Thursday, January 6, 2022

Windows file operations during IR (Incident Response)

(Just for my references)

Sort files by date

dir *.* /s /O:D > c:\temp\filelist.txt

/O:D sorts by date/time with the oldest first; /O:-D reverses the order so the newest files are listed first.

 

Show file ownership

dir *.exe /ah /q

/q adds the owner column. Note that /ah restricts the listing to files with the hidden attribute; drop /ah (or use /a to include hidden and system files as well) if you want the owner of every *.exe.

 

Search file using Where command:

WHERE /R c:\windows *.exe *.dll *.bat

 

File Property

PowerShell:

Get-ItemProperty -Path .\test.exe | Format-List -Property * -Force
Get-Item .\test.exe | Select-Object -Property *
Get-Acl .\test.exe | Select-Object -Property *

 

Search files with modified day

Command line: (files modified since 2021-12-21)

forfiles.exe /D +2021-12-21 /S /C "cmd.exe /c IF @isdir==FALSE dir /q @file"

/D +date matches files last modified on or after that date, /S recurses into subfolders, @isdir==FALSE skips folders, and dir /q adds the owner column. If you get "ERROR: Invalid date specified.", the expected date format depends on the machine's regional settings: run FORFILES /? to see the format it wants.

 

PowerShell: (new files since 10 days ago)

$time = (Get-Date).AddDays(-10)

Get-ChildItem c:\windows -Recurse | Where-Object {$_.LastWriteTime -gt $time}

 

Get file hash

Command line: certutil.exe -hashfile c:\test.exe sha256

PowerShell: Get-FileHash c:\test.exe | Format-List
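An added example (not from the original post) that ties the date filter, ownership lookup and hash commands above into one PowerShell triage function; the function name Get-RecentFileTriage and its parameters (-Root, -SinceDays, -OutCsv) are my own, as are the paths in the usage line.

```powershell
# Added example: one-pass listing of recently modified files with owner and SHA256.
# Function and parameter names are assumptions, not from the original notes.
function Get-RecentFileTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [int] $SinceDays = 10,
        [string] $OutCsv
    )

    $since = (Get-Date).AddDays(-$SinceDays)

    # -Force includes hidden and system files, -File skips directories and
    # -ErrorAction SilentlyContinue skips paths the current account cannot read.
    $files = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since -or $_.CreationTime -gt $since }

    $rows = foreach ($f in $files) {
        # Owner comes from the ACL; hashing can fail on locked files, so record
        # 'n/a' for that file rather than aborting the whole sweep.
        $owner = 'n/a'
        $hash  = 'n/a'
        try { $owner = (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Owner } catch {}
        try { $hash  = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash } catch {}

        [PSCustomObject]@{
            Path              = $f.FullName
            SizeBytes         = $f.Length
            CreationTime      = $f.CreationTime
            LastWriteTime     = $f.LastWriteTime
            Attributes        = $f.Attributes.ToString()
            Owner             = $owner
            SHA256            = $hash
            # Creation later than last write deserves a second look; copied files
            # look like this too, so treat it as a hint, not proof of tampering.
            CreatedAfterWrite = ($f.CreationTime -gt $f.LastWriteTime)
        }
    }

    if ($OutCsv) { $rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation }
    $rows
}

# Usage (assumed paths): last 10 days under C:\Windows, newest first, with a CSV copy for the case file
Get-RecentFileTriage -Root 'C:\Windows' -SinceDays 10 -OutCsv 'C:\temp\triage.csv' |
    Sort-Object LastWriteTime -Descending | Format-Table Path, LastWriteTime, Owner, SHA256 -AutoSize
```

Run it from an elevated prompt so the ACL and hash lookups succeed on protected locations; the CSV keeps the timestamps and hashes for later comparison.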

 

Delete file / folder

The commands below delete all *.txt files under c:\temp and its subfolders that are older than 10 days. Save them as a .bat file and run it (drop /S from the forfiles line if you only want the top-level folder):

Set "Target=c:\temp\"
Set "daysold=10"
If Exist "%Target%" (
  rem Only needed when the delete is denied because another account owns the files:
  rem ECHO Y| Icacls %Target% /T /C /grant Administrators:F
  rem /S recurses into subfolders; /d -%daysold% matches files last modified at least %daysold% days ago
  "forfiles.exe" /p "%Target%" /S /M *.txt /d -%daysold% /c "cmd /c if @isdir==FALSE del @file /q"
)


The commands below delete the folders inside C:\temp\$Recycle.Bin that are older than 10 days. Save them as a .bat file and run it:

Set "Target=C:\temp\$Recycle.Bin"
Set "daysold=10"
If Exist "%Target%" (
  rem @isdir==TRUE limits the action to folders; @Path is the full path, so RD works whatever the current directory is
  "forfiles.exe" /p "%Target%" /d -%daysold% /c "cmd.exe /c IF @isdir==TRUE RD @Path /S /Q"
)


Another example, this time walking the whole drive:

Rem If starting from the drive root use c:\\ ; "c:\" does not work because the backslash before the closing quote is read as an escape and breaks the /p argument
Set "Target=c:\\"
If Exist "%Target%" (
  rem Strip the system and hidden attributes first, then remove the folder. Note that /S from the drive root also matches the drive's own C:\$Recycle.Bin.
  "forfiles.exe" /p "%Target%" /S /M $Recycle.Bin /c "cmd /c attrib @file -S -H +A"
  "forfiles.exe" /p "%Target%" /S /M $Recycle.Bin /c "cmd /c rmdir @file /s /q"
)


The PowerShell commands below delete all files under c:\temp and its subfolders that are older than 10 days. This one is PowerShell, not batch, so save it as a .ps1 file and run it from a PowerShell prompt:

$DateToDelete = 10
$StartFolder = "c:\temp"
# -Force includes hidden files, -ea 0 (SilentlyContinue) skips unreadable paths, and !$_.PsIsContainer keeps only files.
# Add -WhatIf to the final rmdir (Remove-Item) to preview what would be deleted before running it for real.
dir $StartFolder -Recurse -Force -ea 0 | ?{ !$_.PsIsContainer -and $_.LastWriteTime -lt (Get-Date).AddDays(-$DateToDelete) } | rmdir -Force
