
Thursday, January 6, 2022

Windows File operation during IR

Windows file operations during IR (Incident Response)

(Just for my own reference)

Sort files by date

dir *.* /s /O:D > c:\temp\filelist.txt

dir /O:-D sorts the other way, newest first

Show file ownership

dir *.exe /ah /q

(/q adds the owner column; /ah limits the listing to hidden files, so drop it to see every *.exe)

Search for files with the where command:

WHERE /R c:\windows *.exe *.dll *.bat

File properties

PowerShell:

Get-ItemProperty -Path .\test.exe | Format-List -Property * -Force

Get-Item .\test.exe | Select-Object -Property *

Get-Acl .\test.exe | Select-Object -Property *

Search for files by modification date

Command line: (files modified since 2021-12-21)

forfiles.exe /D +2021-12-21 /S /C "cmd.exe /c IF @isdir==FALSE dir /q @file"

If you get "ERROR: Invalid date specified.", run FORFILES /? to find out the date format it expects on your system.

PowerShell: (files modified in the last 10 days)

$time = (Get-Date).AddDays(-10)
Get-ChildItem c:\windows -Recurse | Where-Object { $_.LastWriteTime -gt $time }

Get file hash

Command line: certutil.exe -hashfile c:\test.exe sha256

PowerShell: Get-FileHash c:\test.exe | Format-List
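Added here as a worked example (not from the original post), the PowerShell script below combines the modification-date filter, the owner lookup and the SHA256 hash above into a single triage pass that writes a CSV; the root folder, cutoff and output path are assumptions to change for the case at hand.

```powershell
# Added example, not from the original post. Lists files changed since a cutoff
# under a folder, with owner, size, timestamps and SHA256, and exports a CSV.
# $Root, $Since and $OutCsv are assumptions; adjust them for the case.
param(
    [string]$Root     = 'C:\Windows\Temp',
    [datetime]$Since  = (Get-Date).AddDays(-10),
    [string]$OutCsv   = 'C:\temp\recent-files.csv'   # folder must already exist
)

function Get-RecentFileTriage {
    param([string]$Path, [datetime]$Since)

    # -Force includes hidden/system files; errors on unreadable folders are skipped
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            # Owner and hash can fail on locked or access-denied files; record 'n/a' instead of stopping
            $owner = try { (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { 'n/a' }
            $hash  = try { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash } catch { 'n/a' }

            [pscustomobject]@{
                FullName          = $_.FullName
                SizeBytes         = $_.Length
                CreationTime      = $_.CreationTime
                LastWriteTime     = $_.LastWriteTime
                Owner             = $owner
                SHA256            = $hash
                # Creation newer than last write usually means the file was copied in;
                # it is also what timestomped files tend to look like, so worth a second look.
                CreatedAfterWrite = $_.CreationTime -gt $_.LastWriteTime
            }
        }
}

$results = Get-RecentFileTriage -Path $Root -Since $Since
$results | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
$results | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
```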

 

Delete files / folders

The commands below delete all *.txt files older than 10 days under c:\temp and its subfolders. Save them as a .bat file and run it:

rem No trailing backslash on Target: forfiles rejects a quoted path that ends in a backslash
Set "Target=c:\temp"
Set "daysold=10"
If Exist "%Target%" (
 rem ECHO Y| Icacls %Target% /T /C /grant Administrators:F
 rem /S recurses into subfolders, @isdir==FALSE skips any directory that matches the mask
 "forfiles.exe" /p "%Target%" /S /M *.txt /d -%daysold% /c "cmd /c if @isdir==FALSE del @file /q"
)

The commands below delete every folder inside C:\temp\$Recycle.Bin that is older than 10 days. Save them as a .bat file and run it:

Set "Target=C:\temp\$Recycle.Bin"
Set "daysold=10"
If Exist "%Target%" (
 "forfiles.exe" /p "%Target%" /d -%daysold% /c "cmd.exe /c IF @isdir==TRUE RD @Path /S /Q"
)

Another example, which strips the system and hidden attributes from every $Recycle.Bin folder found under c:\ and then removes it:

Rem if starting from c:\, use c:\\, "c:\" doesn't seem to work
Set "Target=c:\\"
If Exist "%Target%" (
 "forfiles.exe" /p "%Target%" /S /M $Recycle.Bin /c "cmd /c attrib @file -S -H +A"
 "forfiles.exe" /p "%Target%" /S /M $Recycle.Bin /c "cmd /c rmdir @file /s /q"
)

PowerShell: the commands below delete all files older than 10 days under c:\temp and its subfolders. Save them as a .ps1 file and run it:

$DateToDelete = 10
$StartFolder = "c:\temp"
Get-ChildItem $StartFolder -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { !$_.PsIsContainer -and $_.LastWriteTime -lt (Get-Date).AddDays(-$DateToDelete) } |
    Remove-Item -Force