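@ECHO off
REM =====================================================================================
REM Work out the OS version
REM V_OS is <major><minor> of the kernel as printed by VER: 40 = NT4, 50 = 2000, 51 = XP,
REM 52 = 2003, 60 = Vista/2008, 61 = 7/2008R2, 100 = every 10.0 build (10, 11, 2016+).
REM "NUL" is the "not set" sentinel for all three variables. NOTE(review): if VER cannot be
REM parsed V_OS stays "NUL", and every later "if %V_OS% GEQ n" then becomes a string
REM comparison in which "NUL" sorts above any digit string - i.e. the modern code paths are
REM taken. That is the existing behaviour; it is documented here rather than changed.
REM =====================================================================================
SET V_OS=NUL
SET x64=NUL
SET DT=NUL
REM VER prints "Microsoft Windows [Version 10.0.x]" on most builds, but "Microsoft Windows XP
REM [Version 5.1.x]" / "Microsoft Windows 2000 [Version 5.00.x]" carry an extra word, which
REM shifts the version one token to the right - hence the "[Version" probe on token 4 that
REM decides whether token 4 or token 5 is split on "." into major and minor.
for /f "tokens=1-7" %%a in ('ver.exe') do if "[Version" EQU "%%d" (for /f "delims=. tokens=1-5" %%i in ("%%e") do SET V_OS=%%i%%j) else for /f "delims=. tokens=1-5" %%i in ("%%d") do SET V_OS=%%i%%j
REM Windows 2000 reports 5.00 and so yields "500"; fold it to 50 so the numeric comparisons
REM below hold. The previous "SET V_OS=50 && REM ..." stored "50 " with a trailing space;
REM the quoted form stores exactly "50".
if %V_OS% EQU 500 SET "V_OS=50"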
:CheckAdmin
REM =====================================================================================
REM Elevation check. whoami.exe is not in the box on XP and earlier (V_OS <= 51), so those
REM versions are simply assumed to run as an administrator. From 2003/Vista on, an elevated
REM Administrators token lists SeTakeOwnershipPrivilege in "whoami /priv" while the
REM UAC-filtered token of the same user does not, so this also catches "admin but not
REM elevated". Anything that is not a confirmed pass falls through to :NotAdmin.
REM =====================================================================================
color 4e
if %V_OS% LEQ 51 goto Main
%systemroot%\system32\Whoami.exe /priv | find "SeTakeOwnershipPrivilege" >NUL && goto Main
:NotAdmin
cls
color e4
ECHO.
ECHO Administrator Privilege Not Detected!
ECHO.
whoami.exe /user /nh
ECHO.
ECHO Please restart under an account in the Administrators group
ECHO.
pause > NUL
GOTO :eof
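:Main
REM =====================================================================================
REM Find out where we are running from: drive and path of this script, trailing backslash
REM included. Every helper binary and list file is expected under "%Store%Utils\".
REM =====================================================================================
set "Store=%~dp0"
REM =====================================================================================
REM Set-up Processor type: "64" selects the *64.exe tool builds under Utils.
REM PROCESSOR_ARCHITEW6432 is set when this script runs from a 32-bit cmd.exe on x64
REM Windows (WOW64); previously that case silently picked the 32-bit tools.
REM NOTE(review): under WOW64 the file-system redirector still points System32 at
REM SysWOW64 for every collector below - start FLAIR from a native 64-bit shell.
REM =====================================================================================
set "x64="
if "%PROCESSOR_ARCHITECTURE%" EQU "AMD64" set "x64=64"
if "%PROCESSOR_ARCHITEW6432%" EQU "AMD64" set "x64=64"
CLS
ECHO.
ECHO Please wait. Starting FLAIR for %COMPUTERNAME%
ECHO.
TIMEOUT.exe /T 10 /NOBREAK
REM =====================================================================================
REM Create the folder and remove any old copies first
REM The working copy of the evidence is written to the host's own TEMP and only packed into
REM a CAB at the end - a deliberate footprint on the evidence disk.
REM Guard: with TEMP undefined, "%TEMP%\%COMPUTERNAME%" used to resolve to "\%COMPUTERNAME%"
REM on the root of the current drive, which RD /s /q would then remove. Fall back to
REM SystemRoot\Temp instead.
REM =====================================================================================
SET "outputfile=%COMPUTERNAME%"
SET "outputroot=%TEMP%"
if not defined TEMP SET "outputroot=%SystemRoot%\Temp"
SET "outputdir=%outputroot%\%outputfile%"
if exist "%outputdir%" RD /s /q "%outputdir%"
md "%outputdir%"
cls
REM =====================================================================================
REM Enable hashing, get the date and set file output filename
REM hashes.SHA1 always exists; hashes.MD5 and hashes.SHA256 only on NT 6.0+, where certutil
REM -hashfile accepts an algorithm. :hashit uses the presence of these files to decide
REM which digests to compute for every collected file.
REM =====================================================================================
echo SHA1 > "%outputdir%\hashes.SHA1"
if %V_OS% GTR 52 (
echo MD5 > "%outputdir%\hashes.MD5"
echo SHA256 > "%outputdir%\hashes.SHA256"
REM Write a marker event - Application log, level Error, ID 42 - and read it back with
REM wevtutil to obtain a locale-independent ISO 8601 timestamp. This intentionally leaves
REM one FLAIR event in the host's Application log.
EVENTCREATE.exe /T ERROR /ID 42 /L Application /D "F-Secure FLAIR" 1>NUL
for /f "tokens=1-30 delims== " %%a in ('wevtutil.exe qe Application /f:text /rd:true /q:"*[System[(Level=2) and (EventID=42)]]"') do if "%%a" equ "Date:" SET DT=%%b
)
call :logme FLAIR Running on %COMPUTERNAME% (%V_OS%)
ver >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
call :logme data in - "%outputdir%" on %DT%
call :logme Running from %Store%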
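:Volatile
REM =====================================================================================
call :logme File: Metadata
REM File-system metadata plus an MD5 of every file, via LogParser, for the locations most
REM used for persistence and staging. -preserveLastAccTime:ON leaves the evidence's
REM last-access timestamps untouched; -useLocalTime:OFF records UTC. The MD5 column is a
REM lookup key for IoC/reputation matching, not an integrity control - the package itself is
REM covered by the SHA lists produced at the end.
REM =====================================================================================
ECHO This will take a while...
ECHO =========================
if %V_OS% GEQ 61 (
call :logme File: USN
REM Review note: fsutil usn readjournal is believed to exist from NT 6.2 on; on 6.1 this
REM should fail and leave USN_System.csv empty - confirm the intended threshold.
FSUTIL.exe usn readjournal %SystemDrive% csv > "%outputdir%\USN_System.csv"
)
call :logme File: SystemRoot
REM -recurse:0 = top level of SystemRoot only; System32 and SysWOW64 are walked in full below.
"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:0 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\LP_Systemroot.csv' from '%SystemRoot%\*.*'" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
if "%x64%" EQU "64" (
call :logme File: SystemRoot - SysWOW64
REM The FROM path is quoted like every other query here; unquoted, a SystemRoot containing
REM a space split the argument and the SysWOW64 query failed.
"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\LP_SysWOW64.csv' from '%SystemRoot%\SysWOW64\*.*'" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
)
call :logme File: SystemRoot - System32
"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\LP_System32.csv' from '%SystemRoot%\System32\*.*'" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
call :logme File: Profiles
REM USERPROFILE\.. is the profiles root, so this covers every local profile, not just the
REM collecting account's.
"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\LP_USERPROFILE.csv' from '%USERPROFILE%\..\*.*'" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
call :logme File: System Temp
"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\LP_Win_temp.csv' from '%SystemRoot%\temp\*.*'" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
call :logme File: ProgramData
"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\LP_ProgramData.csv' from '%ProgramData%\*.*'" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
call :logme File: Metadata Complete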
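REM =====================================================================================
call :logme Network
REM Volatile network state: MAC table, ARP and routing tables, listeners and connections with
REM owning PID and image, the DNS resolver cache, netsh configuration, shares and the
REM firewall policy. Collected before the slower, less volatile system inventory.
REM =====================================================================================
if %V_OS% GEQ 100 (
GETMAC /V /FO csv >"%outputdir%\GETMAC.csv"
)
arp -a >"%outputdir%\arp.txt"
route print >"%outputdir%\Route_Print.txt"
REM -o adds the owning PID from XP on; -b additionally names the image and needs elevation.
if %V_OS% GEQ 51 (
netstat -anO >"%outputdir%\Netstat_ANO.txt"
netstat -anob >"%outputdir%\Netstat_ANOB.txt"
) else (
netstat -an >"%outputdir%\Netstat_AN.txt"
)
ipconfig /All >"%outputdir%\Ipconfig_all.txt"
ipconfig /displaydns >"%outputdir%\Ipconfig_dns.txt"
netsh dump >"%outputdir%\netsh.txt"
net share > "%outputdir%\shares.txt"
REM Both NET CONFIG views share one file. The server view used a plain ">" and so wiped the
REM workstation view written on the line before; it now appends.
net config workstation > "%outputdir%\net_config.txt"
net config Server >> "%outputdir%\net_config.txt"
REM The export is the binary firewall policy format; load it with "netsh advfirewall import".
if %V_OS% GEQ 60 netsh advfirewall export "%outputdir%\Firewall.hbin"
call :logme Network Complete -%ERRORLEVEL%-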
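REM =====================================================================================
call :logme System: System
REM =====================================================================================
if %V_OS% GEQ 60 (
"%systemroot%\system32\msinfo32.exe" /report "%outputdir%\msinfo32.txt" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
) ELSE (
REM srvinfo's report goes to its own file and its diagnostics to the collection log.
REM The previous line carried two stdout redirections; the last one won, so srvinfo.txt
REM was always created empty and the report landed in the log instead.
"%Store%Utils\srvinfo.exe" -r > "%outputdir%\srvinfo.txt" 2>> "%outputdir%\_COLLECTION_LOG.TXT"
)
REM =====================================================================================
call :logme System: Sysinternals tools
REM Handles, loaded DLLs and named pipes. The x64 builds are selected through %x64%;
REM -accepteula stops the licence dialog from blocking an unattended run.
REM NOTE(review): the Sysinternals tools are believed to record EulaAccepted under
REM HKCU\Software\Sysinternals - a small registry footprint of the collector on the host.
REM =====================================================================================
if %V_OS% GTR 60 (
"%Store%Utils\handle%x64%.exe" -a -nobanner -accepteula > "%outputdir%\handle.txt" 2>&1
)
"%Store%Utils\Listdlls%x64%.exe" -v -accepteula > "%outputdir%\Listdlls.txt" 2>&1
"%Store%Utils\pipelist%x64%.exe" -accepteula > "%outputdir%\pipelist.txt" 2>&1
REM =====================================================================================
call :logme System: Openfiles and Systeminfo
REM openfiles /query lists files opened through shares; local handles only appear when the
REM "maintain objects list" flag was already on before boot, so expect a short list here.
REM =====================================================================================
openfiles.exe /query /fo csv >"%outputdir%\openfiles.csv"
systeminfo.exe /fo csv >"%outputdir%\system.csv"
call :logme System: Defender collection
REM MpCmdRun -GetFiles writes MpSupportFiles.cab into Defender's own Support folder under
REM ProgramData, not into outputdir. NOTE(review): it only reaches the package if
REM Utils\Get_Files.txt lists that location - confirm.
if exist "%ProgramFiles%\Windows Defender\MpCmdRun.exe" "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -GetFiles
call :logme System: System Complete -%ERRORLEVEL%-
REM =====================================================================================
call :logme System: Certificate data
REM WinINet URL cache as seen by certutil: CRL/OCSP/AIA fetches and other cached downloads.
REM =====================================================================================
certutil.exe -URLCache -v>"%outputdir%\CERT_URLCache.txt"
call :logme System: Certificate data -%ERRORLEVEL%-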
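call :logme System: Event Logs
REM =====================================================================================
REM Full .evtx exports of the channels listed in Utils\EventLogs.txt on NT 6.0+, or
REM LogParser XML dumps of the four classic logs before that. Security needs elevation.
REM =====================================================================================
md "%outputdir%\Event_Logs"
if %V_OS% GEQ 60 (
wevtutil.exe el > "%outputdir%\Event_Logs\List.txt"
REM Channels come from Utils\EventLogs.txt beside this script, one per line, either as
REM Provider/Channel or as a bare log name. The list used to be opened as
REM .\Utils\EventLogs.txt, i.e. relative to the working directory, which for a shortcut
REM started with Run as administrator is typically System32 - so nothing was exported.
if not exist "%Store%Utils\EventLogs.txt" call :logme System: Event Log list "%Store%Utils\EventLogs.txt" not found
for /f "usebackq tokens=1* delims=^/" %%a in ("%Store%Utils\EventLogs.txt") do (
call :logme System: Event Log - %%a/%%b -
if "%%b" EQU "" (
wevtutil.exe epl "%%a" "%outputdir%\Event_Logs\%%a.evtx" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
) ELSE (
wevtutil.exe epl "%%a/%%b" "%outputdir%\Event_Logs\%%a-%%b.evtx" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
)
)
) ELSE (
"%Store%Utils\LogParser.exe" -i:evt -o:xml -structure:2 -rootName:EVENTLOG -rowName:Event -compact:ON "Select * INTO '%outputdir%\Event_Logs\System.xml' from 'System'"
"%Store%Utils\LogParser.exe" -i:evt -o:xml -structure:2 -rootName:EVENTLOG -rowName:Event -compact:ON "Select * INTO '%outputdir%\Event_Logs\Application.xml' from 'Application'"
"%Store%Utils\LogParser.exe" -i:evt -o:xml -structure:2 -rootName:EVENTLOG -rowName:Event -compact:ON "Select * INTO '%outputdir%\Event_Logs\Security.xml' from 'Security'"
"%Store%Utils\LogParser.exe" -i:evt -o:xml -structure:2 -rootName:EVENTLOG -rowName:Event -compact:ON "Select * INTO '%outputdir%\Event_Logs\PowerShell.xml' from 'Windows Powershell'"
)
call :logme System: Event Logs Complete -%ERRORLEVEL%-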
REM =====================================================================================
call :logme System: RDP
REM Logged-on users and terminal-services sessions, with VM sessions on NT 6.0+.
REM query.exe fronts quser/qwinsta from Vista on; the bare tools are used before that.
REM Q_RDP.csv is the tools' fixed-width text despite the extension.
REM =====================================================================================
if %V_OS% LSS 60 (
quser.exe > "%outputdir%\Q_RDP.csv"
qwinsta.exe >> "%outputdir%\Q_RDP.csv"
) ELSE (
query.exe user > "%outputdir%\Q_RDP.csv"
query.exe session >> "%outputdir%\Q_RDP.csv"
query.exe session /VM >> "%outputdir%\Q_RDP.csv"
)
call :logme System: RDP Complete -%ERRORLEVEL%-
REM =====================================================================================
call :logme System: Registry
REM =====================================================================================
REM UserAssist - GUI program execution counts - for the account running FLAIR only: this is
REM HKCU, so other users' NTUSER.DAT hives are not covered here. The 8th backslash-separated
REM token of each "...\Count" key path is the {GUID} subkey, saved as one raw hive file each.
for /f "delims=\ tokens=1-8" %%a in ('REG QUERY HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\ /s^|findstr "Count"') do (
REG save HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\%%h\count "%outputdir%\UA_%%h.hbin" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
)
REM Raw hive exports of execution and MRU artefacts: AppCompatCache (ShimCache), Explorer
REM ShellBags MRU, RDP client destinations, and BAM (Background Activity Moderator; absent on
REM older builds, in which case the stderr redirect hides the failure and the line is skipped).
REM REG SAVE needs the backup privilege, i.e. an elevated token.
REM Note: the "-ERRORLEVEL-" in these one-liners is expanded when the line is parsed, before
REM REG runs, so it reports the previous command's status; the && already implies success.
REG SAVE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" "%outputdir%\REG_AppCompatCache.hbin" 2>NUL && call :logme System: Registry AppCompatCache -%ERRORLEVEL%-
REG SAVE "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell" "%outputdir%\REG_Shell_MRU.hbin" 2>NUL && call :logme System: Registry REG_Shell_MRU -%ERRORLEVEL%-
REG QUERY "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\servers" > "%outputdir%\REG_TS_srv.csv" 2>NUL && call :logme System: Registry REG_TS_srv -%ERRORLEVEL%-
REG SAVE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam" "%outputdir%\REG_bam.hbin" 2>NUL && call :logme System: Registry REG_bam -%ERRORLEVEL%-
call :logme System: Registry Complete -%ERRORLEVEL%-
REM =====================================================================================
call :logme System: Processes
REM =====================================================================================
REM Process inventory: terminal-services view, tlist twice (-t then -v) into one file,
REM scheduled tasks and tasklist with window titles. Before Vista, qprocess stands in for
REM query.exe and tlist is not run.
if %V_OS% GEQ 60 (
query.exe process * >"%outputdir%\Q_process.csv"
"%Store%Utils\tlist%x64%.exe" -t > "%outputdir%\tlist.csv"
"%Store%Utils\tlist%x64%.exe" -v >> "%outputdir%\tlist.csv"
) ELSE (
qprocess.exe * >"%outputdir%\Q_process.csv"
)
REM NOTE(review): V_OS is major+minor, and every 10.0 kernel - Windows 10, 11 and Server
REM 2016+ alike - yields exactly 100, so "GTR 100" is never true and vulkaninfo never runs.
REM vulkaninfo.exe is not an inbox tool either; confirm what this step was meant to capture.
if %V_OS% GTR 100 vulkaninfo.exe -j >"%outputdir%\vulkan.json"
SCHTASKS.exe /query >"%outputdir%\SCHTASKS.txt"
TASKLIST.exe /V /FO CSV >"%outputdir%\tasklist.csv"
call :logme System: Processes Complete -%ERRORLEVEL%-
REM =====================================================================================
call :logme System: Autoruns
REM =====================================================================================
REM Sysinternals Autorunsc over every autostart location. Per the tool's usage text:
REM -t normalised timestamps, -a * all entry types, -ct tab-delimited CSV (so Autoruns.csv
REM is tab-separated), -h file hashes, -s signature verification. No -v, so nothing is
REM submitted to VirusTotal; -s may still fetch CRL/OCSP data on a connected host.
"%Store%Utils\Autorunsc%x64%.exe" -t -a * -ct -h -s -nobanner -accepteula> "%outputdir%\Autoruns.csv"
call :logme System: Autoruns Complete -%ERRORLEVEL%-
REM =====================================================================================
call :logme System: Services
REM =====================================================================================
REM Services with their hosting process (tasklist /svc) and their full SCM state.
TASKLIST.exe /svc /FO CSV >"%outputdir%\tasklist_svc.csv"
sc.exe queryex >"%outputdir%\sc_svc.txt"
call :logme System: Services Complete -%ERRORLEVEL%-
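REM =====================================================================================
call :logme System: Applications
REM =====================================================================================
REM NOTE(review): tasklist /apps is believed to exist from NT 6.2 on; on 6.1 it should print
REM an invalid-argument error and leave the CSV empty - confirm the intended threshold.
if %V_OS% GEQ 61 TASKLIST.exe /apps /V /FO CSV >"%outputdir%\tasklist_apps.csv"
REM Installed programs from all three Uninstall locations: native HKLM, the 32-bit view on
REM x64 (Wow6432Node) and the collecting user's per-user installs. The original read only
REM the native HKLM key and so missed 32-bit and per-user software.
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s|findstr /c:"DisplayName" > "%outputdir%\Installed_pgm.txt"
if "%x64%" EQU "64" (
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s 2>NUL|findstr /c:"DisplayName" >> "%outputdir%\Installed_pgm.txt"
)
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s 2>NUL|findstr /c:"DisplayName" >> "%outputdir%\Installed_pgm.txt"
call :logme System: Applications Complete -%ERRORLEVEL%-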
REM =====================================================================================
call :logme System: Privileges, Users and Groups
REM =====================================================================================
REM whoami /all describes the COLLECTING account - its groups and privileges - not the
REM user under investigation.
if %V_OS% GEQ 60 WHOAMI /ALL /FO CSV >"%outputdir%\whoami.csv"
net.exe user >"%outputdir%\Logon.txt"
REM Accounting for locale on names
REM Enumerate the local groups by name rather than hard-coding localised names such as
REM "Administrators". skip=4 drops the NET LOCALGROUP header and the leading "*" is the
REM delimiter; the trailing "The command completed successfully." line is fed to NET
REM LOCALGROUP too, fails, and is hidden by the stderr redirect. Each group's membership
REM is appended to one file.
for /f "skip=4 delims=*" %%a in ('net localgroup') do Net Localgroup "%%a">>"%outputdir%\localgroups.txt" 2>NUL && call :logme System: Localgroup -%%a-
REM Resultant set of policy, verbose, for the machine and for the collecting user.
gpresult.exe /z /scope computer>"%outputdir%\GP_Computer.txt"
gpresult.exe /z /scope user>"%outputdir%\GP_User.txt"
call :logme System: Privileges, Users and Groups Complete -%ERRORLEVEL%-
REM =====================================================================================
call :logme System: Drivers
REM Installed kernel drivers with file details, then with signing state, plus the driver
REM store inventory on Vista and later.
REM =====================================================================================
DRIVERQUERY.exe /V /FO CSV > "%outputdir%\Drivers.csv"
DRIVERQUERY.exe /SI /FO CSV > "%outputdir%\Drivers_Signed.csv"
if %V_OS% GTR 52 (
pnputil /e > "%outputdir%\pnputil.txt"
)
call :logme System: Drivers Complete -%ERRORLEVEL%-
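REM =====================================================================================
call :logme System: Environment
REM =====================================================================================
REM Time zone from the live control set. The export used ControlSet001, which is usually but
REM not necessarily the set the machine booted with; CurrentControlSet always is.
REG export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation "%outputdir%\Timezone.reg" /y 2>NUL
if %V_OS% GEQ 61 (
w32tm.exe /tz >"%outputdir%\Timezone.txt"
bcdedit.exe /enum >"%outputdir%\bdcedit.txt"
)
if exist "%systemroot%\system32\manage-bde.exe" manage-bde.exe -status >"%outputdir%\bitlocker.txt"
REM Full environment of the collecting session, as Name,"Value" rows.
REM NOTE(review): env.csv goes into the package that is sent off-host, and environment
REM variables can carry credentials or tokens - review it before sending. A value that
REM itself contains a double quote unbalances the quoting of its row.
ECHO Name,Value >"%outputdir%\env.csv"
for /f "tokens=1,2* delims==" %%a in ('set') do ECHO %%a,"%%b" >>"%outputdir%\env.csv"
call :logme System: Environment - Disks
REM Both scripts live under Utils beside this file. NOTE(review): diskshadow can create or
REM expose shadow copies, i.e. it writes to the evidence host - keep Utils\diskshadow.txt
REM limited to listing commands.
if %V_OS% GEQ 51 diskpart /s "%Store%Utils\diskpart.txt" >"%outputdir%\diskpart.txt"
if exist "%systemroot%\system32\diskshadow.exe" diskshadow.exe /s "%Store%Utils\diskshadow.txt" /log "%outputdir%\ds_log.txt" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
call :logme System: Environment Complete -%ERRORLEVEL%-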
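REM =====================================================================================
call :logme IoC check
REM =====================================================================================
if %V_OS% GEQ 60 (
call :logme IoC check : Eventlog scan
REM Targeted extracts alongside the full exports: PowerShell provider starts - ID 600 -,
REM 4624 logons of type 10 RemoteInteractive, 7 Unlock and 3 Network, System events
REM including 7045 service installed and 104 log cleared, and Application events
REM including 1000 and 1001 crash reports.
wevtutil.exe qe "Windows PowerShell" /f:RenderedXml /e:PS /q:"*[*[(EventID=600)]]" > "%outputdir%\Event_Logs\PS.xml"
wevtutil.exe qe "Security" /f:RenderedXml /e:Type10 /q:"*[*[(EventID=4624)] and EventData[Data[@Name='LogonType']='10']]" > "%outputdir%\Event_Logs\Type10.xml"
wevtutil.exe qe "Security" /f:RenderedXml /e:Type7 /q:"*[*[(EventID=4624)] and EventData[Data[@Name='LogonType']='7']]" > "%outputdir%\Event_Logs\Type7.xml"
wevtutil.exe qe "Security" /f:RenderedXml /e:Type3 /q:"*[*[(EventID=4624)] and EventData[Data[@Name='LogonType']='3']]" > "%outputdir%\Event_Logs\Type3.xml"
wevtutil.exe qe "System" /f:RenderedXml /e:System /q:"*[System[(EventID=7035 or EventID=3005 or EventID=1116 or EventID=3004 or EventID=104 or EventID=7045)]]" > "%outputdir%\Event_Logs\System.xml"
wevtutil.exe qe "Application" /f:RenderedXml /e:Application /q:"*[Application[(EventID=1000 or EventID=1001 or EventID=1002 or EventID=257 or EventID=51 or EventID=400 or EventID=46)]]" > "%outputdir%\Event_Logs\Application.xml"
)
REM Exchange install root from the MSI install path; the value ends in a backslash, which
REM the globs below rely on. The variable now starts EMPTY on purpose: the old "NUL"
REM sentinel made IF EXIST succeed on every host, because NUL is a device name that exists
REM in every directory, so the whole ProxyLogon sweep ran against "NUL*.aspx" and
REM "NUL*.log" on machines without Exchange.
set "ExchangePath="
for /f "tokens=3*" %%b in ('reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup /v MsiInstallPath 2^>NUL') DO set "ExchangePath=%%b %%c"
if defined ExchangePath if exist "%ExchangePath%" (
REM +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
call :logme IoC ExchangeServer - "%ExchangePath%"
REM +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
MD "%outputdir%\ProxyLogon"
call :logme IoC ExchangeServer - ProxyLogon - .aspx files
REM Metadata and MD5 of every .aspx under the Exchange root and of everything under
REM inetpub\wwwroot, for web shell triage.
"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\ProxyLogon\ProxyLogon_Exch_aspx.csv' from '%ExchangePath%*.aspx'" >>"%outputdir%\_COLLECTION_LOG.TXT" 2>&1
"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO '%outputdir%\ProxyLogon\ProxyLogon_Inetpub_aspx.csv' from '%SystemDrive%\inetpub\wwwroot\*.*'" >>"%outputdir%\_COLLECTION_LOG.TXT" 2>&1
call :logme IoC ExchangeServer - ProxyLogon - Temporary ASP.Net Files
REM dir /s with a name that is not a directory under windir searches the tree for folders
REM of that name, which is how the per-framework Temporary ASP.NET Files folders are found.
REM "delims=" keeps a folder name intact even if it contains "@".
for /f "delims=" %%a in ('dir /s /b /a:d "%windir%\Temporary ASP.NET Files"') do (
"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO STDOUT from '%%a\*.*'" >>"%outputdir%\ProxyLogon\Temporary_ASP.NET_Files.csv" 2>&1
)
REM Review note: the temp folder was located through the ExchangeInstallPath environment
REM variable; the same install root is now taken from the registry-derived ExchangePath, so
REM a shell that lacks Exchange's environment no longer falls back to \temp on the current drive.
for /f "delims=" %%a in ('dir /s /b /a:d "%ExchangePath%temp"') do (
"%Store%Utils\LogParser.exe" -stats:OFF -oDQuotes:on -i:fs -o:csv -recurse:-1 -useLocalTime:OFF -preserveLastAccTime:ON "Select Path,HASHMD5_FILE(Path) AS Hash,Size,Attributes,CreationTime,LastAccessTime,LastWriteTime INTO STDOUT from '%%a\*.*'" >>"%outputdir%\ProxyLogon\Exchange_Temps.csv" 2>&1
)
call :logme IoC ExchangeServer - ProxyLogon - find Key IoCs in log files
REM Any Exchange log that contains one of the known ProxyLogon / web shell markers is copied
REM whole into the ProxyLogon folder. findstr /m prints only the matching file names.
for /f "delims=" %%a in ('findstr /m /s /i /c:"ServerInfo~" "%ExchangePath%*.log" 2^>NUL') do (
XCOPY.EXE /qyh "%%a" "%outputdir%\ProxyLogon" 1>NUL 2>NUL
)
for /f "delims=" %%a in ('findstr /m /s /i /c:"Set-OabVirtualDirectory" "%ExchangePath%*.log" 2^>NUL') do (
XCOPY.EXE /qyh "%%a" "%outputdir%\ProxyLogon" 1>NUL 2>NUL
)
for /f "delims=" %%a in ('findstr /m /s /i /c:"function Page_Load(){eval(" "%ExchangePath%*.log" 2^>NUL') do (
XCOPY.EXE /qyh "%%a" "%outputdir%\ProxyLogon" 1>NUL 2>NUL
)
for /f "delims=" %%a in ('findstr /m /s /i /c:"Download failed and temporary file" "%ExchangePath%*.log" 2^>NUL') do (
XCOPY.EXE /qyh "%%a" "%outputdir%\ProxyLogon" 1>NUL 2>NUL
)
)
REM +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
call :logme IoC Get_Files
REM +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
REM One "<subfolder> <path>" pair per line in Utils\Get_Files.txt beside this script; the
REM list used to be opened relative to the working directory. The remainder of the line is
REM split on whitespace, so a path containing spaces has to be quoted in the list.
for /f "usebackq tokens=1,2*" %%a in ("%Store%Utils\Get_Files.txt") do (
CALL :getfile %%a %%b %%c
)
REM +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
call :logme IoC check Complete -%ERRORLEVEL%-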
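:TheEnd
REM =====================================================================================
call :logme Collection finished for %COMPUTERNAME%
REM =====================================================================================
REM Create the ddf and add all files
REM The .ddf, and the CAB that makecab builds from it under .\FLAIR\, are written to the
REM current working directory - neither to the script location nor to outputdir.
REM NOTE(review): for a shortcut started with Run as administrator that directory is
REM typically System32; start FLAIR from the media's own directory instead.
REM =====================================================================================
call :logme Creating ddf
ECHO .OPTION EXPLICIT ; Generate errors >"%COMPUTERNAME%.ddf"
ECHO .Set DiskLabel1="F-Secure FLAIR" >>"%COMPUTERNAME%.ddf"
ECHO .Set CabinetNameTemplate="%outputfile%.cab" >>"%COMPUTERNAME%.ddf"
ECHO .Set RptFileName="%outputfile%.rpt" >>"%COMPUTERNAME%.ddf"
ECHO .Set InfFileName="%outputfile%.inf" >>"%COMPUTERNAME%.ddf"
ECHO .Set CompressionType="LZX" >>"%COMPUTERNAME%.ddf"
ECHO .Set UniqueFiles="ON" >>"%COMPUTERNAME%.ddf"
ECHO .Set Cabinet="ON" >>"%COMPUTERNAME%.ddf"
ECHO .Set CabinetFileCountThreshold=0 >>"%COMPUTERNAME%.ddf"
ECHO .Set FolderFileCountThreshold=0 >>"%COMPUTERNAME%.ddf"
ECHO .Set FolderSizeThreshold=0 >>"%COMPUTERNAME%.ddf"
ECHO .Set MaxCabinetSize=0 >>"%COMPUTERNAME%.ddf"
ECHO .Set MaxDiskFileCount=0 >>"%COMPUTERNAME%.ddf"
ECHO .Set MaxDiskSize=CDROM >>"%COMPUTERNAME%.ddf"
ECHO .set DestinationDir="%COMPUTERNAME%" >>"%COMPUTERNAME%.ddf"
ECHO .set DiskDirectoryTemplate="FLAIR" >>"%COMPUTERNAME%.ddf"
ECHO .new Folder >>"%COMPUTERNAME%.ddf"
REM The ddf lists itself; it is copied into outputdir below, before makecab reads the list.
ECHO "%outputdir%\%COMPUTERNAME%.ddf" >>"%COMPUTERNAME%.ddf"
REM =====================================================================================
REM Every collected file is listed in the ddf and digested into hashes.*. "delims=" keeps a
REM file name intact even when it contains "@", which the old "delims=@" cut off - names
REM of files copied by :getfile and the ProxyLogon sweep are not under this script's control.
REM The hashes.* lists are themselves in this directory and are digested while still being
REM appended to, so their own entries are snapshot values; verify the package by the CAB
REM digest printed at the end instead.
REM =====================================================================================
for /f "delims=" %%a in ('dir /a:-d /b "%outputdir%\*.*"') do (
ECHO "%outputdir%\%%a" >>"%COMPUTERNAME%.ddf"
call :hashit "%outputdir%\%%a"
)
REM =====================================================================================
REM Now add all the subfolders we have collected
REM =====================================================================================
for /f "delims=" %%z in ('dir /a:d /b "%outputdir%"') do (
ECHO Adding "%%z"
ECHO .set DestinationDir="%COMPUTERNAME%\%%z" >>"%COMPUTERNAME%.ddf"
ECHO .new Folder >>"%COMPUTERNAME%.ddf"
for /f "delims=" %%a in ('dir /a:-d /b "%outputdir%\%%z\*.*"') do (
ECHO "%outputdir%\%%z\%%a" >>"%COMPUTERNAME%.ddf"
call :hashit "%outputdir%\%%z\%%a"
)
)
copy "%COMPUTERNAME%.ddf" "%outputdir%"
REM =====================================================================================
REM Make the CAB
REM =====================================================================================
call :logme Starting Compression
makecab.exe /f "%COMPUTERNAME%.ddf"
call :logme Compression Complete -%ERRORLEVEL%-
REM =====================================================================================
REM Integrity of the package: print and store a digest of the finished CAB so the recipient
REM can check it was not altered in transit. The sidecar .hash file sits next to the CAB and
REM is not inside it. SHA256 needs the NT 6.0+ certutil; older builds produce SHA1 only.
REM =====================================================================================
set "cab_file=FLAIR\%outputfile%.cab"
set "cab_alg="
if %V_OS% GTR 52 set "cab_alg=SHA256"
if exist "%cab_file%" (
certutil -hashfile "%cab_file%" %cab_alg% > "%cab_file%.hash"
type "%cab_file%.hash"
)
REM =====================================================================================
REM Cleanup and make it obvious we are done
REM =====================================================================================
color e4
TITLE FLAIR ++ Please send "%outputfile%.cab" to F-Secure
ECHO.
ECHO.
dir /b /s *.cab
ECHO =====================================================================================
ECHO Please send the above file to F-Secure.
ECHO Record the digest shown above separately so the recipient can verify the CAB.
ECHO =====================================================================================
Echo This file contains contents of folder "%outputdir%"
ECHO.
GOTO :eof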
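:getfile
REM =====================================================================================
REM Copy one IoC file into a named subfolder of outputdir.
REM   argument 1 = subfolder name under outputdir
REM   argument 2 = source path
REM Both are taken with the ~ modifier so a path quoted in Get_Files.txt works: the old
REM "%2" form wrapped an already-quoted path in a second pair of quotes, IF EXIST then
REM failed and the copy was silently skipped.
REM Review note: the caller splits each list line on whitespace, so an UNQUOTED path that
REM contains spaces still arrives truncated in argument 2 - quote such paths in the list.
REM The old version fell through into :logme after a successful copy and relied on that
REM label following this one; the log line and the exit are now explicit.
REM =====================================================================================
if not exist "%~2" EXIT /B
if not exist "%outputdir%\%~1\" MD "%outputdir%\%~1\"
XCOPY.EXE /qyh "%~2" "%outputdir%\%~1\" >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
call :logme IoC Get_Files - %~1 - "%~2"
EXIT /B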
:logme
REM =====================================================================================
REM Progress line: mirrored into the window title, the console and _COLLECTION_LOG.TXT.
REM Arguments: the message, taken verbatim from all arguments. The time stamp is read
REM separately for the console line and for the log line, as before.
REM =====================================================================================
SETLOCAL
SET "l_msg=%*"
TITLE FLAIR ++ Please ignore any errors from this window - Processing %l_msg%
ECHO -- %time% : %l_msg%
ECHO -- %time% : %l_msg% >> "%outputdir%\_COLLECTION_LOG.TXT" 2>&1
ENDLOCAL
EXIT /B
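:hashit
REM =====================================================================================
REM Digest one collected file into outputdir\hashes.SHA1 and, when those lists were created
REM at start-up on NT 6.0+, into hashes.MD5 and hashes.SHA256 as well.
REM Argument: the quoted path of the file. Each list line is "<hex digest> <quoted path>".
REM Fixes versus the previous version: the token echo had "hi" where "h" "i" was meant and
REM so dropped the 9th byte of a space-separated digest; only 20 tokens were kept, which
REM truncated SHA256 on NT 6.x where certutil prints byte pairs; the redirect target lacked
REM its closing quote; and a stray "ELSE" on a line of its own raised a command-not-found
REM error on every call.
REM =====================================================================================
SETLOCAL
SET "h_fn=%*"
SET "h_ft=SHA1"
:hashit_loop
REM certutil before NT 6.0 takes no algorithm argument and always produces SHA1.
if %V_OS% GTR 52 (SET "h_alg=%h_ft%") ELSE (SET "h_alg=")
for /f "skip=1 tokens=*" %%a in ('certutil -hashfile %h_fn% %h_alg%') do call :hashit_emit "%%a"
if "%h_alg%" EQU "" GOTO :hashit_done
REM Chain SHA1, then MD5, then SHA256, each only if its list file exists.
if /I "%h_ft%" EQU "SHA1" if exist "%outputdir%\hashes.MD5" SET "h_ft=MD5"& GOTO :hashit_loop
if /I "%h_ft%" EQU "MD5" if exist "%outputdir%\hashes.SHA256" SET "h_ft=SHA256"& GOTO :hashit_loop
:hashit_done
ENDLOCAL
EXIT /b
:hashit_emit
REM One certutil output line, already past the "... hash of file" header: either the digest
REM itself - "ab cd ef ..." byte pairs on NT 6.x, one hex string on 10.0 - or a trailing
REM "CertUtil: ..." status line. The status line includes "command FAILED" when a file is
REM locked; it is skipped without a list entry, exactly as before.
SET "h_line=%~1"
if /I "%h_line:~0,9%" EQU "CertUtil:" EXIT /b
REM Remove the byte-pair separators so every OS version writes the same single hex string.
SET "h_line=%h_line: =%"
echo %h_line% %h_fn% >> "%outputdir%\hashes.%h_ft%"
EXIT /b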