From fb5d4f09da5f7af8b986f5b8e9daf2d817712ae1 Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Wed, 2 Jul 2014 09:58:56 -0700
Subject: [PATCH 01/14] Added KansaTest.ps1 to .gitignore, may add it to the repo eventually.
---
.gitignore | 1 +
1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 5a350b3d..d8e6fe77 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@ hostlist*
test
Output*
Schedule
+KansaTest.ps1
!.gitignore
\ No newline at end of file
From 3aff80c5c54dd35d4572eff393da7804041e87ab Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Wed, 2 Jul 2014 10:18:10 -0700
Subject: [PATCH 02/14] Fleshing out .SYNOPSIS.
---
Modules/Disk/Get-File.ps1 | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/Modules/Disk/Get-File.ps1 b/Modules/Disk/Get-File.ps1
index 7b906b5a..3d01b482 100644
--- a/Modules/Disk/Get-File.ps1
+++ b/Modules/Disk/Get-File.ps1
@@ -1,7 +1,22 @@
# OUTPUT Default
-# Get-File.ps1 retrieves the user specified file.
-# How does the user specify the file? By editing
-# the $targetFile value below with a full path.
+<#
+.SYNOPSIS
+Get-File.ps1 retrieves the user specified file.
+.PARAMETER File
+A recommended parameter, a sensible default is provided, that points to
+the file you want to acquire from remote systems.
+
+When used with Kansa.ps1, parameters must be positional. Named params
+are not supported.
+.EXAMPLE
+Get-File.ps1 C:\Users\Administrator\NTUser.dat
+.NOTES
+When passing specific modules with parameters via Kansa.ps1's
+-ModulePath parameter, be sure to quote the entire string, like shown
+here:
+.\kansa.ps1 -Target localhost -ModulePath ".\Modules\Disk\Get-File.ps1 C:\boot.log"
+#>
+
[CmdletBinding()]
Param(
From c562ccfdac4f5e95cff6f34039d631704f0dd4be Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Wed, 2 Jul 2014 21:43:19 -0700
Subject: [PATCH 03/14] Updated Get-ProcDump.ps1 to take a process id as a parameter.
---
Modules/Process/Get-ProcDump.ps1 | 35 +++++++++++++++++++++++---------
1 file changed, 25 insertions(+), 10 deletions(-)
diff --git a/Modules/Process/Get-ProcDump.ps1 b/Modules/Process/Get-ProcDump.ps1
index b57f8efd..ebbcf284 100644
--- a/Modules/Process/Get-ProcDump.ps1
+++ b/Modules/Process/Get-ProcDump.ps1
@@ -1,20 +1,35 @@
# OUTPUT bin
# BINDEP .\Modules\bin\Procdump.exe
<#
-Get-ProcDump
-Acquires a Sysinternal procdump of the specified process
+.SYNOPSIS
+Get-ProcDump.ps1 acquires a Sysinternal procdump of the specified
+process
+.PARAMETER ProcId
+A required parameter, the process id of the process you want to dump.
+.NOTES
+When used with Kansa.ps1, parameters must be positional. Named params
+are not supported.
+.EXAMPLE
+Get-ProcDump.ps1 104
-If you have procdump.exe in your Modules\bin\ path and run Kansa with the -Pushbin
-flag, Kansa will attempt to copy the binary to the ADMIN$. Binaries are not removed, so
-subsequent runs won't require -Pushbin.
+When passing specific modules with parameters via Kansa.ps1's
+-ModulePath parameter, be sure to quote the entire string, like
+shown here:
+.\kansa.ps1 -Target localhost -ModulePath ".\Modules\Process\Get-ProcDumpe.ps1 104"
-Also, you should configure this to dump the process you're
-interested in. By default it dumps itself, which is probably
-not what you want.
+If you have procdump.exe in your Modules\bin\ path and run Kansa with
+the -Pushbin flag, Kansa will attempt to copy the binary to the ADMIN$.
+Binaries are not removed, so subsequent runs won't require -Pushbin.
+
+Also, you should configure this to dump the process you're interested
+in. By default it dumps itself, which is probably not what you want.
#>
-# Replace $pid with the process id you wish to capture.
-$ProcId = $pid
+[CmdletBinding()]
+Param(
+ [Parameter(Mandatory=$False,Position=0)]
+ [Int]$ProcId=$pid
+)
if (Test-Path "$env:SystemRoot\Procdump.exe") {
$PDOutput = & $env:SystemRoot\Procdump.exe /accepteula $ProcId 2> $null
From 50cea7c48cc7ef269cb7312363a2baf8c79f2374 Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Wed, 2 Jul 2014 22:35:10 -0700
Subject: [PATCH 04/14] Updated kansa.ps1's Get-TargetData function to preserve ordered hashtable.
---
kansa.ps1 | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
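Review bot: The `.PARAMETER ProcId` text calls the process id "A required parameter", but the new Param block declares it `Mandatory=$False` with `[Int]$ProcId=$pid`, so running the module with no argument dumps the PowerShell host process itself, which the `.NOTES` block itself says is "probably not what you want". Either make the declaration match the documentation, `[Parameter(Mandatory=$True,Position=0)]` followed by `[Int]$ProcId`, or reword the doc to say the current process is the default. The `.NOTES` example also names the script `Get-ProcDumpe.ps1`, which does not match the file name `Get-ProcDump.ps1`. The `if (Test-Path ...)` block at the end of the hunk continues outside it.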
diff --git a/kansa.ps1 b/kansa.ps1
index 55ab5b55..46b108bc 100644
--- a/kansa.ps1
+++ b/kansa.ps1
@@ -370,7 +370,7 @@ Param(
[Parameter(Mandatory=$True,Position=0)]
[Array]$Targets,
[Parameter(Mandatory=$True,Position=1)]
- [HashTable]$Modules,
+ [System.Collections.Specialized.OrderedDictionary]$Modules,
[Parameter(Mandatory=$False,Position=2)]
[PSCredential]$Credential=$False,
[Parameter(Mandatory=$False,Position=3)]
@@ -378,6 +378,9 @@ Param(
)
Write-Debug "Entering $($MyInvocation.MyCommand)"
+ $Modules
+ exit
+
Try {
# Create our sessions with targets
if ($Credential) {
From 356dd8d638acc04e4496df74280ee733751386ae Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Wed, 2 Jul 2014 22:35:52 -0700
Subject: [PATCH 05/14] Updated kansa.ps1's Get-TargetData function to preserve ordered hashtable.
---
kansa.ps1 | 3 ---
1 file changed, 3 deletions(-)
diff --git a/kansa.ps1 b/kansa.ps1
index 46b108bc..6e61a8c1 100644
--- a/kansa.ps1
+++ b/kansa.ps1
@@ -378,9 +378,6 @@ Param(
)
Write-Debug "Entering $($MyInvocation.MyCommand)"
- $Modules
- exit
-
Try {
# Create our sessions with targets
if ($Credential) {
From a7190092d4fc112c8f777a53a84e1bd82f53fcd5 Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Thu, 3 Jul 2014 14:45:19 -0700
Subject: [PATCH 06/14] Updating Modules.conf for testing.
---
Modules/Modules.conf | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/Modules/Modules.conf b/Modules/Modules.conf
index 942211d8..d6f1519b 100644
--- a/Modules/Modules.conf
+++ b/Modules/Modules.conf
@@ -16,11 +16,11 @@ Net\Get-Netstat.ps1
# Process\Get-Tasklistv.ps1
# Process\Get-Handle.ps1
# Process\Get-RekalPslist.ps1
-# Process\Get-ProcsWMI.ps1
+Process\Get-ProcsWMI.ps1
# Process\Get-ProcDump.ps1
# Net\Get-NetRoutes.ps1
# Net\Get-NetIPInterfaces.ps1
-# Log\Get-LogUserAssist.ps1
+Log\Get-LogUserAssist.ps1
# Log\Get-LogShellCoreOperational.ps1
# Log\Get-LogAppLockerPackagedAppDeployment.ps1
# Log\Get-LogAppLockerMSIScript.ps1
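Review bot: The `$Modules` and `exit` lines added in the second kansa.ps1 hunk of patch 04 are leftover debugging: `$Modules` writes the whole dictionary to the pipeline and `exit` ends the script inside Get-TargetData before any session is opened, so with this commit applied no module runs on any target. They should not be part of the commit that changes the parameter type in the first hunk; patch 05 removes them again, but the intermediate state is unusable and breaks bisecting. Get-TargetData itself starts and ends outside these hunks.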
@@ -32,14 +32,14 @@ Net\Get-Netstat.ps1
# Log\Get-LogTermSrvcsRemoteConnMgrOperational.ps1
# Log\Get-LogSecurity.ps1
# ASEP\Get-SvcAll.ps1
-# ASEP\Get-SvcFail.ps1
-# ASEP\Get-SvcTrigs.ps1
-# ASEP\Get-WMIEvtFilter.ps1
-# ASEP\Get-WMIFltConBind.ps1
-# ASEP\Get-WMIEvtConsumer.ps1
-ASEP\Get-Autorunsc.ps1
-# ASEP\Get-PSProfiles.ps1
-# Disk\Get-FlsBodyFile.ps1
+ASEP\Get-SvcFail.ps1
+ASEP\Get-SvcTrigs.ps1
+ASEP\Get-WMIEvtFilter.ps1
+ASEP\Get-WMIFltConBind.ps1
+ASEP\Get-WMIEvtConsumer.ps1
+# ASEP\Get-Autorunsc.ps1
+ASEP\Get-PSProfiles.ps1
+Disk\Get-FlsBodyFile.ps1 C:
# Disk\Get-TempDirListing.ps1
Disk\Get-File.ps1 C:\Windows\WindowsUpdate.log
# Config\Get-LocalAdmins.ps1
From d80da7d0a1a00ef22d1327318d64a512d43a9310 Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Thu, 3 Jul 2014 14:46:09 -0700
Subject: [PATCH 07/14] Updated Get-FlsBodyfile.ps1 to accept target file system argument via command line.
---
Modules/Disk/Get-FlsBodyfile.ps1 | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/Modules/Disk/Get-FlsBodyfile.ps1 b/Modules/Disk/Get-FlsBodyfile.ps1
index d4f974fa..b82ab4f5 100644
--- a/Modules/Disk/Get-FlsBodyfile.ps1
+++ b/Modules/Disk/Get-FlsBodyfile.ps1
@@ -16,6 +16,12 @@ $env:SystemDrive (typically C:\). This can take a long time for large drives.
!! This takes time for an entire drive !!
#>
+[CmdletBinding()]
+Param(
+ [Parameter(Mandatory=$False,Position=0)]
+ [String]$Drive="$env:SystemDrive"
+)
+
Function Expand-Zip ($zipfile, $destination) {
$shell = New-Object -ComObject shell.application
$zip = $shell.Namespace($zipfile)
@@ -31,8 +37,8 @@ if (Test-Path ($flspath)) {
$flsdest = ($env:Temp + "\fls\")
Expand-Zip $flspath $flsdest
if (Test-Path($flsdest + "\fls.exe")) {
- $sd = $env:SystemDrive
- & $flsdest\fls.exe -r -m ($sd) \\.\$sd
+ # $sd = $env:SystemDrive
+ & $flsdest\fls.exe -r -m ($Drive) \\.\$Drive
$suppress = Remove-Item $flsdest -Force -Recurse
} else {
"Fls.zip found, but not unzipped."
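Review bot: `[String]$Drive` in the new Param block of Get-FlsBodyfile.ps1 comes from the command line or Modules.conf and, in the second hunk, is passed unvalidated both as the `-m` mount prefix and as the device path `\\.\$Drive` handed to fls.exe; anything other than a bare drive letter gives fls a path it cannot open, and nothing in the hunk checks `$LASTEXITCODE` after the `&` call, so the module would return with no body file and no explanation. Constraining the parameter, e.g. `[ValidatePattern('^[A-Za-z]:$')]` on the line above `[String]$Drive="$env:SystemDrive"`, fails binding early with a readable message. The commented-out `# $sd = $env:SystemDrive` in the second hunk is dead code and should be deleted rather than kept. The `if (Test-Path ($flspath))` block containing the second hunk starts outside it.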
From afac7feaf420532ac6d5a4acf5182252f6b02e11 Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Fri, 4 Jul 2014 08:23:37 -0700
Subject: [PATCH 08/14] Get-LogWinEvent.ps1 can acquire any event log supplied via command line parameter.
---
Modules/Log/Get-LogWinEvent.ps1 | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 Modules/Log/Get-LogWinEvent.ps1
diff --git a/Modules/Log/Get-LogWinEvent.ps1 b/Modules/Log/Get-LogWinEvent.ps1
new file mode 100644
index 00000000..d09a19fa
--- /dev/null
+++ b/Modules/Log/Get-LogWinEvent.ps1
@@ -0,0 +1,27 @@
+# OUTPUT TSV
+<#
+.SYNOPSIS
+Get-LogWinEvent
+.PARAMETER LogName
+A required parameter, that names the event log to acquire data from.
+To see a list of common lognames run:
+Get-WinEvent -ListLog | Select LogName
+
+When used with Kansa.ps1, parameters must be positional. Named params
+are not supported.
+.EXAMPLE
+Get-LogWinEvent.ps1 Security
+.NOTES
+When passing specific modules with parameters via Kansa.ps1's
+-ModulePath parameter, be sure to quote the entire string, like shown
+here:
+.\kansa.ps1 -Target localhost -ModulePath ".\Modules\Log\Get-LogWinEvent.ps1 Security"
+#>
+
+[CmdletBinding()]
+Param(
+ [Parameter(Mandatory=$True,Position=0)]
+ [String]$LogName
+)
+
+Get-WinEvent -LogName $LogName
\ No newline at end of file
From 19e62db0bb3891a0c6aaf8721bcb950b62b4d3d4 Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Fri, 4 Jul 2014 08:25:34 -0700
Subject: [PATCH 09/14] Updating modules.conf to use new Get-LogWinEvent.ps1.
---
Modules/Modules.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/Modules/Modules.conf b/Modules/Modules.conf
index d6f1519b..13844181 100644
--- a/Modules/Modules.conf
+++ b/Modules/Modules.conf
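Review bot: `Get-WinEvent -LogName $LogName` forwards the positional `[String]$LogName` untouched and `-LogName` accepts wildcard patterns, so a Modules.conf entry such as `*` would make every target stream every event log back to the collector; `[ValidateNotNullOrEmpty()]` on the parameter plus a sentence in `.PARAMETER LogName` saying that wildcards are passed through would make that explicit. When the named log exists but holds no events, Get-WinEvent reports an error rather than returning nothing, so the empty TSV on the collector carries no explanation; that is worth a line in `.NOTES`. The `.SYNOPSIS` is only the script name; `Get-LogWinEvent.ps1 acquires every event from the Windows event log named by LogName.` would say what the module does.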
@@ -21,6 +21,7 @@ Process\Get-ProcsWMI.ps1
# Net\Get-NetRoutes.ps1
# Net\Get-NetIPInterfaces.ps1
Log\Get-LogUserAssist.ps1
+Log\Get-LogWinEvent.ps1 Security
# Log\Get-LogShellCoreOperational.ps1
# Log\Get-LogAppLockerPackagedAppDeployment.ps1
# Log\Get-LogAppLockerMSIScript.ps1
From 28f25af8285795d55a69721cefd8af6ff3552936 Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Fri, 4 Jul 2014 09:00:08 -0700
Subject: [PATCH 10/14] Updated for testing.
---
Modules/Modules.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/Modules.conf b/Modules/Modules.conf
index 13844181..672ae4bb 100644
--- a/Modules/Modules.conf
+++ b/Modules/Modules.conf
@@ -40,7 +40,7 @@ ASEP\Get-WMIFltConBind.ps1
ASEP\Get-WMIEvtConsumer.ps1
# ASEP\Get-Autorunsc.ps1
ASEP\Get-PSProfiles.ps1
-Disk\Get-FlsBodyFile.ps1 C:
+# Disk\Get-FlsBodyFile.ps1 C:
# Disk\Get-TempDirListing.ps1
Disk\Get-File.ps1 C:\Windows\WindowsUpdate.log
# Config\Get-LocalAdmins.ps1
From 90467a27ceebe01d7a166017b66454ce1694989b Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Fri, 4 Jul 2014 09:00:48 -0700
Subject: [PATCH 11/14] Making some tweaks for handling module args via modules.conf
---
kansa.ps1 | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/kansa.ps1 b/kansa.ps1
index 6e61a8c1..ef970d6e 100644
--- a/kansa.ps1
+++ b/kansa.ps1
@@ -361,6 +361,21 @@ Param(
Write-Debug "Exiting $($MyInvocation.MyCommand)"
}
+function Get-LegalFileName {
+<#
+.SYNOPSIS
+Returns argument with illegal filename characters removed.
+#>
+Param(
+ [Parameter(Mandatory=$True,Position=0)]
+ [String]$Argument
+)
+ Write-Debug "Entering ($MyInvocation.MyCommand)"
+ $Argument -replace [regex]::Escape("\") -replace [regex]::Escape("/") -replace [regex]::Escape(":") `
+ -replace [regex]::Escape("*") -replace [regex]::Escape("?") -replace "`"" -replace [regex]::Escape("<") `
+ -replace [regex]::Escape(">") -replace [regex]::Escape("|")
+}
+
function Get-TargetData {
<#
.SYNOPSIS
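Review bot: `Write-Debug "Entering ($MyInvocation.MyCommand)"` in the new Get-LegalFileName lacks the subexpression syntax the neighbouring functions use, so interpolation expands only `$MyInvocation` and the message prints the object's type name followed by the literal `.MyCommand`; it should read `Write-Debug "Entering $($MyInvocation.MyCommand)"`, and a matching `Write-Debug "Exiting $($MyInvocation.MyCommand)"` before the closing brace would keep the trace symmetric with Get-TargetData. The hand-maintained `-replace` chain strips the nine printable reserved characters but not control characters, which Windows also rejects in file names; `[System.IO.Path]::GetInvalidFileNameChars()` is the maintained list if you want to derive the pattern from it. Because the result names an output directory under `$OutputPath`, stripping rather than rejecting means two different arguments can produce the same name, which the caller must be prepared for.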
@@ -391,22 +406,25 @@ Param(
}
foreach($Module in $Modules.Keys) {
- $ModuleName = $Module | Select-Object -ExpandProperty BaseName
+ $ModuleName = $Module | Select-Object -ExpandProperty BaseName
+ $Argument = $($Modules.Get_Item($Module))
+ if ($Argument) {
+ $ArgFileName = Get-LegalFileName $Argument
+ } else { $ArgFileName = "" }
# we'll use $GetlessMod for the output folder
$GetlessMod = $($ModuleName -replace "Get-")
- $Suppress = New-Item -Path $OutputPath -name $GetlessMod -ItemType Directory
+ $Suppress = New-Item -Path $OutputPath -name ($GetlessMod + $ArgFileName) -ItemType Directory
# First line of each modules can specify how output should be handled
$OutputMethod = Get-Content $Module -TotalCount 1
- # run the module on the targets
- $Argument = $($Modules.Get_Item($Module))
+ # run the module on the targets
# "Invoke-Command -Session $PSSessions -FilePath $Module -ArgumentList `"$Argument`" -AsJob -ThrottleLimit $ThrottleLimit"
$Job = Invoke-Command -Session $PSSessions -FilePath $Module -ArgumentList "$Argument" -AsJob -ThrottleLimit $ThrottleLimit
- Write-Verbose "Waiting for $ModuleName to complete."
+ Write-Verbose "Waiting for $ModuleName $Argument to complete."
# Wait-Job does return data to stdout, add $suppress = to start of next line, if needed
Wait-Job $Job
foreach($ChildJob in $Job.ChildJobs) {
$Recpt = Receive-Job $ChildJob
- $Outfile = $OutputPath + $GetlessMod + "\" + $ChildJob.Location + "-" + $GetlessMod
+ $Outfile = $OutputPath + $GetlessMod + $ArgFileName + "\" + $ChildJob.Location + "-" + $GetlessMod + $ArgFileName
# save the data
switch -Wildcard ($OutputMethod) {
"*csv" {
From d9c68b58e71dffa34dd65d21e0c60f4818ffb80d Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Fri, 4 Jul 2014 10:08:18 -0700
Subject: [PATCH 12/14] Updated for new Get-LogWinEvent.ps1 usage
---
Modules/Modules.conf | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
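Review bot: The output folder name `($GetlessMod + $ArgFileName)` handed to `New-Item` is built by deleting characters from the module argument, so two different arguments can map to one folder (constructed example: `C:` and `C` both become `C`), and assigning the cmdlet output to `$Suppress` hides the resulting "already exists" error; `$Outfile` later in the hunk is built from the same string, so a second run's results would overwrite the first without any message. Adding `-ErrorAction Stop` to the `New-Item` call makes the collision fail loudly inside the enclosing Try, and `Join-Path` is the idiomatic way to build `$Outfile` instead of concatenating with `"\"`. The `if ($Argument) { ... } else { $ArgFileName = "" }` pairs a three-line branch with a one-line one; `$ArgFileName = if ($Argument) { Get-LegalFileName $Argument } else { "" }` reads more evenly. Get-TargetData starts and ends outside this hunk.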
diff --git a/Modules/Modules.conf b/Modules/Modules.conf
index 672ae4bb..a3494f28 100644
--- a/Modules/Modules.conf
+++ b/Modules/Modules.conf
@@ -21,17 +21,16 @@ Process\Get-ProcsWMI.ps1
# Net\Get-NetRoutes.ps1
# Net\Get-NetIPInterfaces.ps1
Log\Get-LogUserAssist.ps1
-Log\Get-LogWinEvent.ps1 Security
-# Log\Get-LogShellCoreOperational.ps1
-# Log\Get-LogAppLockerPackagedAppDeployment.ps1
-# Log\Get-LogAppLockerMSIScript.ps1
-# Log\Get-LogAppLockerExeDll.ps1
-# Log\Get-LogAppExperienceProgTelemetry.ps1
-# Log\Get-LogAppExperienceProgInventory.ps1
+# Log\Get-LogWinEvent.ps1 Security
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-Application-Experience/Program-Inventory
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-Application-Experience/Program-Telemetry
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/EXE and DLL
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/MSI and Script
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/Packaged app-Deployment
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-Shell-Core/Operational
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
# Log\Get-LogCBS.ps1
-# Log\Get-LogTermSrvcsLocalSessionMgrOperational.ps1
-# Log\Get-LogTermSrvcsRemoteConnMgrOperational.ps1
-# Log\Get-LogSecurity.ps1
# ASEP\Get-SvcAll.ps1
ASEP\Get-SvcFail.ps1
ASEP\Get-SvcTrigs.ps1
From 96c1dd10ba9bc14086e675aad80553ab450fe555 Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Fri, 4 Jul 2014 10:08:43 -0700
Subject: [PATCH 13/14] Removed default_encoding from output filename.
---
kansa.ps1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kansa.ps1 b/kansa.ps1
index ef970d6e..f46ec921 100644
--- a/kansa.ps1
+++ b/kansa.ps1
@@ -453,7 +453,7 @@ Param(
"*Default" {
# Default here means we let PowerShell figure out the output encoding
# Used by Get-File.ps1, which can grab arbitrary files
- $Outfile = $Outfile + ".default_encoding"
+ $Outfile = $Outfile
$Recpt | Set-Content -Encoding Default $Outfile
}
default {
From 7a9ed3822bb4b9a5f153be0bd4070b1994b7d5d8 Mon Sep 17 00:00:00 2001
From: Dave Hull
Date: Fri, 4 Jul 2014 10:15:05 -0700
Subject: [PATCH 14/14] Removing some modules that are obsolete now that arguments can be passed via command line or modules.conf file.
---
Modules/Log/Get-LogAppExperienceProgInventory.ps1 | Bin 238 -> 0 bytes
Modules/Log/Get-LogAppExperienceProgTelemetry.ps1 | Bin 238 -> 0 bytes
Modules/Log/Get-LogAppLockerExeDll.ps1 | Bin 200 -> 0 bytes
Modules/Log/Get-LogAppLockerMSIScript.ps1 | Bin 210 -> 0 bytes
.../Log/Get-LogAppLockerPackagedAppDeployment.ps1 | Bin 224 -> 0 bytes
Modules/Log/Get-LogSecurity.ps1 | 6 ------
Modules/Log/Get-LogShellCoreOperational.ps1 | Bin 426 -> 0 bytes
...Get-LogTermSrvcsLocalSessionMgrOperational.ps1 | Bin 782 -> 0 bytes
.../Get-LogTermSrvcsRemoteConnMgrOperational.ps1 | Bin 776 -> 0 bytes
9 files changed, 6 deletions(-)
delete mode 100644 Modules/Log/Get-LogAppExperienceProgInventory.ps1
delete mode 100644 Modules/Log/Get-LogAppExperienceProgTelemetry.ps1
delete mode 100644 Modules/Log/Get-LogAppLockerExeDll.ps1
delete mode 100644 Modules/Log/Get-LogAppLockerMSIScript.ps1
delete mode 100644 Modules/Log/Get-LogAppLockerPackagedAppDeployment.ps1
delete mode 100644 Modules/Log/Get-LogSecurity.ps1
delete mode 100644 Modules/Log/Get-LogShellCoreOperational.ps1
delete mode 100644 Modules/Log/Get-LogTermSrvcsLocalSessionMgrOperational.ps1
delete mode 100644 Modules/Log/Get-LogTermSrvcsRemoteConnMgrOperational.ps1
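Review bot: `$Outfile = $Outfile` in the `"*Default"` arm is a self-assignment that does nothing; dropping the `.default_encoding` suffix should delete the line outright, leaving the arm as the comment lines followed by `$Recpt | Set-Content -Encoding Default $Outfile`. If the other arms of the switch (not visible here) still append a suffix, files written through this arm will presumably be the only ones with none, which is worth a word in the comment above it. The surrounding `switch -Wildcard` and Get-TargetData start and end outside the hunk.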
diff --git a/Modules/Log/Get-LogAppExperienceProgInventory.ps1 b/Modules/Log/Get-LogAppExperienceProgInventory.ps1 deleted file mode 100644 index 596a099decd8f78e927f2d81ea5a6242140db0ea..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 238 zcmYk0%L>9U5Jk^g@E-!MgWn)h#f2#NTDNH}qD@8Pqd%|SL<9+$%$z%OGw;^`!-5TK zmMI!#E4K9M5w$Tbp1_3z1vh0CrFcQ7I2S#N7$)TE^Qt{{nvM=rX#vYF@r=9b==Pm- za&5Wl?*F<<)elk2h_lW~vrg_oZ`{R_@f5GpPSMXPA8P;TRx9Q->Y7RU{nv_id;q7T BD<1#= diff --git a/Modules/Log/Get-LogAppExperienceProgTelemetry.ps1 b/Modules/Log/Get-LogAppExperienceProgTelemetry.ps1 deleted file mode 100644 index 091427f374bed2902eba65ee761a2347a3b84f9e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 238 zcmYk0%L>9U5Jk^g@E?M%gWn)hU5SEK*KJyh*ruZK(VtguvXU^9nUk5D`~6HYY}k{t zP1&g0abV1d__m9k3`Ngc@E?M%i{Btx-Bc9nYinDTB21;Nia)R3$x4QV+>_*HzMnD1njKp< zo=sKGo*@HbZ$?9)r=_Ogq3TQ}Uhr04iQYtv1t-k~>A=;um*PDM2WKfy>F8vPe6N&e jL#Md>%~jGb(S#{?y-d3F8!Z!3jtcWz@fUOTGx_}h=}RJl diff --git a/Modules/Log/Get-LogAppLockerMSIScript.ps1 b/Modules/Log/Get-LogAppLockerMSIScript.ps1 deleted file mode 100644 index 5d726700fa38ce8f1f4c9594655cad97af3c7f05..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 210 zcmYk0%?iRm41~Y4;5#h!Tzm!*6+uy0f6lg5k;1mrs`&EiBqv!mWM(pxd_N-s8}{tj zdJXC#2ZjtVZAwF;r{hM!L*1E5e8F3FEw&aDm~+xx5>8y*Z3zo$Jvm3`XFP>1Es(jl oRBppv|ME9i3BSbVOlb91!lm!&7|Rz~D#7;IB~hAP*D4|72MsACIRF3v diff --git a/Modules/Log/Get-LogAppLockerPackagedAppDeployment.ps1 b/Modules/Log/Get-LogAppLockerPackagedAppDeployment.ps1 deleted file mode 100644 index 4cb015068829fa115c091710342d11997b136f35..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 224 zcmYk0NeaS15Jlfw@D5E}H=aS9Hj0ANx|67g+6gf#xxD&Qx{#)d`mcWt?^h4Uf(>hy zmYu2dmAx+fmWijlopVj_)18T%M71$wlsl>u*!S2Zb{z5C8xG 
diff --git a/Modules/Log/Get-LogSecurity.ps1 b/Modules/Log/Get-LogSecurity.ps1 deleted file mode 100644 index 18cdfc58..00000000 --- a/Modules/Log/Get-LogSecurity.ps1 +++ /dev/null @@ -1,6 +0,0 @@ -# OUTPUT TSV -<# -Acquire remote security event log -#> - -Get-WinEvent Security \ No newline at end of file diff --git a/Modules/Log/Get-LogShellCoreOperational.ps1 b/Modules/Log/Get-LogShellCoreOperational.ps1 deleted file mode 100644 index 3e799f8abf18a236283f776faa774759f58f0ef5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 426 zcmbV}$!@|x5Jc-7DgR)Jvz3ov$tfff+u4pyKoHv+58KZJuiG)=9F1l?UDaJ(J-%HB zO7y9P=KAt8;WpD!uX>SjBOUasMlJWKjY_`Xs#Ot{ei~D2{ltH0OHKf7ory}d0;^OI zpFmT3nAV<^Y6u!!xzzDbHG!%1^YAexiu5RTR)%_nzYw?h>uNWyZ7yqY>t+rE-i^1~ z-hY8YWcM>#f6ES3<>*;mL4NKXY?>WNq6sw>%d|UZ@2=cWH-2*e-#2*UZ#1X|_qcUu H8MEF26#Gls diff --git a/Modules/Log/Get-LogTermSrvcsLocalSessionMgrOperational.ps1 b/Modules/Log/Get-LogTermSrvcsLocalSessionMgrOperational.ps1 deleted file mode 100644 index 8306c29c6ce4ecbb6c36a7e59d3a1a741e32ec49..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 782 zcmZ`$T~C8R5S(Wd{{xAyHvR@vKVq!5Dy`3WU_~i3fHfrkc6Da&urz7YKyT+}W_O3* zpA$rwVvZOydq+GyVS!^DL3d+RDB+M{jh6KbI==6aY8|q5uOdZ z#D;ZgTB#grIyQV>2dtF!7ts;BXJo8Qo1owhCv8%sph~-2|&ZJ2aP9en^ zw_4jNVIR+sCc-x#xfXn!%`oLw@1fFe>eB?LQ?ivs6n-~IA#6cb{oh;213qo4oSWt0 zR``TxWl)$dCZ}O`y3vG=v!}dOearujIaG8`$rAQROdKJ7?-{GgGLf>zJv~>!L+LCn zhaT~4eL-#IJ%$^_c%w%~k8KBK>4@vAW;_0KdZ=eVOH7VBje|$avrp*U(#>tomV5OI hZB)?TGY_%0sa>!`!=$9?c4irFG0gI?qECN6;}4pyhaCU_ 
diff --git a/Modules/Log/Get-LogTermSrvcsRemoteConnMgrOperational.ps1 b/Modules/Log/Get-LogTermSrvcsRemoteConnMgrOperational.ps1 deleted file mode 100644 index f0b31ce003ea7300fe360e6f21ec71c844ab4ec2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 776 zcmZ{i+fKqz6h!CQ#D8ewtHf_Gc!?1e74aF`f@mqEtr!x&U0rk9N;MkN_Uzd+voD9w zj{`-z(St@BhIhp2USsWRPtNtVQm$C3)~bl7+VZ~ALN8#E&NLyP6X%)-)j4>jo*n~s zsts`-v{uC`a4dOd9acj82HK-~3S$|x6J_+`coURqVBCQ$;a7a??s85s@d7lbH+M9l z8!L~PZXHgOZ-#v%z4O>TYt%iMQ$074XLP-?aXN(UokY#=LWzuxVHL3I+D2~miY5b@ z@zh!41J2$>7IY&xB|CJ+9me#Ykac{?cgsFjI47`-d1`Zvw6%vstFRj@3ti*6Y&?GF zTFn5(yu<9yRBL?Kp1W0y^n`bc_pY*c9E1DT(~eujf2ag0I_gE}so!|`*6Ph2H+SZ{ it(dp1=SegCYvzBf-8N6qmu%3Q?T=o%v$gyFoBahgZiVpx