diff --git a/Modules/Disk/Get-File.ps1 b/Modules/Disk/Get-File.ps1
index 7b906b5a..3d01b482 100644
--- a/Modules/Disk/Get-File.ps1
+++ b/Modules/Disk/Get-File.ps1
@@ -1,7 +1,22 @@
 # OUTPUT Default
-# Get-File.ps1 retrieves the user specified file.
-# How does the user specify the file? By editing
-# the $targetFile value below with a full path.
+<#
+.SYNOPSIS
+Get-File.ps1 retrieves the user specified file.
+.PARAMETER File
+A recommended parameter, a sensible default is provided, that points to
+the file you want to acquire from remote systems.
+
+When used with Kansa.ps1, parameters must be positional. Named params
+are not supported.
+.EXAMPLE
+Get-File.ps1 C:\Users\Administrator\NTUser.dat
+.NOTES
+When passing specific modules with parameters via Kansa.ps1's
+-ModulePath parameter, be sure to quote the entire string, like shown
+here:
+.\kansa.ps1 -Target localhost -ModulePath ".\Modules\Disk\Get-File.ps1 C:\boot.log"
+#>
+
 [CmdletBinding()]
 Param(
diff --git a/Modules/Disk/Get-FlsBodyfile.ps1 b/Modules/Disk/Get-FlsBodyfile.ps1
index d4f974fa..b82ab4f5 100644
--- a/Modules/Disk/Get-FlsBodyfile.ps1
+++ b/Modules/Disk/Get-FlsBodyfile.ps1
@@ -16,6 +16,12 @@ $env:SystemDrive (typically C:\). This can take a long time for large drives.
 !! This takes time for an entire drive !!
 #>
+[CmdletBinding()]
+Param(
+ [Parameter(Mandatory=$False,Position=0)]
+ [String]$Drive="$env:SystemDrive"
+)
+
 Function Expand-Zip ($zipfile, $destination) {
 $shell = New-Object -ComObject shell.application
 $zip = $shell.Namespace($zipfile)
@@ -31,8 +37,8 @@ if (Test-Path ($flspath)) {
 $flsdest = ($env:Temp + "\fls\")
 Expand-Zip $flspath $flsdest
 if (Test-Path($flsdest + "\fls.exe")) {
- $sd = $env:SystemDrive
- & $flsdest\fls.exe -r -m ($sd) \\.\$sd
+ # $sd = $env:SystemDrive
+ & $flsdest\fls.exe -r -m ($Drive) \\.\$Drive
 $suppress = Remove-Item $flsdest -Force -Recurse
 } else {
 "Fls.zip found, but not unzipped."
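Review bot: `$Drive` is spliced unvalidated into both the `-m` mount-point argument and the `\\.\$Drive` device path in the second Get-FlsBodyfile.ps1 hunk, and its value arrives straight from the positional argument in Modules.conf (the `# Disk\Get-FlsBodyFile.ps1 C:` line in this commit). A value that is not a bare drive letter — a path with a trailing backslash, a UNC name, or a string containing spaces — produces a device path fls.exe cannot open, and nothing in the hunk checks the result of the `&` call. Constraining the new parameter at binding time, `[ValidatePattern('^[A-Za-z]:$')]` on the line before `[String]$Drive="$env:SystemDrive"`, rejects such values with a clear error and still accepts the `$env:SystemDrive` default. The commented-out `# $sd = $env:SystemDrive` line in the second hunk is dead and can simply be dropped.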
diff --git a/Modules/Log/Get-LogAppExperienceProgInventory.ps1 b/Modules/Log/Get-LogAppExperienceProgInventory.ps1
deleted file mode 100644
index 596a099d..00000000
Binary files a/Modules/Log/Get-LogAppExperienceProgInventory.ps1 and /dev/null differ
diff --git a/Modules/Log/Get-LogAppExperienceProgTelemetry.ps1 b/Modules/Log/Get-LogAppExperienceProgTelemetry.ps1
deleted file mode 100644
index 091427f3..00000000
Binary files a/Modules/Log/Get-LogAppExperienceProgTelemetry.ps1 and /dev/null differ
diff --git a/Modules/Log/Get-LogAppLockerExeDll.ps1 b/Modules/Log/Get-LogAppLockerExeDll.ps1
deleted file mode 100644
index 735cb986..00000000
Binary files a/Modules/Log/Get-LogAppLockerExeDll.ps1 and /dev/null differ
diff --git a/Modules/Log/Get-LogAppLockerMSIScript.ps1 b/Modules/Log/Get-LogAppLockerMSIScript.ps1
deleted file mode 100644
index 5d726700..00000000
Binary files a/Modules/Log/Get-LogAppLockerMSIScript.ps1 and /dev/null differ
diff --git a/Modules/Log/Get-LogAppLockerPackagedAppDeployment.ps1 b/Modules/Log/Get-LogAppLockerPackagedAppDeployment.ps1
deleted file mode 100644
index 4cb01506..00000000
Binary files a/Modules/Log/Get-LogAppLockerPackagedAppDeployment.ps1 and /dev/null differ
diff --git a/Modules/Log/Get-LogSecurity.ps1 b/Modules/Log/Get-LogSecurity.ps1
deleted file mode 100644
index 18cdfc58..00000000
--- a/Modules/Log/Get-LogSecurity.ps1
+++ /dev/null
@@ -1,6 +0,0 @@
-# OUTPUT TSV
-<#
-Acquire remote security event log
-#>
-
-Get-WinEvent Security
\ No newline at end of file
diff --git a/Modules/Log/Get-LogShellCoreOperational.ps1 b/Modules/Log/Get-LogShellCoreOperational.ps1
deleted file mode 100644
index 3e799f8a..00000000
Binary files a/Modules/Log/Get-LogShellCoreOperational.ps1 and /dev/null differ
diff --git a/Modules/Log/Get-LogTermSrvcsLocalSessionMgrOperational.ps1 b/Modules/Log/Get-LogTermSrvcsLocalSessionMgrOperational.ps1
deleted file mode 100644
index 8306c29c..00000000
Binary files a/Modules/Log/Get-LogTermSrvcsLocalSessionMgrOperational.ps1 and /dev/null differ
diff --git a/Modules/Log/Get-LogTermSrvcsRemoteConnMgrOperational.ps1 b/Modules/Log/Get-LogTermSrvcsRemoteConnMgrOperational.ps1
deleted file mode 100644
index f0b31ce0..00000000
Binary files a/Modules/Log/Get-LogTermSrvcsRemoteConnMgrOperational.ps1 and /dev/null differ
diff --git a/Modules/Log/Get-LogWinEvent.ps1 b/Modules/Log/Get-LogWinEvent.ps1
new file mode 100644
index 00000000..d09a19fa
--- /dev/null
+++ b/Modules/Log/Get-LogWinEvent.ps1
@@ -0,0 +1,27 @@
+# OUTPUT TSV
+<#
+.SYNOPSIS
+Get-LogWinEvent
+.PARAMETER LogName
+A required parameter, that names the event log to acquire data from.
+To see a list of common lognames run:
+Get-WinEvent -ListLog | Select LogName
+
+When used with Kansa.ps1, parameters must be positional. Named params
+are not supported.
+.EXAMPLE
+Get-LogWinEvent.ps1 Security
+.NOTES
+When passing specific modules with parameters via Kansa.ps1's
+-ModulePath parameter, be sure to quote the entire string, like shown
+here:
+.\kansa.ps1 -Target localhost -ModulePath ".\Modules\Log\Get-LogWinEvent.ps1 Security"
+#>
+
+[CmdletBinding()]
+Param(
+ [Parameter(Mandatory=$True,Position=0)]
+ [String]$LogName
+)
+
+Get-WinEvent -LogName $LogName
\ No newline at end of file
diff --git a/Modules/Modules.conf b/Modules/Modules.conf
index 942211d8..a3494f28 100644
--- a/Modules/Modules.conf
+++ b/Modules/Modules.conf
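Review bot: `Get-WinEvent -LogName $LogName` on the last line of the new Get-LogWinEvent.ps1 passes the argument straight through, and `-LogName` accepts wildcard patterns, so an argument such as `*` (or a typo containing one) collects every event log on every target instead of failing. `[String]$LogName` is mandatory but otherwise unconstrained; adding `[ValidateNotNullOrEmpty()]` and `[ValidatePattern('^[^*?]+$')]` above it keeps the module to the single log that each Modules.conf line names. It is also worth saying in `.NOTES` that Get-WinEvent reports a log with no events as an error rather than returning nothing, so an empty log on a target is not misread as the module failing. The `.SYNOPSIS` line, which just repeats the module name, could state what the module does, e.g. `Acquires all events from the named Windows event log.`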
@@ -16,30 +16,30 @@ Net\Get-Netstat.ps1
 # Process\Get-Tasklistv.ps1
 # Process\Get-Handle.ps1
 # Process\Get-RekalPslist.ps1
-# Process\Get-ProcsWMI.ps1
+Process\Get-ProcsWMI.ps1
 # Process\Get-ProcDump.ps1
 # Net\Get-NetRoutes.ps1
 # Net\Get-NetIPInterfaces.ps1
-# Log\Get-LogUserAssist.ps1
-# Log\Get-LogShellCoreOperational.ps1
-# Log\Get-LogAppLockerPackagedAppDeployment.ps1
-# Log\Get-LogAppLockerMSIScript.ps1
-# Log\Get-LogAppLockerExeDll.ps1
-# Log\Get-LogAppExperienceProgTelemetry.ps1
-# Log\Get-LogAppExperienceProgInventory.ps1
+Log\Get-LogUserAssist.ps1
+# Log\Get-LogWinEvent.ps1 Security
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-Application-Experience/Program-Inventory
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-Application-Experience/Program-Telemetry
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/EXE and DLL
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/MSI and Script
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/Packaged app-Deployment
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-Shell-Core/Operational
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
 # Log\Get-LogCBS.ps1
-# Log\Get-LogTermSrvcsLocalSessionMgrOperational.ps1
-# Log\Get-LogTermSrvcsRemoteConnMgrOperational.ps1
-# Log\Get-LogSecurity.ps1
 # ASEP\Get-SvcAll.ps1
-# ASEP\Get-SvcFail.ps1
-# ASEP\Get-SvcTrigs.ps1
-# ASEP\Get-WMIEvtFilter.ps1
-# ASEP\Get-WMIFltConBind.ps1
-# ASEP\Get-WMIEvtConsumer.ps1
-ASEP\Get-Autorunsc.ps1
-# ASEP\Get-PSProfiles.ps1
-# Disk\Get-FlsBodyFile.ps1
+ASEP\Get-SvcFail.ps1
+ASEP\Get-SvcTrigs.ps1
+ASEP\Get-WMIEvtFilter.ps1
+ASEP\Get-WMIFltConBind.ps1
+ASEP\Get-WMIEvtConsumer.ps1
+# ASEP\Get-Autorunsc.ps1
+ASEP\Get-PSProfiles.ps1
+# Disk\Get-FlsBodyFile.ps1 C:
 # Disk\Get-TempDirListing.ps1
 Disk\Get-File.ps1 C:\Windows\WindowsUpdate.log
 # Config\Get-LocalAdmins.ps1
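Review bot: The re-added line `# Disk\Get-FlsBodyFile.ps1 C:` spells the module with a capital F in `File`, while the file this same commit edits is `Modules/Disk/Get-FlsBodyfile.ps1`. Path lookup on Windows is case-insensitive so it resolves there, but the mismatch makes a search for the real module name miss this entry and will break if the modules tree is ever read from a case-sensitive filesystem; change it to `# Disk\Get-FlsBodyfile.ps1 C:`. The new `Log\Get-LogWinEvent.ps1 ...` lines carry arguments with spaces and `/`, which relies on kansa.ps1 passing the whole remainder of the line as one argument — a one-line comment at the top of the file stating that "everything after the first space is the module's positional argument" would save the next reader from guessing.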
diff --git a/Modules/Process/Get-ProcDump.ps1 b/Modules/Process/Get-ProcDump.ps1
index b57f8efd..ebbcf284 100644
--- a/Modules/Process/Get-ProcDump.ps1
+++ b/Modules/Process/Get-ProcDump.ps1
@@ -1,20 +1,35 @@
 # OUTPUT bin
 # BINDEP .\Modules\bin\Procdump.exe
 <#
-Get-ProcDump
-Acquires a Sysinternal procdump of the specified process
+.SYNOPSIS
+Get-ProcDump.ps1 acquires a Sysinternal procdump of the specified
+process
+.PARAMETER ProcId
+A required parameter, the process id of the process you want to dump.
+.NOTES
+When used with Kansa.ps1, parameters must be positional. Named params
+are not supported.
+.EXAMPLE
+Get-ProcDump.ps1 104
-If you have procdump.exe in your Modules\bin\ path and run Kansa with the -Pushbin
-flag, Kansa will attempt to copy the binary to the ADMIN$. Binaries are not removed, so
-subsequent runs won't require -Pushbin.
+When passing specific modules with parameters via Kansa.ps1's
+-ModulePath parameter, be sure to quote the entire string, like
+shown here:
+.\kansa.ps1 -Target localhost -ModulePath ".\Modules\Process\Get-ProcDumpe.ps1 104"
-Also, you should configure this to dump the process you're
-interested in. By default it dumps itself, which is probably
-not what you want.
+If you have procdump.exe in your Modules\bin\ path and run Kansa with
+the -Pushbin flag, Kansa will attempt to copy the binary to the ADMIN$.
+Binaries are not removed, so subsequent runs won't require -Pushbin.
+
+Also, you should configure this to dump the process you're interested
+in. By default it dumps itself, which is probably not what you want.
 #>
-# Replace $pid with the process id you wish to capture.
-$ProcId = $pid
+[CmdletBinding()]
+Param(
+ [Parameter(Mandatory=$False,Position=0)]
+ [Int]$ProcId=$pid
+)
 if (Test-Path "$env:SystemRoot\Procdump.exe") {
 $PDOutput = & $env:SystemRoot\Procdump.exe /accepteula $ProcId 2> $null
diff --git a/kansa.ps1 b/kansa.ps1
index 55ab5b55..f46ec921 100644
--- a/kansa.ps1
+++ b/kansa.ps1
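Review bot: The example on the new line `.\kansa.ps1 -Target localhost -ModulePath ".\Modules\Process\Get-ProcDumpe.ps1 104"` misspells the module as `Get-ProcDumpe.ps1`, so copying it fails against the file this hunk edits; it should read `".\Modules\Process\Get-ProcDump.ps1 104"`. The help sections are also ordered differently from Get-File.ps1 and Get-LogWinEvent.ps1 in this commit: `.NOTES` comes before `.EXAMPLE`, so the `-ModulePath` quoting advice and the -Pushbin paragraphs end up inside the example rather than the notes — move `.NOTES` below `Get-ProcDump.ps1 104`. Finally, `.PARAMETER ProcId` calls it "A required parameter" while the code declares `Mandatory=$False` with `$ProcId=$pid`, which on a remote target dumps the PowerShell host the module runs in, exactly the behaviour the last paragraph warns against; either make it `Mandatory=$True` or reword the parameter text to say it is optional and defaults to the current process.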
@@ -361,6 +361,21 @@ Param(
 Write-Debug "Exiting $($MyInvocation.MyCommand)"
 }
+function Get-LegalFileName {
+<#
+.SYNOPSIS
+Returns argument with illegal filename characters removed.
+#>
+Param(
+ [Parameter(Mandatory=$True,Position=0)]
+ [String]$Argument
+)
+ Write-Debug "Entering ($MyInvocation.MyCommand)"
+ $Argument -replace [regex]::Escape("\") -replace [regex]::Escape("/") -replace [regex]::Escape(":") ` -replace [regex]::Escape("*") -replace [regex]::Escape("?") -replace "`"" -replace [regex]::Escape("<") ` -replace [regex]::Escape(">") -replace [regex]::Escape("|")
+}
+
 function Get-TargetData {
 <#
 .SYNOPSIS
@@ -370,7 +385,7 @@ Param(
 [Parameter(Mandatory=$True,Position=0)]
 [Array]$Targets,
 [Parameter(Mandatory=$True,Position=1)]
-[HashTable]$Modules,
+[System.Collections.Specialized.OrderedDictionary]$Modules,
 [Parameter(Mandatory=$False,Position=2)]
 [PSCredential]$Credential=$False,
 [Parameter(Mandatory=$False,Position=3)]
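Review bot: `Write-Debug "Entering ($MyInvocation.MyCommand)"` in the new Get-LegalFileName is missing the `$` subexpression that the neighbouring functions use (`"Exiting $($MyInvocation.MyCommand)"` is visible at the top of the hunk), so the string expands `$MyInvocation` on its own and leaves `.MyCommand` as literal text; change it to `Write-Debug "Entering $($MyInvocation.MyCommand)"`. The nine chained `-replace [regex]::Escape(...)` calls, with two backtick continuations, can be a single character-class replace, `$Argument -replace '[\\/:*?"<>|]'`, which reads at a glance and keeps the stripped set in one place. The `.SYNOPSIS` block should also say what is not stripped — control characters and path components such as `..` pass through — since the only thing making that safe is that Get-TargetData appends the result to a module name rather than using it as a path on its own.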
@@ -391,22 +406,25 @@ Param(
 }
 foreach($Module in $Modules.Keys) {
- $ModuleName = $Module | Select-Object -ExpandProperty BaseName
+ $ModuleName = $Module | Select-Object -ExpandProperty BaseName
+ $Argument = $($Modules.Get_Item($Module))
+ if ($Argument) {
+ $ArgFileName = Get-LegalFileName $Argument
+ } else { $ArgFileName = "" }
 # we'll use $GetlessMod for the output folder
 $GetlessMod = $($ModuleName -replace "Get-")
- $Suppress = New-Item -Path $OutputPath -name $GetlessMod -ItemType Directory
+ $Suppress = New-Item -Path $OutputPath -name ($GetlessMod + $ArgFileName) -ItemType Directory
 # First line of each modules can specify how output should be handled
 $OutputMethod = Get-Content $Module -TotalCount 1
- # run the module on the targets
- $Argument = $($Modules.Get_Item($Module))
+ # run the module on the targets
 # "Invoke-Command -Session $PSSessions -FilePath $Module -ArgumentList `"$Argument`" -AsJob -ThrottleLimit $ThrottleLimit"
 $Job = Invoke-Command -Session $PSSessions -FilePath $Module -ArgumentList "$Argument" -AsJob -ThrottleLimit $ThrottleLimit
- Write-Verbose "Waiting for $ModuleName to complete."
+ Write-Verbose "Waiting for $ModuleName $Argument to complete."
 # Wait-Job does return data to stdout, add $suppress = to start of next line, if needed
 Wait-Job $Job
 foreach($ChildJob in $Job.ChildJobs) {
 $Recpt = Receive-Job $ChildJob
- $Outfile = $OutputPath + $GetlessMod + "\" + $ChildJob.Location + "-" + $GetlessMod
+ $Outfile = $OutputPath + $GetlessMod + $ArgFileName + "\" + $ChildJob.Location + "-" + $GetlessMod + $ArgFileName
 # save the data
 switch -Wildcard ($OutputMethod) {
 "*csv" {
@@ -435,7 +453,7 @@ Param(
 "*Default" {
 # Default here means we let PowerShell figure out the output encoding
 # Used by Get-File.ps1, which can grab arbitrary files
- $Outfile = $Outfile + ".default_encoding"
+ $Outfile = $Outfile
 $Recpt | Set-Content -Encoding Default $Outfile
 }
 default {
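Review bot: Appending `$ArgFileName` to the output directory and file names (the `New-Item -name ($GetlessMod + $ArgFileName)` line and the new `$Outfile = ...` line) uses no separator and no uniqueness, so two Modules.conf entries for the same module whose arguments differ only in stripped characters — `C:\boot.log` and `C:boot.log`, say — both sanitize to `FileCboot.log`: the second `New-Item` will error on the existing directory and its per-target files overwrite the first run's. A separator, `$GetlessMod + "-" + $ArgFileName`, at least keeps the module name readable, and including a short hash of the raw `$Argument` in the name would make collisions impossible. In the second hunk `$Outfile = $Outfile` is a no-op left behind when the `.default_encoding` suffix was removed and should be deleted rather than kept. The foreach and switch bodies continue past the end of the hunk.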