PowerShell – Page 6 – Baker Street Forensics

AXIOM, YARA, GitHub – Oh My!

Version 6 of Magnet Axiom added support for YARA rules. By default the installation ships with the free Open-Source YARA rules from Reversing Labs. These YARA rules may be updated within Axiom periodically. In addition to the included rules, AXIOM supports adding your own YARA source folders.

If you need to update the included rules on demand, you can do so with a PowerShell script and the GitHub CLI. The script below can be used to update the included rules, as well as other YARA sources you may be using within Axiom.

Prerequisites:

Prior to running the script you’ll need to install GitHub CLI
Once installed run gh auth login to establish authentication with GitHub
When running the script you will need to run as an Administrator in order for the file-copy to ~\ProgramFiles to be successful

Set the working directory to the local git repository for the YARA rules

Set-Location C:\GitHub\reversinglabs-yara-rules\

Sync the repository; requires github CLI https://cli.github.com/

gh repo sync

Create local archive directory

mkdir C:\Archives -Force

Backup the existing YARA rules in Axiom

Get-ChildItem -Path "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA" | Compress-Archive -DestinationPath C:\Archives\AxiomYARA.zip

Variable for date/time

$timestamp = Get-Date -Format o | ForEach-Object { $_ -replace ":", "." }

Set the working directory to the Archives location

Set-Location "C:\Archives"

Rename the archive with timestamp

Get-ChildItem -Filter 'AxiomYARA' -Recurse | Rename-Item -NewName {$_.name -replace 'AxiomYARA', $timestamp }

Copy new YARA rules to Axiom

robocopy /s C:\GitHub\reversinglabs-yara-rules\yara "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA\ReversingLabs"

Now let’s run it all together in a single script:

Set-Location C:\GitHub\reversinglabs-yara-rules\ gh repo sync mkdir C:\Archives -Force Get-ChildItem -Path "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA" | Compress-Archive -DestinationPath C:\Archives\AxiomYARA.zip $timestamp = Get-Date -Format o | ForEach-Object { $_ -replace ":", "." } Set-Location "C:\Archives" Get-ChildItem -Filter 'AxiomYARA' -Recurse | Rename-Item -NewName {$_.name -replace 'AxiomYARA', $timestamp } robocopy /s C:\GitHub\reversinglabs-yara-rules\yara "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA\ReversingLabs"

That’s all there is to it. If you’ve got multiple repositories to sync, just add lines to cd (Set-Location) into those directories and repeat the gh repo sync command.

Feel free to copy the code above, or you can download directly from my GitHub.

Are you utilizing YARA rules within AXIOM? If so, leave a comment on what are some that you’ve found useful.

CSIRT-Collect Summit Edition

DFIR, PowerShell, Presentations, RAM, USB

Just in time for the 2022 Magnet User Summit and my presentation on FREE Tools for DFIR Triage Collections, an updated release (v3.1) of CSIRT-Collect. Special thanks to Kevin Pagano for contributing.

You can register for my talk Free Tools for DFIR Triage Collections here.

QuickPcap – Capturing a PCAP with PowerShell

DFIR, PowerShell

Earlier today I was asked for a ‘quick and easy’ PowerShell to grab a packet capture on a Windows box. I didn’t have anything on hand so I set off to the Google and returned with the necessary ingredients.

The star of the show is netsh trace, which is built into Windows. If we wanted to capture for 90 seconds, start the trace, wait 90 seconds, and stop it the syntax would be:

netsh trace start capture=yes IPv4.Address=192.168.1.167 tracefile=c:\temp\capture.etl
Start-Sleep 90
netsh trace stop

Note there are 3 lines (the first may wrap depending on windows size)

Like Wireshark, you need to specify what interface you want to capture traffic from. In the example above 192.168.1.167 is the active interface I want to capture. But what if I want to use this for automation and won’t know in advance what the active IP address will be?

We can grab the local IPv4 address and save it as a variable.

#Get the local IPv4 address
$env:HostIP = (
    Get-NetIPConfiguration |
    Where-Object {
        $_.IPv4DefaultGateway -ne $null -and
        $_.NetAdapter.Status -ne "Disconnected"
    }
).IPv4Address.IPAddress

Now putting the two together:

$env:HostIP = (
    Get-NetIPConfiguration |
    Where-Object {
        $_.IPv4DefaultGateway -ne $null -and
        $_.NetAdapter.Status -ne "Disconnected"
    }
).IPv4Address.IPAddress
netsh trace start capture=yes IPv4.Address=$env:HostIP tracefile=c:\temp\capture.etl
Start-Sleep 90
netsh trace stop

Perfect. Automated packet capture without having to install Wireshark on the host. The only item you should need to adjust will be the capture (sleep) timer.

But wait, the request was for a pcap file. Not a .etl. Lucky for us there’s an easy conversion utility etl2pcapng. Execution is as simple as giving the exe the source and destination files.

./etl2pcapng.exe c:\temp\capture.etl c:\temp\capture.pcap

That’s it. We’re now able to collect a packet capture on Windows hosts without adding any additional tools. We can then take those collections and convert them with ease to everyone’s favorite packet analyzer.

I’ve combined everything above into QuickPcap.ps1 available on my GitHub site.

In this case the capture and conversion are running as one contiguous process, but it’s easy to imagine them as separate automation elements being handled through scripting by different processes. After all, we all build our Lego’s differently, don’t we?

Post-update

Since this continues to be one of the most searched for topics, be sure to check out detonaRE, a malware detonation and capture utility that uses the same pcap functionality.

detonaRE initiates packet capture and process monitor, detonates the malware, ends pcap collection, completes evidence capture with Magnet RESPONSE. PCAP, Zip, and CSV outputs.

blog: https://bakerstreetforensics.com/2023…

GitHub: https://github.com/dwmetz/detonaRE

Using WSL Profiles for Frequent Applications

DFIR, PowerShell

Windows Subsystem for Linux (WSL) adds a lot of capability and convenience for running DFIR applications on a Windows host. Previously I wrote about how to add a SIFT/REMnux Ubuntu distribution to WSL.

Another tip I’d like to share with you is setting up separate profiles for frequently used applications.

Volatility is one of the applications I’m in frequently, whether for work or lab(work). Sure, I can open a command window and then navigate to the appropriate application path; but why not make it a one-click option.

To begin, open Windows Terminal, and go to the Settings menu.

On the bottom left choose select ‘Add a new profile.’

PowerShell (Core) is my default shell environment. I’ll select this as the profile to duplicate.

After you hit ‘Duplicate’ you’ll be presented with a copy of the profile.

Update the Name and Starting directory to reflect the application path.

You can customize the Icon and Tab title. Under the Appearance tab you can assign a custom background for the WSL profile. Be sure to click Save when you’ve made your changes.

Now when I want to open a Volatility session, it’s right there on the drop down in WSL.

If you have WSL parked on the Taskbar, you can select the new profile (or any other profile) with a right-click.

If you want to have your WSL instances in separate windows, versus the default tabbed layout, right clicking from the taskbar will open the selected session in a new window.