diogo-fernan / ir-rescue

A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

Simple method for downloading Sysinternals tools and saving to respective directories #5

Closed tinyapps closed 2 years ago

tinyapps commented 6 years ago

Hi Diogo,

Thanks very much for crafting and sharing your IR script.

Here's a simple way for users to download the required Sysinternals tools directly from Microsoft and save them to their respective directories. Since we're using relative paths in the destination directories, we'll need to cd into ir-rescue-master\win before running the script.

if exist "%PROGRAMFILES(X86)%" (
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/accesschk64.exe %CD%\tools-win\sys\accesschk64.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/Autoruns64.exe %CD%\tools-win\mal\Autoruns64.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/autorunsc64.exe %CD%\tools-win\mal\autorunsc64.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/ntfsinfo64.exe %CD%\tools-win\fs\ntfsinfo64.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/psloglist.exe %CD%\tools-win\evt\psloglist.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/psfile64.exe %CD%\tools-win\net\psfile64.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsGetsid64.exe %CD%\tools-win\sys\PsGetsid64.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsInfo64.exe %CD%\tools-win\sys\PsInfo64.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/logonsessions64.exe %CD%\tools-win\sys\logonsessions64.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsLoggedon64.exe %CD%\tools-win\sys\PsLoggedon64.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/sdelete64.exe %CD%\tools-win\sdelete64.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/tcpvcon.exe %CD%\tools-win\net\tcpvcon.exe
) else (
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/accesschk.exe %CD%\tools-win\sys\accesschk.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/Autoruns.exe %CD%\tools-win\mal\Autoruns.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/autorunsc.exe %CD%\tools-win\mal\autorunsc.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/ntfsinfo.exe %CD%\tools-win\fs\ntfsinfo.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/psloglist.exe %CD%\tools-win\evt\psloglist.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/psfile.exe %CD%\tools-win\net\psfile.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsGetsid.exe %CD%\tools-win\sys\PsGetsid.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsInfo.exe %CD%\tools-win\sys\PsInfo.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/logonsessions.exe %CD%\tools-win\sys\logonsessions.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/PsLoggedon.exe %CD%\tools-win\sys\PsLoggedon.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/sdelete.exe %CD%\tools-win\sdelete.exe
    bitsadmin /transfer /download /priority foreground https://live.sysinternals.com/tcpvcon.exe %CD%\tools-win\net\tcpvcon.exe
)

Aloha,

Miles

sharpie2018 commented 6 years ago

Hi, I'm trying to run this in PowerShell ISE as admin. I get multiple errors like Missing ( and unexpected token ). I don't know if those are accurate or if the errors are being caused by something else. Thanks.

sharpie2018 commented 6 years ago

Hi, actually if I add {} it only gives me 1 error where it doesn't recognize the word 'exist'. Is that a module I need to download? Thanks

tinyapps commented 6 years ago

Hi sharpie2018, try saving the commands to a batch script and running that. Aloha, Miles

sharpie2018 commented 6 years ago

Yes, I tried that. I'm getting errors saying that bitsadmin is deprecated. Thank you.

tinyapps commented 6 years ago

Just tested as a batch script (which executes under cmd.exe as usual) under Windows 10, version 1803 - working fine.

sharpie2018 commented 6 years ago

I added a pause to your script to see the errors before it closes. And now they all say Unable to add file - 0x8007010b. Do you know what could be the problem?

sharpie2018 commented 6 years ago

And they say The directory name is invalid.

sharpie2018 commented 6 years ago

Ah, maybe it's just the path. I have to check it for my computer.

sharpie2018 commented 6 years ago

Yes, it was my path. I fixed it and it downloaded the tools. Thanks!
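The download list from the first comment, rewritten as an added PowerShell example (not code from the ir-rescue project or from the commenters) so it can be run from the PowerShell ISE the thread mentions: it creates the tools-win subfolders before downloading, which avoids the "directory name is invalid" failure reported above, and verifies each binary's Authenticode signature before keeping it. It assumes the ir-rescue-master\win layout from the batch snippet and uses the OS bitness check in place of the %PROGRAMFILES(X86)% test.

```powershell
# Added example, not part of ir-rescue. Uses Invoke-WebRequest instead of the
# deprecated bitsadmin, creates missing folders (the source of the 0x8007010b /
# "directory name is invalid" errors in this thread) and checks signatures.
param(
    # Assumption: run from ir-rescue-master\win, or pass the folder explicitly.
    [string]$WinDir = (Get-Location).Path
)

$base = 'https://live.sysinternals.com'
# Tool name -> subfolder under tools-win, mirroring the batch snippet above.
# sdelete has no subfolder in that snippet, so its value is an empty string.
$tools = @{
    'accesschk'  = 'sys'; 'Autoruns'   = 'mal'; 'autorunsc'     = 'mal'
    'ntfsinfo'   = 'fs';  'psloglist'  = 'evt'; 'psfile'        = 'net'
    'PsGetsid'   = 'sys'; 'PsInfo'     = 'sys'; 'logonsessions' = 'sys'
    'PsLoggedon' = 'sys'; 'sdelete'    = '';    'tcpvcon'       = 'net'
}
# These two are fetched without a 64 suffix in the batch snippet.
$noSixtyFour = @('psloglist', 'tcpvcon')
$suffix = if ([Environment]::Is64BitOperatingSystem) { '64' } else { '' }

foreach ($name in $tools.Keys) {
    $file = if ($noSixtyFour -contains $name) { "$name.exe" } else { "$name$suffix.exe" }
    $dir  = Join-Path (Join-Path $WinDir 'tools-win') $tools[$name]
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    $dest = Join-Path $dir $file
    Invoke-WebRequest -Uri "$base/$file" -OutFile $dest -UseBasicParsing

    # Only keep binaries that carry a valid Microsoft Authenticode signature;
    # a tampered or truncated download is deleted rather than run on the host.
    $sig = Get-AuthenticodeSignature -FilePath $dest
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Remove-Item -LiteralPath $dest
        Write-Warning "$file failed signature check ($($sig.Status)); removed"
    } else {
        Write-Host "OK  $dest"
    }
}
```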