search

DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1
388 stars 42 forks source link

Launch embed Script.ps1 alone or binary with configuration file #59

Closed juste-bob closed 2 years ago

juste-bob commented 2 years ago

Hello,

I'm trying to execute a wolflauncher command that will launch a single powershell scripts. I succeeded with binary but not with scripts. I would like to know if it is possible to add scripts to the tools embedded in DFIR-ORC?

Below is some wolflauncher configuration I tried:

<wolf>
[...]
        <command keyword="ScriptName" winver="6.0+">
            <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
            <argument>-NonInteractive -WindowStyle Hidden -NoProfile</argument>
            <argument>7z:#Tools|ScriptName.ps1 -server "127.0.0.1"</argument>
            <output  name="ScriptName_powershell.log" source="StdOutErr" />
        </command>
[...]
</wolf>

Or

<wolf>
[...]
        <command keyword="ScriptName">
            <execute name="ScriptName.ps1" run="7z:#Tools|ScriptName.ps1"/>
            <argument>-server "127.0.0.1"</argument>
            <output  name="ScriptName.log" source="StdOutErr" />
        </command>
[...]
</wolf>

And the part related to the embed.xml file :

<toolembed>
[...]
    <archive name="Tools" format="7z" compression="Ultra">
        [...]
        <file name="ScriptName.ps1" path=".\tools\ScriptName.ps1"/>
    </archive>
[...]
</toolembed>

When DFIR-ORC.exe is runing, the error obtained is: [E] Failed to CreateFile for '' [0x80070003: Le chemin d'accès spécifique est introuvable.] Did I miss something?

In addition to this, is it possible to add / link a configuration file to a tool embed? Or do I have to package the whole thing in a binary (and then embed it)?

I tried to declare the config file in differents ways:

<toolembed>
[...]
    <file name="Tool.config" path=".\%ORC_CONFIG_FOLDER%\tool.config" />
[...]
</toolembed>

with

<wolf>
[...]
        <command keyword="Tool">
            <execute name="Tool.exe" run="7z:#Tools|Tool.exe" />
            <argument>-a</argument>
            <argument>/config=res:#Tool.exe.config</argument>
            <output name="Tool.txt" source="StdOutErr" />
        </command>
[...]
</wolf>

Or,

<toolembed>
[...]
    <archive name="Tools" format="7z" compression="Ultra">
        [...]
        <file name="Tool.exe" path=".\tools\Tool.exe"/>
        <file name="Tool.exe" path=".\tools\Tool.exe.config"/>
    </archive>
[...]
</toolembed>

with,

<wolf>
[...]
        <command keyword="Tool">
            <execute name="Tool.exe" run="7z:#Tools|Tool.exe" />
            <argument>-a</argument>
            <argument>7z:#Tools|Tool.exe.config</argument>
            <output name="Tool.txt" source="StdOutErr" />
        </command>
[...]
</wolf>

I got issues during the configuration or the following error during runtime: [E] Failed to CreateFile for '' [0x80070003: Le chemin d'accès spécifique est introuvable.]

sc-anssi commented 2 years ago

Hi ! You were almost there, you were missing the input element: https://dfir-orc.github.io/wolf_config.html#input-element

Try something like this:

process.ps1

param([String]$ProcessName)
Get-Process -Name $ProcessName | ConvertTo-Csv -NoTypeInformation

embed.xml

    <file name="process_ps1" path=".\%ORC_CONFIG_FOLDER%\process.ps1" />

config.xml

        <command keyword="Process" winver="6.0+" >
            <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
            <argument>-NonInteractive -WindowStyle Hidden -NoProfile</argument>
            <input name="process.ps1" source="res:#process_ps1" argument="{FileName}" />
            <output  name="process.csv" source="StdOut" />
            <output  name="process.log" source="StdOutErr" />
        </command>