Helpful scripts
The following are scripts we have found to be useful.
Download/Install Chrome
$Path = $env:TEMP; $Installer = "chrome_installer.exe"; Invoke-WebRequest "http://dl.google.com/chrome/install/375.126/chrome_installer.exe" -OutFile $Path\$Installer; Start-Process -FilePath $Path\$Installer -Args "/silent /install" -Verb RunAs -Wait; Remove-Item $Path\$Installer
Tail/Follow a Log
Get-Content "LOGFILEPATH" -Tail 10 -wait
E01 of E01s
It is not unheard of to receive an image of a hard drive that itself contains images of other hard drives (an E01 of E01s). This usually happens when data is passed between organizations. When you load the outer E01, the following script will export the images found within.
import sys

sys.path.append('C:/Program Files/Truxton/SDK')
import truxton


def main():
    t = truxton.create()
    exporter = t.newexporter()
    # Select every Expert Witness (E01) file found as normal content of the loaded image
    exporter.addcriteria(exporter.fqtype, truxton.Type_Expert_Witness_Data)
    exporter.addcriteria(exporter.fqorigin, truxton.ORIGIN_NORMAL)
    # Export options as in the original script; the raw string keeps the path's backslashes literal
    exporter.addoption(exporter.eoname, "{name}")
    exporter.addoption(exporter.eofolder, r"C:\ClusterStorage\Scratch\Exports")
    exporter.addoption(exporter.eounique, "1")
    exporter.execute()
    return None


if __name__ == "__main__":
    sys.exit(main())
Ping All Equipment in the Rack
The following PowerShell script will ping the equipment in the Truxton development rack.
# Send a single ping to one host and print a colored OK/FAIL line for it
function ping-it($name, $machine_name)
{
    if ( $(Test-Connection -ComputerName $name -Count 1 -Quiet) -eq $false )
    {
        Write-Host -ForegroundColor Red -BackgroundColor Yellow $($machine_name + " - FAIL!")
    }
    else
    {
        Write-Host $($machine_name + " - OK")
    }
}

ping-it -name "1.1.1.1" -machine_name "VPN Server"
ping-it -name "8.8.8.8" -machine_name "Google DNS Server"
ping-it -name "tfrs-dev-dc" -machine_name "TFRS Domain Controller"
ping-it -name "10.1.100.5" -machine_name "Rack Switch - S5224F-ON"
ping-it -name "10.1.3.11" -machine_name "TFRS-DEV-01 1Gb NIC"
ping-it -name "10.1.1.11" -machine_name "TFRS-DEV-01 Storage 1"
ping-it -name "10.1.2.11" -machine_name "TFRS-DEV-01 Storage 2"
ping-it -name "10.1.3.12" -machine_name "TFRS-DEV-01 iDRAC"
ping-it -name "10.1.2.11" -machine_name "TFRS-DEV-01 Outside 10Gb"
ping-it -name "10.1.3.13" -machine_name "TFRS-DEV-02 1Gb NIC"
ping-it -name "10.1.1.12" -machine_name "TFRS-DEV-02 Storage 1"
ping-it -name "10.1.2.12" -machine_name "TFRS-DEV-02 Storage 2"
ping-it -name "10.1.3.14" -machine_name "TFRS-DEV-02 iDRAC"
ping-it -name "10.1.2.13" -machine_name "TFRS-DEV-02 Outside 10Gb"
ping-it -name "10.1.3.15" -machine_name "TFRS-DEV-03 1Gb NIC"
ping-it -name "10.1.1.13" -machine_name "TFRS-DEV-03 Storage 1"
ping-it -name "10.1.2.13" -machine_name "TFRS-DEV-03 Storage 2"
ping-it -name "10.1.3.16" -machine_name "TFRS-DEV-03 iDRAC"
ping-it -name "10.1.2.15" -machine_name "TFRS-DEV-03 Outside 10Gb"
Calculating Hashes
You can use a Windows command to calculate hashes for files.
certutil -hashfile file.dat md5
certutil -hashfile file.dat sha1
certutil -hashfile file.dat sha512
Copy an Open File
When developing new capability, you need sample files. What do you do when the file you need is being held open?
Volume Shadow Copy
In this example, we will copy the SYSTEM registry file so we can play with it. Using Microsoft's vshadow tool, we can do the following:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\vshadow.exe" -p -nw -script=SETVAR1.cmd c:
call SETVAR1.cmd
copy %SHADOW_DEVICE_1%\Windows\system32\config\SYSTEM C:\temp\SYSTEM.reg
The above will copy the SYSTEM registry hive to C:\temp\SYSTEM.reg.
Carve a File in Truxton
If you need to carve the contents of a file in Truxton, you can send a message to the carver ETL to do it.
import sys

sys.path.append('C:/Program Files/Truxton/SDK')
import truxton


def main() -> None:
    t = truxton.create()
    # Ask the carver ETL to carve the file with this Truxton file identifier (value from the original script)
    t.carvefile("63204cfc-83a3-c8bc-b85d-392d0000000d")
    return None


if __name__ == "__main__":
    sys.exit(main())
Convert Excel Search Terms to Yara Rules
The Excel2Yara.ps1 PowerShell script, available on GitHub, will convert a column of terms to Yara rules.
Description
This script was written for a customer who maintained Excel spreadsheets with dictionaries of slang terms. We converted his spreadsheets into a series of Yara rule files for easy tagging.
Command Line
Given a spreadsheet with 5 cells (a header and four terms):
| Term  |
|-------|
| Bob   |
| Carol |
| Ted   |
| Alice |
PS C:\> .\Excel2Yara.ps1 SearchTerms.xlsx 1 >MySearchTerms.yara
Here we told the script which column contains the terms (column one) and we redirected the output to a file.
This will produce a yara rule:
rule Search_Terms
{
    meta:
        description = "Search terms from C:_SearchTerms.xlsx (last modified 1/26/2023). This file was generated 1/26/2023"
    strings:
        $term1 = "Bob"
        $term2 = "Carol"
        $term3 = "Ted"
        $term4 = "Alice"
    condition:
        any of them
}
Put a reference to the MySearchTerms.yara file in C:\ProgramData\Truxton\Truxton.yara and it will be used to scan the next file flowing through Truxton during a load.
Tagging
Any file that contains any of the terms in the sample will be tagged with "Search_Terms", which is minimally useful. You can change the name of the rule to something more descriptive, such as "FulsomSlang". You can also include more tags by adding them to the rule line:
rule FulsomSlang : drugs
Now when any term in the rule is found, the file will be tagged with both "FulsomSlang" and "drugs".
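The same conversion in Python, as an added example that is not the Excel2Yara.ps1 script itself: it renders a rule in the shape shown above from a list of cell values, takes the rule name and tags from the Tagging section, and escapes quotes and backslashes that would otherwise break the YARA string literals. The sample terms are the four from the spreadsheet above; reading the .xlsx is assumed to be done by the caller.

```python
import re
from datetime import date

# Constructed sample input: the four cells from the spreadsheet described above.
SAMPLE_TERMS = ["Bob", "Carol", "Ted", "Alice"]

# YARA rule names and tags must be identifiers: letters, digits, underscore, not starting with a digit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def yara_escape(text: str) -> str:
    """Escape backslashes, double quotes, tabs and newlines so a cell value
    (or a Windows path in the meta block) survives as one YARA text string."""
    return (text.replace("\\", "\\\\").replace('"', '\\"')
                .replace("\n", "\\n").replace("\t", "\\t"))


def build_rule(terms, rule_name="Search_Terms", tags=(), source="SearchTerms.xlsx",
               generated=None) -> str:
    """Render a rule in the shape Excel2Yara.ps1 emits. Blank cells are dropped and
    duplicates collapsed so every $termN is distinct; at least one term is required."""
    if not IDENT_RE.match(rule_name):
        raise ValueError(f"invalid YARA rule name: {rule_name!r}")
    bad = [t for t in tags if not IDENT_RE.match(t)]
    if bad:
        raise ValueError(f"invalid YARA tag name(s): {bad}")
    seen, cleaned = set(), []
    for raw in terms:
        term = (raw or "").strip()
        if term and term not in seen:
            seen.add(term)
            cleaned.append(term)
    if not cleaned:
        raise ValueError("no usable terms: a YARA rule needs at least one string")
    generated = generated or date.today().isoformat()
    header = f"rule {rule_name}" + (f" : {' '.join(tags)}" if tags else "")
    lines = [
        header, "{", "    meta:",
        f'        description = "Search terms from {yara_escape(source)}. '
        f'This file was generated {generated}"',
        "    strings:",
    ]
    lines += [f'        $term{i} = "{yara_escape(t)}"' for i, t in enumerate(cleaned, 1)]
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Equivalent of the "rule FulsomSlang : drugs" variant from the Tagging section
    print(build_rule(SAMPLE_TERMS, rule_name="FulsomSlang", tags=("drugs",)))
```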