Helpful scripts

From truxwiki.com

The following are scripts we have found to be useful.

Download/Install Chrome

$Path = $env:TEMP; $Installer = "chrome_installer.exe"; Invoke-WebRequest "http://dl.google.com/chrome/install/375.126/chrome_installer.exe" -OutFile $Path\$Installer; Start-Process -FilePath $Path\$Installer -Args "/silent /install" -Verb RunAs -Wait; Remove-Item $Path\$Installer

Tail/Follow a Log

Get-Content "LOGFILEPATH" -Tail 10 -wait

E01 of E01s

It is not unheard of to receive an image of a hard drive that is itself an image of a hard drive that contained images of hard drives. This usually happens when data is passed between organizations. When you load the outer E01 into Truxton, the following script exports the E01 images found within it.

import sys

sys.path.append('C:/Program Files/Truxton/SDK')
import truxton


def main():
    t = truxton.create()
    exporter = t.newexporter()
    # Select objects whose fully qualified type is Expert Witness (E01) data
    # and whose origin is normal.
    exporter.addcriteria(exporter.fqtype, truxton.Type_Expert_Witness_Data)
    exporter.addcriteria(exporter.fqorigin, truxton.ORIGIN_NORMAL)
    # Name each export after the original object, write it to the exports
    # folder (raw string keeps the backslashes literal) and request unique names.
    exporter.addoption(exporter.eoname, "{name}")
    exporter.addoption(exporter.eofolder, r"C:\ClusterStorage\Scratch\Exports")
    exporter.addoption(exporter.eounique, "1")
    exporter.execute()


if __name__ == "__main__":
    sys.exit(main())

Ping All Equipment in the Rack

The following PowerShell script pings the equipment in the Truxton development rack.

function ping-it($name, $machine_name)
{
   # One echo request; -Quiet returns $true/$false instead of reply objects.
   if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet))
   {
      Write-Host -ForegroundColor Red -BackgroundColor Yellow ($machine_name + " - FAIL!")
   }
   else
   {
      Write-Host ($machine_name + " - OK")
   }
}

ping-it -name "1.1.1.1"     -machine_name "VPN Server"
ping-it -name "8.8.8.8"     -machine_name "Google DNS Server"
ping-it -name "tfrs-dev-dc" -machine_name "TFRS Domain Controller"
ping-it -name "10.1.100.5"  -machine_name "Rack Switch - S5224F-ON"

ping-it -name "10.1.3.11"   -machine_name "TFRS-DEV-01 1Gb NIC"
ping-it -name "10.1.1.11"   -machine_name "TFRS-DEV-01 Storage 1"
ping-it -name "10.1.2.11"   -machine_name "TFRS-DEV-01 Storage 2"
ping-it -name "10.1.3.12"   -machine_name "TFRS-DEV-01 iDRAC"
ping-it -name "10.1.2.11"   -machine_name "TFRS-DEV-01 Outside 10Gb"

ping-it -name "10.1.3.13"   -machine_name "TFRS-DEV-02 1Gb NIC"
ping-it -name "10.1.1.12"   -machine_name "TFRS-DEV-02 Storage 1"
ping-it -name "10.1.2.12"   -machine_name "TFRS-DEV-02 Storage 2"
ping-it -name "10.1.3.14"   -machine_name "TFRS-DEV-02 iDRAC"
ping-it -name "10.1.2.13"   -machine_name "TFRS-DEV-02 Outside 10Gb"

ping-it -name "10.1.3.15"   -machine_name "TFRS-DEV-03 1Gb NIC"
ping-it -name "10.1.1.13"   -machine_name "TFRS-DEV-03 Storage 1"
ping-it -name "10.1.2.13"   -machine_name "TFRS-DEV-03 Storage 2"
ping-it -name "10.1.3.16"   -machine_name "TFRS-DEV-03 iDRAC"
ping-it -name "10.1.2.15"   -machine_name "TFRS-DEV-03 Outside 10Gb"

Calculating Hashes

You can use the built-in Windows certutil command to calculate hashes for files.

certutil -hashfile file.dat md5
certutil -hashfile file.dat sha1
certutil -hashfile file.dat sha512

Copy an Open File

When developing new capability, you need sample files. What do you do when the file you need is being held open?

Volume Shadow Copy

In this example, we will copy the SYSTEM registry hive so we can play with it. Using Microsoft's vshadow tool from the Windows SDK, we can do the following:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\vshadow.exe" -p -nw -script=SETVAR1.cmd c:
call SETVAR1.cmd
copy %SHADOW_DEVICE_1%\Windows\system32\config\SYSTEM C:\temp\SYSTEM.reg

The above will copy the SYSTEM registry hive to C:\temp\SYSTEM.reg.

Carve a File in Truxton

If you need to carve the contents of a file in Truxton, you can send a message to the carver ETL to do it.

import sys

sys.path.append('C:/Program Files/Truxton/SDK')
import truxton


def main() -> None:
    t = truxton.create()
    # Ask the carver ETL to carve the file with this Truxton object ID.
    t.carvefile("63204cfc-83a3-c8bc-b85d-392d0000000d")


if __name__ == "__main__":
    sys.exit(main())

Convert Excel Search Terms to Yara Rules

The Excel2Yara.ps1 PowerShell script, available on GitHub, will convert a column of terms to Yara rules.

Description

This script was written for a customer who maintained Excel spreadsheets with dictionaries of slang terms. We converted his spreadsheets into a series of Yara rule files for easy tagging.

Command Line

Given a spreadsheet whose first column holds these five cells:

Term
Bob
Carol
Ted
Alice

PS C:\> .\Excel2Yara.ps1 SearchTerms.xlsx 1 >MySearchTerms.yara

Here we told the script which column contains the terms (column one) and we redirected the output to a file.

This will produce a Yara rule:

rule Search_Terms
{
 meta:
  description = "Search terms from C:_SearchTerms.xlsx (last modified 1/26/2023). This file was generated 1/26/2023"
 strings:
  $term1 = "Bob"
  $term2 = "Carol"
  $term3 = "Ted"
  $term4 = "Alice"

 condition:
  any of them
}

Put a reference to the MySearchTerms.yara file in C:\ProgramData\Truxton\Truxton.yara and it will be used to scan every file flowing through Truxton during the next load.

Tagging

Any file that contains any of the terms in the sample will be tagged with "Search_Terms", which is minimally useful. You can change the name of the rule to something more descriptive, such as "FulsomSlang". You can include more tags by adding them to the rule line:

rule FulsomSlang : drugs

Now when any term in the rule is found, the file will be tagged with both "FulsomSlang" and "drugs".
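The same conversion in Python, as an added example that is not the Excel2Yara.ps1 script itself: it produces the rule shape shown in the Command Line section and the tagged rule line from the Tagging section, and adds what a generated rule also needs (escaping of quotes and backslashes inside terms, a legal rule identifier, and dropping blank or duplicate cells). It takes the column's cell values as a list rather than reading the .xlsx; the sample column is constructed inline.

```python
"""Generate a Yara rule from a column of search terms.

Added example, not the page's Excel2Yara.ps1: same rule shape, plus the
escaping and name sanitising a generated rule needs.
"""
import re
from datetime import date

_NOT_IDENT = re.compile(r"[^A-Za-z0-9_]")


def yara_identifier(name: str) -> str:
    """Rule and tag names may only contain letters, digits and underscores
    and may not start with a digit."""
    ident = _NOT_IDENT.sub("_", name.strip()) or "Search_Terms"
    return ("_" + ident if ident[0].isdigit() else ident)[:128]


def yara_text_string(text: str) -> str:
    """Quote text as a Yara string; an unescaped backslash or double quote
    would otherwise end the string early or change its meaning."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def terms_to_yara(cells, rule_name="Search_Terms", tags=(), source="spreadsheet",
                  skip_header=True, today=None):
    """One rule that fires when any term is present. `cells` is the column,
    top to bottom. Blank and duplicate cells are dropped: Yara rejects an
    empty string and a repeated one adds nothing."""
    d = date.today()
    today = today or f"{d.month}/{d.day}/{d.year}"
    values = list(cells)[1:] if skip_header else list(cells)
    terms = list(dict.fromkeys(v.strip() for v in map(str, values) if v.strip()))
    if not terms:
        raise ValueError("no search terms in column")
    header = yara_identifier(rule_name)
    if tags:
        header += " : " + " ".join(yara_identifier(t) for t in tags)
    desc = yara_text_string(f"Search terms from {source}. This file was generated {today}")
    lines = [f"rule {header}", "{", " meta:", f"  description = {desc}", " strings:"]
    lines += [f"  $term{i} = {yara_text_string(t)}" for i, t in enumerate(terms, 1)]
    lines += ["", " condition:", "  any of them", "}"]
    return "\n".join(lines) + "\n"


# Constructed sample: the five-cell column from the example above.
SAMPLE_COLUMN = ["Term", "Bob", "Carol", "Ted", "Alice"]

if __name__ == "__main__":
    print(terms_to_yara(SAMPLE_COLUMN, "FulsomSlang", tags=["drugs"], source="SearchTerms.xlsx"))
```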