variable -Name varPath 116 | } else { 117 | $varPath = "$($_.FullName)" 118 | Write-Output "$($VarUser)`t$($VarMeta)`t$($varPath)" 119 | 
Clear-Variable -Name varPath,VarMeta 120 | } 121 | 122 | } 123 | 124 | Set-Variable -Name ErrorActionPreference -Value SilentlyContinue 125 | 126 | New-Item -Path "C:\windows\Temp\ftech_temp" -ItemType Directory -Force -ErrorAction SilentlyContinue 127 | Remove-Item -Path "C:\windows\Temp\ftech_temp\report.csv" -Force 128 | 129 | Invoke-WebRequest -Uri "https://www.nirsoft.net/utils/browsinghistoryview-x64.zip" -OutFile "C:\windows\Temp\ftech_temp\browsinghistoryview-x64.zip" 130 | 131 | Expand-Archive "C:\windows\Temp\ftech_temp\browsinghistoryview-x64.zip" -DestinationPath "C:\windows\Temp\ftech_temp" -Force 132 | 133 | echo "[+] INFO: Fetching Latest 6 Users Chrome,Edge History" 134 | 135 | Get-ChildItem -Directory -Path "C:\Users\$_" -ErrorAction SilentlyContinue -Force | Sort LastWriteTime -Descending | Select-Object -First 6 | ForEach-Object { 136 | if (($_).Name -notmatch 'public|default|\$'){ 137 | echo '-------------------------'; 138 | echo "[+] INFO: Displaying History for $_ MSEdge/Chrome " 139 | echo '-------------------------'; 140 | Start-Process -FilePath "C:\windows\Temp\ftech_temp\BrowsingHistoryView.exe" -ArgumentList " /HistorySource 4 /HistorySourceFolder `"C:\users\$_\`" /VisitTimeFilterType 3 /VisitTimeFilterValue 2 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /scomma `"C:\windows\Temp\ftech_temp\report.csv`" /sort `"Visit Time`"" -Wait -Verbose -WindowStyle Hidden 141 | 142 | $CSV = Import-Csv -Path "C:\windows\Temp\ftech_temp\report.csv" 143 | $some = $CSV | Group-Object -Property Title 144 | 145 | $some | ForEach-Object { 146 | $VarTitle = $_.Group.Title | Select-Object -First 1 -Unique 147 | $VarURL = $_.Group.URL.PadRight(100).Substring(0,100).TrimEnd() | Select-Object -First 1 -Unique 148 | Write-Output "$VarTitle,$VarURL" 149 | } | Select-String -Pattern "(newell|crowdstrike|pingidentity)" -NotMatch 150 | 151 | } 152 | 153 | } 154 | 155 | echo '-------------------------'; 156 | echo "[+] INFO: Displaying 100 Uniq Event logs 
Security,Application,System,Setup,ForwardedEvents, Windows PowerShell " 157 | echo '-------------------------'; 158 | 159 | Write-Output Security,Application,System,Setup,ForwardedEvents,"Windows PowerShell" | foreach-object { 160 | Get-EventLog -LogName $_ | Select-Object -Last 100 | Sort-Object -Unique| Format-Table -AutoSize 161 | } 162 | -------------------------------------------------------------------------------- /RTR_browsinghistoryview.ps1: -------------------------------------------------------------------------------- 1 | Set-Variable -Name ErrorActionPreference -Value SilentlyContinue 2 | 3 | New-Item -Path "C:\windows\Temp\ftech_temp" -ItemType Directory -Force -ErrorAction SilentlyContinue 4 | Remove-Item -Path "C:\windows\Temp\ftech_temp\report.csv" -Force 5 | 6 | Invoke-WebRequest -Uri "https://www.nirsoft.net/utils/browsinghistoryview-x64.zip" -OutFile "C:\windows\Temp\ftech_temp\browsinghistoryview-x64.zip" 7 | 8 | Expand-Archive "C:\windows\Temp\ftech_temp\browsinghistoryview-x64.zip" -DestinationPath "C:\windows\Temp\ftech_temp" -Force 9 | 10 | echo "[+] INFO: Fetching Latest 6 Users Chrome,Edge History" 11 | 12 | Get-ChildItem -Directory -Path "C:\Users\$_" -ErrorAction SilentlyContinue -Force | Sort LastWriteTime -Descending | Select-Object -First 6 | ForEach-Object { 13 | if (($_).Name -notmatch 'public|default|\$'){ 14 | echo '-------------------------'; 15 | echo "[+] INFO: Displaying History for HostName: $env:computername User: $_ MSEdge/Chrome " 16 | echo '-------------------------'; 17 | Start-Process -FilePath "C:\windows\Temp\ftech_temp\BrowsingHistoryView.exe" -ArgumentList " /HistorySource 4 /HistorySourceFolder `"C:\users\$_\`" /VisitTimeFilterType 3 /VisitTimeFilterValue 2 /LoadIE 1 /LoadFirefox 1 /LoadChrome 1 /scomma `"C:\windows\Temp\ftech_temp\report.csv`" /sort `"Visit Time`"" -Wait -Verbose -WindowStyle Hidden 18 | Import-Csv "C:\windows\Temp\ftech_temp\report.csv" | Select -ExpandProperty URL |Get-Unique -AsString 19 | } 
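}

-------------------------------------------------------------------------------- /Remote_Bitlocker_lock.ps1: --------------------------------------------------------------------------------
# run this on RTR powershell session

# Create the new, randomly generated recovery password FIRST and capture manage-bde's
# output. The previous version deleted the existing protectors before adding the new
# one and never assigned $NewPassword, so the key it warned you to copy was never
# printed and a failed -add would have left the drive with no protector at all.
$NewPassword = manage-bde -protectors -add C: -RecoveryPassword | Out-String
# Group names are chosen here; parsing assumes English manage-bde output.
$KeyMatch = [regex]::Match($NewPassword, 'ID:\s*\{(?<ProtectorId>[^}]+)\}\s*Password:\s*(?<Password>\S+)')
if (-not $KeyMatch.Success) {
    Write-Output "ERROR: could not parse the new recovery password from manage-bde output; existing protectors left in place."
    Write-Output $NewPassword
    exit 1
}
$NewProtectorId = $KeyMatch.Groups['ProtectorId'].Value

# Wipe the pre-existing BitLocker protectors, keeping only the one just added.
$Existing = manage-bde -protectors -get C: | Out-String
foreach ($m in [regex]::Matches($Existing, 'ID:\s*\{(?<Id>[^}]+)\}')) {
    $Id = $m.Groups['Id'].Value
    if ($Id -ne $NewProtectorId) {
        manage-bde -protectors -delete C: -id "{$Id}"
    }
}
# Verify new recovery password will be required on next reboot
manage-bde -protectors -enable C:
# Force the user to be prompted for new recovery password
manage-bde -forcerecovery C:

#############################################################
####################### WARNING #############################
#############################################################
# YOU MUST COPY THE KEY (PASSWORD) TO UNLOCK THE DRIVE IF YOU LOSE THE KEY YOU WILL NOT BE ABLE TO RECOVER ANYTHING FROM THE C: DRIVE !!!
# EXAMPLE 713438-591129-666237-608498-028864-058685-409024-701756

Write-Output "Recovery protector ID: {$NewProtectorId}"
Write-Output "Recovery password: $($KeyMatch.Groups['Password'].Value)"


# force Reboot system to trigger recovery prompt
# Restart-Computer -Force
-------------------------------------------------------------------------------- /SET_ACL_FORCE_DELETE.ps1: --------------------------------------------------------------------------------
# replace GeoComply with the string you want to search for and destroy!


Function Set-Owner {
<#
.SYNOPSIS
Changes owner of a file or folder to another user or group.

.DESCRIPTION
Changes owner of a file or folder to another user or group.

.PARAMETER Path
The folder or file that will have the owner changed.

.PARAMETER Account
Optional parameter to change owner of a file or folder to specified account.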
17 | 18 | Default value is 'Builtin\Administrators' 19 | 20 | .PARAMETER Recurse 21 | Recursively set ownership on subfolders and files beneath given folder. 22 | 23 | .NOTES 24 | Name: Set-Owner 25 | Author: Boe Prox 26 | Version History: 27 | 1.0 - Boe Prox 28 | - Initial Version 29 | 30 | .EXAMPLE 31 | Set-Owner -Path C:\temp\test.txt 32 | 33 | Description 34 | ----------- 35 | Changes the owner of test.txt to Builtin\Administrators 36 | 37 | .EXAMPLE 38 | Set-Owner -Path C:\temp\test.txt -Account 'Domain\bprox 39 | 40 | Description 41 | ----------- 42 | Changes the owner of test.txt to Domain\bprox 43 | 44 | .EXAMPLE 45 | Set-Owner -Path C:\temp -Recurse 46 | 47 | Description 48 | ----------- 49 | Changes the owner of all files and folders under C:\Temp to Builtin\Administrators 50 | 51 | .EXAMPLE 52 | Get-ChildItem C:\Temp | Set-Owner -Recurse -Account 'Domain\bprox' 53 | 54 | Description 55 | ----------- 56 | Changes the owner of all files and folders under C:\Temp to Domain\bprox 57 | #> 58 | [cmdletbinding( 59 | SupportsShouldProcess = $True 60 | )] 61 | Param ( 62 | [parameter(ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)] 63 | [Alias('FullName')] 64 | [string[]]$Path, 65 | [parameter()] 66 | [string]$Account = 'Builtin\Administrators', 67 | [parameter()] 68 | [switch]$Recurse 69 | ) 70 | Begin { 71 | #Prevent Confirmation on each Write-Debug command when using -Debug 72 | If ($PSBoundParameters['Debug']) { 73 | $DebugPreference = 'Continue' 74 | } 75 | Try { 76 | [void][TokenAdjuster] 77 | } Catch { 78 | $AdjustTokenPrivileges = @" 79 | using System; 80 | using System.Runtime.InteropServices; 81 | 82 | public class TokenAdjuster 83 | { 84 | [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] 85 | internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, 86 | ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen); 87 | [DllImport("kernel32.dll", ExactSpelling = true)] 88 | internal static extern 
IntPtr GetCurrentProcess(); 89 | [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] 90 | internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr 91 | phtok); 92 | [DllImport("advapi32.dll", SetLastError = true)] 93 | internal static extern bool LookupPrivilegeValue(string host, string name, 94 | ref long pluid); 95 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 96 | internal struct TokPriv1Luid 97 | { 98 | public int Count; 99 | public long Luid; 100 | public int Attr; 101 | } 102 | internal const int SE_PRIVILEGE_DISABLED = 0x00000000; 103 | internal const int SE_PRIVILEGE_ENABLED = 0x00000002; 104 | internal const int TOKEN_QUERY = 0x00000008; 105 | internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020; 106 | public static bool AddPrivilege(string privilege) 107 | { 108 | try 109 | { 110 | bool retVal; 111 | TokPriv1Luid tp; 112 | IntPtr hproc = GetCurrentProcess(); 113 | IntPtr htok = IntPtr.Zero; 114 | retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); 115 | tp.Count = 1; 116 | tp.Luid = 0; 117 | tp.Attr = SE_PRIVILEGE_ENABLED; 118 | retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); 119 | retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); 120 | return retVal; 121 | } 122 | catch (Exception ex) 123 | { 124 | throw ex; 125 | } 126 | } 127 | public static bool RemovePrivilege(string privilege) 128 | { 129 | try 130 | { 131 | bool retVal; 132 | TokPriv1Luid tp; 133 | IntPtr hproc = GetCurrentProcess(); 134 | IntPtr htok = IntPtr.Zero; 135 | retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); 136 | tp.Count = 1; 137 | tp.Luid = 0; 138 | tp.Attr = SE_PRIVILEGE_DISABLED; 139 | retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); 140 | retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); 141 | return retVal; 142 | } 143 | catch (Exception ex) 144 | { 145 | throw ex; 146 | } 147 | } 148 
| } 149 | "@ 150 | Add-Type $AdjustTokenPrivileges 151 | } 152 | 153 | #Activate necessary admin privileges to make changes without NTFS perms 154 | [void][TokenAdjuster]::AddPrivilege("SeRestorePrivilege") #Necessary to set Owner Permissions 155 | [void][TokenAdjuster]::AddPrivilege("SeBackupPrivilege") #Necessary to bypass Traverse Checking 156 | [void][TokenAdjuster]::AddPrivilege("SeTakeOwnershipPrivilege") #Necessary to override FilePermissions 157 | } 158 | Process { 159 | ForEach ($Item in $Path) { 160 | Write-Verbose "FullName: $Item" 161 | #The ACL objects do not like being used more than once, so re-create them on the Process block 162 | $DirOwner = New-Object System.Security.AccessControl.DirectorySecurity 163 | $DirOwner.SetOwner([System.Security.Principal.NTAccount]$Account) 164 | $FileOwner = New-Object System.Security.AccessControl.FileSecurity 165 | $FileOwner.SetOwner([System.Security.Principal.NTAccount]$Account) 166 | $DirAdminAcl = New-Object System.Security.AccessControl.DirectorySecurity 167 | $FileAdminAcl = New-Object System.Security.AccessControl.DirectorySecurity 168 | $AdminACL = New-Object System.Security.AccessControl.FileSystemAccessRule('Builtin\Administrators','FullControl','ContainerInherit,ObjectInherit','InheritOnly','Allow') 169 | $FileAdminAcl.AddAccessRule($AdminACL) 170 | $DirAdminAcl.AddAccessRule($AdminACL) 171 | Try { 172 | $Item = Get-Item -LiteralPath $Item -Force -ErrorAction Stop 173 | If (-NOT $Item.PSIsContainer) { 174 | If ($PSCmdlet.ShouldProcess($Item, 'Set File Owner')) { 175 | Try { 176 | $Item.SetAccessControl($FileOwner) 177 | } Catch { 178 | Write-Warning "Couldn't take ownership of $($Item.FullName)! 
Taking FullControl of $($Item.Directory.FullName)" 179 | $Item.Directory.SetAccessControl($FileAdminAcl) 180 | $Item.SetAccessControl($FileOwner) 181 | } 182 | } 183 | } Else { 184 | If ($PSCmdlet.ShouldProcess($Item, 'Set Directory Owner')) { 185 | Try { 186 | $Item.SetAccessControl($DirOwner) 187 | } Catch { 188 | Write-Warning "Couldn't take ownership of $($Item.FullName)! Taking FullControl of $($Item.Parent.FullName)" 189 | $Item.Parent.SetAccessControl($DirAdminAcl) 190 | $Item.SetAccessControl($DirOwner) 191 | } 192 | } 193 | If ($Recurse) { 194 | [void]$PSBoundParameters.Remove('Path') 195 | Get-ChildItem $Item -Force | Set-Owner @PSBoundParameters 196 | } 197 | } 198 | } Catch { 199 | Write-Warning "$($Item): $($_.Exception.Message)" 200 | } 201 | } 202 | } 203 | End { 204 | #Remove priviledges that had been granted 205 | [void][TokenAdjuster]::RemovePrivilege("SeRestorePrivilege") 206 | [void][TokenAdjuster]::RemovePrivilege("SeBackupPrivilege") 207 | [void][TokenAdjuster]::RemovePrivilege("SeTakeOwnershipPrivilege") 208 | } 209 | } 210 | 211 | Set-Variable -Name ErrorActionPreference -Value SilentlyContinue 212 | 213 | echo Killing Browsers 214 | cmd /c taskkill.exe /F /IM chrome.exe 215 | cmd /c taskkill.exe /F /IM outlook.exe 216 | cmd /c taskkill.exe /F /IM IEXPLORE.EXE 217 | cmd /c taskkill.exe /F /IM msedge.exe 218 | cmd /c taskkill.exe /F /IM firefox.exe 219 | 220 | echo Forcing Loggoff for locked files 221 | logoff 1 222 | logoff 2 223 | logoff 3 224 | logoff 4 225 | logoff 5 226 | logoff 6 227 | logoff 7 228 | 229 | 230 | (Get-ChildItem -Path 'c:\' -Depth 200 -Force -Recurse -Filter "*GeoComply*").Fullname | 231 | ForEach-Object { 232 | 233 | 234 | 235 | echo "Setting permissions to SYSTEM for $_” 236 | Set-Owner -Recurse -Account '.\SYSTEM' -Verbose 237 | 238 | echo "Removing... 
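$_"
        Remove-Item "$_" -Force -Recurse
    }
echo "ALL DONE"
--------------------------------------------------------------------------------
/SHOW_DISK_SPACE:
--------------------------------------------------------------------------------
# Per-drive report of the size of every top-level folder, in GB (two decimals).
# Original note: "this times out ... need something faster ...". The per-item `$len +=`
# scriptblock and the growing `$dataColl +=` array were the slow parts: Measure-Object sums in
# one pass and each row is emitted as soon as it is known instead of after the whole drive walk.
(Get-PSDrive -PSProvider FileSystem).Root | ForEach-Object {
    Write-Output "Digging Drive $_"
    $targetfolder = "$_"

    # Only directories directly under the root; hidden/system ones included, access errors ignored.
    Get-ChildItem -Force -Path $targetfolder -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [IO.DirectoryInfo] } |
        ForEach-Object {
            # Sum of file lengths beneath the folder. DirectoryInfo has no Length, so only files are
            # measured (the original's `+= $_.length` added nothing for directories either).
            # Sum is $null for an empty folder, which formats as 0.00 like the original's $len = 0.
            $len = (Get-ChildItem -Recurse -Force -File -LiteralPath $_.FullName -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum -ErrorAction SilentlyContinue).Sum
            # Property names are unchanged so consumers of foldername/foldersizeGb keep working.
            [PSCustomObject]@{
                foldername   = $_.FullName
                foldersizeGb = '{0:N2}' -f ($len / 1GB)
            }
        }
}
--------------------------------------------------------------------------------
/Wavesor_AKA_WebNav.ps1:
--------------------------------------------------------------------------------

Function Set-Owner {
    <#
        .SYNOPSIS
            Changes owner of a file or folder to another user or group.

        .DESCRIPTION
            Changes owner of a file or folder to another user or group.

        .PARAMETER Path
            The folder or file that will have the owner changed.

        .PARAMETER Account
            Optional parameter to change owner of a file or folder to specified account.

            Default value is 'Builtin\Administrators'

        .PARAMETER Recurse
            Recursively set ownership on subfolders and files beneath given folder.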
20 | 21 | .NOTES 22 | Name: Set-Owner 23 | Author: Boe Prox 24 | Version History: 25 | 1.0 - Boe Prox 26 | - Initial Version 27 | 28 | .EXAMPLE 29 | Set-Owner -Path C:\temp\test.txt 30 | 31 | Description 32 | ----------- 33 | Changes the owner of test.txt to Builtin\Administrators 34 | 35 | .EXAMPLE 36 | Set-Owner -Path C:\temp\test.txt -Account 'Domain\bprox 37 | 38 | Description 39 | ----------- 40 | Changes the owner of test.txt to Domain\bprox 41 | 42 | .EXAMPLE 43 | Set-Owner -Path C:\temp -Recurse 44 | 45 | Description 46 | ----------- 47 | Changes the owner of all files and folders under C:\Temp to Builtin\Administrators 48 | 49 | .EXAMPLE 50 | Get-ChildItem C:\Temp | Set-Owner -Recurse -Account 'Domain\bprox' 51 | 52 | Description 53 | ----------- 54 | Changes the owner of all files and folders under C:\Temp to Domain\bprox 55 | #> 56 | [cmdletbinding( 57 | SupportsShouldProcess = $True 58 | )] 59 | Param ( 60 | [parameter(ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)] 61 | [Alias('FullName')] 62 | [string[]]$Path, 63 | [parameter()] 64 | [string]$Account = 'Builtin\Administrators', 65 | [parameter()] 66 | [switch]$Recurse 67 | ) 68 | Begin { 69 | #Prevent Confirmation on each Write-Debug command when using -Debug 70 | If ($PSBoundParameters['Debug']) { 71 | $DebugPreference = 'Continue' 72 | } 73 | Try { 74 | [void][TokenAdjuster] 75 | } Catch { 76 | $AdjustTokenPrivileges = @" 77 | using System; 78 | using System.Runtime.InteropServices; 79 | 80 | public class TokenAdjuster 81 | { 82 | [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] 83 | internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, 84 | ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen); 85 | [DllImport("kernel32.dll", ExactSpelling = true)] 86 | internal static extern IntPtr GetCurrentProcess(); 87 | [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] 88 | internal static extern bool OpenProcessToken(IntPtr 
h, int acc, ref IntPtr 89 | phtok); 90 | [DllImport("advapi32.dll", SetLastError = true)] 91 | internal static extern bool LookupPrivilegeValue(string host, string name, 92 | ref long pluid); 93 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 94 | internal struct TokPriv1Luid 95 | { 96 | public int Count; 97 | public long Luid; 98 | public int Attr; 99 | } 100 | internal const int SE_PRIVILEGE_DISABLED = 0x00000000; 101 | internal const int SE_PRIVILEGE_ENABLED = 0x00000002; 102 | internal const int TOKEN_QUERY = 0x00000008; 103 | internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020; 104 | public static bool AddPrivilege(string privilege) 105 | { 106 | try 107 | { 108 | bool retVal; 109 | TokPriv1Luid tp; 110 | IntPtr hproc = GetCurrentProcess(); 111 | IntPtr htok = IntPtr.Zero; 112 | retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); 113 | tp.Count = 1; 114 | tp.Luid = 0; 115 | tp.Attr = SE_PRIVILEGE_ENABLED; 116 | retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); 117 | retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); 118 | return retVal; 119 | } 120 | catch (Exception ex) 121 | { 122 | throw ex; 123 | } 124 | } 125 | public static bool RemovePrivilege(string privilege) 126 | { 127 | try 128 | { 129 | bool retVal; 130 | TokPriv1Luid tp; 131 | IntPtr hproc = GetCurrentProcess(); 132 | IntPtr htok = IntPtr.Zero; 133 | retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); 134 | tp.Count = 1; 135 | tp.Luid = 0; 136 | tp.Attr = SE_PRIVILEGE_DISABLED; 137 | retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); 138 | retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); 139 | return retVal; 140 | } 141 | catch (Exception ex) 142 | { 143 | throw ex; 144 | } 145 | } 146 | } 147 | "@ 148 | Add-Type $AdjustTokenPrivileges 149 | } 150 | 151 | #Activate necessary admin privileges to make changes without NTFS perms 152 | 
[void][TokenAdjuster]::AddPrivilege("SeRestorePrivilege") #Necessary to set Owner Permissions 153 | [void][TokenAdjuster]::AddPrivilege("SeBackupPrivilege") #Necessary to bypass Traverse Checking 154 | [void][TokenAdjuster]::AddPrivilege("SeTakeOwnershipPrivilege") #Necessary to override FilePermissions 155 | } 156 | Process { 157 | ForEach ($Item in $Path) { 158 | Write-Verbose "FullName: $Item" 159 | #The ACL objects do not like being used more than once, so re-create them on the Process block 160 | $DirOwner = New-Object System.Security.AccessControl.DirectorySecurity 161 | $DirOwner.SetOwner([System.Security.Principal.NTAccount]$Account) 162 | $FileOwner = New-Object System.Security.AccessControl.FileSecurity 163 | $FileOwner.SetOwner([System.Security.Principal.NTAccount]$Account) 164 | $DirAdminAcl = New-Object System.Security.AccessControl.DirectorySecurity 165 | $FileAdminAcl = New-Object System.Security.AccessControl.DirectorySecurity 166 | $AdminACL = New-Object System.Security.AccessControl.FileSystemAccessRule('Builtin\Administrators','FullControl','ContainerInherit,ObjectInherit','InheritOnly','Allow') 167 | $FileAdminAcl.AddAccessRule($AdminACL) 168 | $DirAdminAcl.AddAccessRule($AdminACL) 169 | Try { 170 | $Item = Get-Item -LiteralPath $Item -Force -ErrorAction Stop 171 | If (-NOT $Item.PSIsContainer) { 172 | If ($PSCmdlet.ShouldProcess($Item, 'Set File Owner')) { 173 | Try { 174 | $Item.SetAccessControl($FileOwner) 175 | } Catch { 176 | Write-Warning "Couldn't take ownership of $($Item.FullName)! Taking FullControl of $($Item.Directory.FullName)" 177 | $Item.Directory.SetAccessControl($FileAdminAcl) 178 | $Item.SetAccessControl($FileOwner) 179 | } 180 | } 181 | } Else { 182 | If ($PSCmdlet.ShouldProcess($Item, 'Set Directory Owner')) { 183 | Try { 184 | $Item.SetAccessControl($DirOwner) 185 | } Catch { 186 | Write-Warning "Couldn't take ownership of $($Item.FullName)! 
Taking FullControl of $($Item.Parent.FullName)" 187 | $Item.Parent.SetAccessControl($DirAdminAcl) 188 | $Item.SetAccessControl($DirOwner) 189 | } 190 | } 191 | If ($Recurse) { 192 | [void]$PSBoundParameters.Remove('Path') 193 | Get-ChildItem $Item -Force | Set-Owner @PSBoundParameters 194 | } 195 | } 196 | } Catch { 197 | Write-Warning "$($Item): $($_.Exception.Message)" 198 | } 199 | } 200 | } 201 | End { 202 | #Remove priviledges that had been granted 203 | [void][TokenAdjuster]::RemovePrivilege("SeRestorePrivilege") 204 | [void][TokenAdjuster]::RemovePrivilege("SeBackupPrivilege") 205 | [void][TokenAdjuster]::RemovePrivilege("SeTakeOwnershipPrivilege") 206 | } 207 | } 208 | 209 | Set-Variable -Name ErrorActionPreference -Value SilentlyContinue 210 | 211 | 212 | echo Killing Browsers 213 | cmd /c taskkill.exe /F /IM chrome.exe 214 | cmd /c taskkill.exe /F /IM outlook.exe 215 | cmd /c taskkill.exe /F /IM IEXPLORE.EXE 216 | cmd /c taskkill.exe /F /IM msedge.exe 217 | cmd /c taskkill.exe /F /IM firefox.exe 218 | 219 | echo Forcing Loggoff for locked files 220 | logoff 1 221 | logoff 2 222 | logoff 3 223 | logoff 4 224 | logoff 5 225 | logoff 6 226 | logoff 7 227 | 228 | Get-ScheduledTask -TaskName *Wavesor* | Disable-ScheduledTask 229 | Get-ScheduledTask -TaskName *Wavesor* | Export-ScheduledTask 230 | 231 | (Get-ChildItem -Path "c:\Users\*\Wavesor Software\" -Depth 200 -Force -Recurse).Fullname | 232 | ForEach-Object { 233 | 234 | 235 | echo "Setting permissions to SYSTEM for $_" 236 | Set-Owner -Recurse -Account '.\SYSTEM' -Verbose 237 | 238 | echo "Removing... 
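$_"
        Remove-Item "$_" -Force -Recurse
        Remove-Item "$_" -Force -Recurse
    }
echo "ALL DONE"
--------------------------------------------------------------------------------
/Win10_etl_2_pcap.ps1:
--------------------------------------------------------------------------------
# Captures about 15 s of IPv4 traffic with "netsh trace" into $env:TEMP\capture.etl, downloads
# Microsoft's etl2pcapng and converts the trace to a pcap for retrieval.
#Set-Variable -Name ErrorActionPreference -Value SilentlyContinue


function Write-Message {
    <#
    .SYNOPSIS
        Prints colored messages depending on type
    .DESCRIPTION
        Emits "<timestamp> [+] <TAG> : <message>" twice: to the host in a type-specific colour
        (Green/Yellow/Red for INFO/WARNING/ERROR) and to the output stream, so the line is seen
        both interactively and in captured stdout. An unrecognised Type used to leave $Color
        unset and make Write-Host fail; it now prints the Type text in the default colour.
    .PARAMETER TYPE
        Type of error message to be prepended to the message and sets the color
    .PARAMETER MESSAGE
        Message to be output
    #>
    [CmdletBinding()]
    param (
        [string]
        $Type,

        [string]
        $Message
    )

    # switch matches case-insensitively, like the original -eq comparisons.
    switch ($Type) {
        'INFO'    { $Tag = 'INFO';    $Color = 'Green' }
        'WARNING' { $Tag = 'WARNING'; $Color = 'Yellow' }
        'ERROR'   { $Tag = 'ERROR';   $Color = 'Red' }
        default   { $Tag = $Type;     $Color = $null }
    }
    # One timestamp for both copies so the host and stdout lines agree.
    $date1 = Get-Date -UFormat '%m/%d/%Y %T'
    $line = "$date1 [+] $Tag : $Message"

    if ($Color) {
        Write-Host $line -ForegroundColor $Color
    } else {
        Write-Host $line
    }
    echo $line
}


# Best-effort stop of any trace left over from a previous run (nothing to wait for if none is running).
Write-Message -Message "Stopping trace..." -Type "INFO"
Start-Process -FilePath "C:\Windows\System32\netsh.exe" -WorkingDirectory "$env:TEMP" -ArgumentList " trace stop "



Write-Message -Message "Removing old capture files..." -Type "INFO"
# The trace and pcap live in $env:TEMP. The old `del capture..*` ran in the current directory and
# its pattern ("capture.." followed by anything) did not match capture.etl, so stale files stayed.
Remove-Item -Path "$env:TEMP\capture.*" -Force -ErrorAction SilentlyContinue
Start-Sleep -s 2
Write-Message -Message "Starting packet trace..." -Type "INFO"
#netsh trace start capture=yes tracefile="$env:TEMP\capture.etl" maxsize=512 filemode=circular overwrite=yes report=no correlation=no Ethernet.Type=IPv4
# 512 MB circular trace file, IPv4 only, no report generation (report=no keeps the stop fast).
Start-Process -FilePath "C:\Windows\System32\netsh.exe" -WorkingDirectory "$env:TEMP" -ArgumentList " trace start capture=yes tracefile=`"$env:TEMP\capture.etl`" maxsize=512 filemode=circular overwrite=yes report=no correlation=no Ethernet.Type=IPv4 "


Write-Message -Message "Capturing packets for 15 seconds..." -Type "INFO"
Start-Sleep -s 15

Write-Message -Message "Stopping trace...This can take a 1-5min " -Type "INFO"
#netsh trace stop
# -Wait: the conversion below needs the finished .etl. The stray trailing "-" that used to end
# this line was passed as an extra positional argument, which made parameter binding fail and
# skipped the stop altogether.
Start-Process -FilePath "C:\Windows\System32\netsh.exe" -WorkingDirectory "$env:TEMP" -ArgumentList " trace stop " -Wait -NoNewWindow

Write-Message -Message "Sleeping for 5 seconds..." -Type "INFO"
Start-Sleep -s 5

# Full path of the file
$file = "$env:TEMP\etl2pcapng\x64\etl2pcapng.exe"

Write-Message -Message "Downloading etl2pcapng for converting etl captures to pcap" -Type "INFO"
(New-Object Net.WebClient).DownloadFile('https://github.com/microsoft/etl2pcapng/releases/download/v1.3.0/etl2pcapng.zip', "$env:TEMP\etl2pcapng.zip")

# Supply-chain check: the archive is fetched over the network and its binary executed. Fill in the
# SHA-256 of the pinned v1.3.0 zip (taken from a copy you trust) to refuse a tampered download;
# while the value is empty the check is skipped, as before.
$Etl2PcapngSha256 = ''   # <SHA256-OF-etl2pcapng-v1.3.0-zip>
if ($Etl2PcapngSha256) {
    $actual = (Get-FileHash -LiteralPath "$env:TEMP\etl2pcapng.zip" -Algorithm SHA256).Hash
    if ($actual -ne $Etl2PcapngSha256) {
        Write-Message -Message "etl2pcapng.zip hash mismatch (got $actual); aborting" -Type "ERROR"
        throw "etl2pcapng.zip hash mismatch"
    }
}

Write-Message -Message "Extracting etl2pcapng..." -Type "INFO"
Expand-Archive "$env:TEMP\etl2pcapng.zip" -DestinationPath "$env:TEMP\" -Force -Verbose

Write-Message -Message "Converting etl packet trace to pcap using etl2pcapng..." `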
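-Type "INFO"
# -Wait so the pcap is complete before the analyst is told to fetch it; without it "get" could
# retrieve a half-written file.
Start-Process -FilePath "$env:TEMP\etl2pcapng\x64\etl2pcapng.exe" -ArgumentList "$env:TEMP\capture.etl $env:TEMP\capture.etl.pcap" -Wait -NoNewWindow
$PCap = "$env:TEMP\capture.etl.pcap"
Write-Message -Message "Run get $PCap to download pcap file" -Type "INFO"

echo "ALL DONE"
--------------------------------------------------------------------------------
/WinPMEM_Portable.ps1:
--------------------------------------------------------------------------------
# Four sections meant to be run ONE AT A TIME (the banner comments say so): the memory dump is
# started asynchronously, and the "Zipping up files" section force-stops winpmem, so running the
# file top-to-bottom would kill the dump a second after it starts and archive a truncated image.
# Each section re-applies ErrorActionPreference and re-declares what it needs because it is
# pasted on its own.

################################ Please wait for memory dump before running Zipping up files

################################ Downloading obfuscated WinPMEM
Set-Variable -Name ErrorActionPreference -Value SilentlyContinue
# Single string: bare extra arguments to Write-Output are emitted as separate objects/lines.
Write-Output "$(Get-Date -UFormat '%m/%d/%Y %T') [+] INFO: Downloading obfuscated WinPMEM"

Stop-process -name robert_mccurdy_winpmem -Force
Stop-process -name 7z -Force

New-Item -Path 'C:\ftech_temp' -ItemType Directory

############################### This is just a obfucasted binary using echo '' >> binary.exe
# Fetched from a personal web server rather than the upstream winpmem release, then executed in
# this script's context (typically SYSTEM) where winpmem loads its kernel driver. Pin the SHA-256
# of the binary you trust; while the value is empty the check is skipped, as before.
Invoke-WebRequest -Uri "https://rmccurdy.com/.scripts/.IR/robert_mccurdy_winpmem" -OutFile "C:\ftech_temp\robert_mccurdy_winpmem"
$WinpmemSha256 = ''   # <SHA256-OF-TRUSTED-WINPMEM-BINARY>
if ($WinpmemSha256 -and (Get-FileHash -LiteralPath "C:\ftech_temp\robert_mccurdy_winpmem" -Algorithm SHA256).Hash -ne $WinpmemSha256) {
    throw "robert_mccurdy_winpmem hash mismatch; not executing"
}

Rename-Item -Path "C:\ftech_temp\robert_mccurdy_winpmem" -NewName "C:\ftech_temp\robert_mccurdy_winpmem.exe"

Get-ChildItem "C:\ftech_temp"

# Starts the dump and returns immediately; it keeps running after this section ends.
Start-Process -FilePath "C:\ftech_temp\robert_mccurdy_winpmem.exe" -ArgumentList "C:\ftech_temp\memory.dump" -Verbose -WindowStyle Maximized

Write-Host "$(Get-Date -UFormat '%m/%d/%Y %T') [+] INFO: Please wait for memory dump to run Zipping up files"
Start-Sleep -s 1
Get-Process -Name robert_mccurdy_winpmem

################################ Please wait for memory dump before running Zipping up files

################################ Zipping up files
Set-Variable -Name ErrorActionPreference -Value SilentlyContinue
Write-Output "$(Get-Date -UFormat '%m/%d/%Y %T') [+] INFO: Zipping up files"

Set-Variable -Name ErrorActionPreference -Value SilentlyContinue
Stop-process -name robert_mccurdy_winpmem -Force
Stop-process -name 7z -Force

mkdir "C:\ftech_temp"
# 7-Zip installer from one specific SourceForge mirror; same pinned-hash treatment as the dumper.
$url = "https://cytranet.dl.sourceforge.net/project/sevenzip/7-Zip/21.07/7z2107-x64.exe"
$dest = "C:\ftech_temp\7z2107-x64.exe"
Invoke-WebRequest -Uri $url -OutFile $dest -verbose
$SevenZipSha256 = ''   # <SHA256-OF-7z2107-x64.exe>
if ($SevenZipSha256 -and (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash -ne $SevenZipSha256) {
    throw "7z2107-x64.exe hash mismatch; not executing"
}
cd "C:\ftech_temp"

# -Wait: the fixed 3 s sleep that follows was a race against the silent installer; 7z.exe has to
# exist before it is invoked.
Start-Process -FilePath "C:\ftech_temp\7z2107-x64.exe" -ArgumentList "/S /D=C:\ftech_temp\7ZIP" -WindowStyle Maximized -Wait

Start-Sleep -s 3

If (Test-Path -Path C:\ftech_temp\memory.dump ) {
    # 500 MB volumes, fastest compression, 4 threads; runs asynchronously like the dump itself.
    Start-Process -FilePath "C:\ftech_temp\7ZIP\7z.exe" -ArgumentList "a -v500m -mx=1 -mmt=4 C:\ftech_temp\memory.zip C:\ftech_temp\memory.dump" -WindowStyle Maximized
}

Get-ChildItem "C:\ftech_temp\" -recurse -Include *.zip.* | Select-Object Name, @{Name="MegaBytes";Expression={"{0:F2}" -f ($_.length/1MB)}}

########################################### FILE SHARE
Set-Variable -Name ErrorActionPreference -Value SilentlyContinue
# The archive is an unencrypted full memory image (credentials, keys, session tokens). Anyone who
# can read this share can read all of it, so narrow $ShareReader to the account or group doing
# the collection instead of Everyone, and keep the share up only for the transfer.
$ShareReader = 'Everyone'   # <collection account or group>
New-SmbShare -Name ftech_temp -Description "ftech_temp" -Path C:\ftech_temp
Grant-SmbShareAccess -Name ftech_temp -AccountName $ShareReader -AccessRight Read -Force

# Do not delete the raw dump while 7z may still be reading it; rerun this section once 7z has exited.
if (Get-Process -Name 7z -ErrorAction SilentlyContinue) {
    Write-Output "7z is still running; memory.dump left in place"
} else {
    Remove-Item "C:\ftech_temp\memory.dump" -Force -Recurse
}

########################################## WHEN YOU ARE DONE
Set-Variable -Name ErrorActionPreference -Value SilentlyContinue
$ShareReader = 'Everyone'   # <same principal as in the FILE SHARE section>

Revoke-SmbShareAccess -Name ftech_temp -AccountName $ShareReader -Force
Remove-SmbShare -Name ftech_temp -Force
# The archive volumes, the dumper and 7-Zip stay in C:\ftech_temp after the share is gone;
# remove them once the copy has been verified so the memory image does not linger on the host.
cd C:\
Remove-Item -LiteralPath 'C:\ftech_temp' -Recurse -Force
--------------------------------------------------------------------------------
/srum_dump2.ps1:
--------------------------------------------------------------------------------
# Downloads srum_dump2 and its Excel template, then parses this host's SRUM database
# (c:\windows\system32\sru\SRUDB.dat) into a spreadsheet under C:\windows\Temp\ftech_temp.
Set-Variable -Name ErrorActionPreference -Value SilentlyContinue

echo '-------------------------';
echo 'BE SURE TO ADD -Timeout=600 in the runscript options before you run this script';
echo 'Example :';
echo 'runscript -CloudFile="srum_dump2" -Timeout=600';
echo '-------------------------';

New-Item -Path 'C:\windows\Temp\ftech_temp' -ItemType Directory | Out-Null
echo "[+] INFO: Downloading srum_dump2.exe"
# Pinned release (2.4). Fill in its SHA-256 from a copy you trust to refuse a tampered download;
# while the value is empty the check is skipped, as before.
Invoke-WebRequest -Uri "https://github.com/MarkBaggett/srum-dump/releases/download/2.4/srum_dump2.exe" -OutFile "C:\windows\Temp\ftech_temp\srum_dump2.exe"
$SrumDumpSha256 = ''   # <SHA256-OF-srum_dump2-2.4-exe>
if ($SrumDumpSha256 -and (Get-FileHash -LiteralPath "C:\windows\Temp\ftech_temp\srum_dump2.exe" -Algorithm SHA256).Hash -ne $SrumDumpSha256) {
    throw "srum_dump2.exe hash mismatch; not executing"
}

echo "[+] INFO: Downloading srum_dump2 SRUM_TEMPLATE2.xlsx "
# Unlike the exe, this comes from the master branch, so its content can change between runs.
Invoke-WebRequest -Uri "https://github.com/MarkBaggett/srum-dump/blob/master/SRUM_TEMPLATE2.xlsx?raw=true" -OutFile "C:\windows\Temp\ftech_temp\SRUM_TEMPLATE2.xlsx"

# -i is the live SRUM database, -t the template. -Wait so the spreadsheet is finished before the
# analyst is told to fetch it (the original returned immediately); the -Timeout=600 hint above
# is what bounds this wait.
Start-Process -FilePath "C:\windows\Temp\ftech_temp\srum_dump2.exe" -ArgumentList " -i `"c:\windows\system32\sru\SRUDB.dat`" -t `"C:\windows\Temp\ftech_temp\SRUM_TEMPLATE2.xlsx`" " -WorkingDirectory "C:\windows\Temp\ftech_temp\" -Verbose -WindowStyle Hidden -Wait # -RedirectStandardOutput output.txt -RedirectStandardError err.txt

echo "type: "
echo "get C:\windows\Temp\ftech_temp\SRUM_DUMP_OUTPUT.xlsx"
# NOTE(review): nothing in this script sets a password; confirm whether the next line is stale.
echo "Password is infected. When Download is complete the type:"
echo "rm C:\windows\Temp\ftech_temp -force"
--------------------------------------------------------------------------------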