diff --git a/setup/start_sandbox.ps1 b/setup/start_sandbox.ps1
index eea5bc7..a62f9e3 100644
--- a/setup/start_sandbox.ps1
+++ b/setup/start_sandbox.ps1
@@ -359,6 +359,9 @@ Remove-Item C:\Users\WDAGUtilityAccount\Desktop\PdfStreamDumper.exe.lnk
 mkdir "$HOME\Desktop\dfirws\Browsers"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Browsers\hindsight.lnk" -DestinationPath "C:\Tools\bin\hindsight_gui.exe"
 mkdir "$HOME\Desktop\dfirws\Cobalt Strike"
+mkdir "$HOME\Desktop\dfirws\Database"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Database\SQLECmd.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop" -Iconlocation "C:\Tools\Zimmerman\SQLECmd\SQLECmd.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Database\sqlite3.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop" -Iconlocation "C:\Tools\sqlite\sqlite3.exe"
 mkdir "$HOME\Desktop\dfirws\Debuggers"
 if ($WSDFIR_X64DBG -eq "Yes") {
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Debuggers\x32dbg.lnk" -DestinationPath "$env:ProgramFiles\x64dbg\release\x32\x32dbg.exe"
@@ -366,6 +369,8 @@ if ($WSDFIR_X64DBG -eq "Yes") {
 }
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Debuggers\dnSpy32.lnk" -DestinationPath "C:\Tools\dnSpy32\dnSpy.exe"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Debuggers\dnSpy64.lnk" -DestinationPath "C:\Tools\dnSpy64\dnSpy.exe"
+# C:\Tools\DidierStevens
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Debuggers\DidierStevens.lnk" -DestinationPath "C:\Tools\DidierStevens"
 mkdir "$HOME\Desktop\dfirws\Editors"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Editors\Bytecode Viewer.lnk" -DestinationPath "C:\Tools\bin\bcv.bat"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Editors\HxD.lnk" -DestinationPath "$env:ProgramFiles\HxD\HxD.exe"
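Review bot: The two new Database shortcuts (SQLECmd.lnk, sqlite3.lnk) target powershell.exe with `-WorkingDirectory "$HOME\Desktop"`, and the tool binaries appear only in `-Iconlocation`, so each shortcut opens a generic PowerShell prompt and silently relies on `C:\Tools\Zimmerman\SQLECmd` and `C:\Tools\sqlite` already being on the sandbox PATH, which nothing in this hunk establishes. That follows the existing binlex/chainsaw pattern, but now the icon hard-codes the install location while the launch does not, so a moved or missing tool yields a shortcut with a broken icon and no hint of what to run. Unlike the x32dbg shortcut, which is gated on `$WSDFIR_X64DBG`, these are created unconditionally; if the Zimmerman or sqlite installs are optional, gate them the same way. A comment above the block such as `# Launcher shortcuts: open a PowerShell prompt on the Desktop; SQLECmd.exe / sqlite3.exe must be on PATH` would make the dependency explicit.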
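Review bot: The added comment `# C:\Tools\DidierStevens` only repeats the `-DestinationPath` on the next line and tells a reader nothing the code does not; replace it with a comment that says what the link is for, e.g. `# Folder shortcut to the Didier Stevens tool collection`, or drop it. The target is a directory placed under the `Debuggers` group; if that directory holds analysis scripts rather than a debugger, someone scanning the Desktop layout will look for it in the wrong place, and the `Utilities` group the script creates further down may be a better fit. I cannot see the directory contents from the hunk, so the grouping is a question rather than a defect.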
@@ -382,17 +387,22 @@ mkdir "$HOME\Desktop\dfirws\Extraction"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Extraction\bulk_extractor.lnk" -DestinationPath "C:\Tools\bulk_extractor\win64\bulk_extractor.exe"
 mkdir "$HOME\Desktop\dfirws\File"
 Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\File\binlex.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\File\densityscout.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\File\Detect It Easy.lnk" -DestinationPath "C:\Tools\die\die.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\File\trid.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+mkdir "$HOME\Desktop\dfirws\Go"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Go\GoReSym.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 mkdir "$HOME\Desktop\dfirws\Java"
 if (($WSDFIR_JAVA -eq "Yes") -and ($WSDFIR_JAVA_JAVA -eq "Yes")) {
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Java\jadx-gui.lnk" -DestinationPath "$env:ProgramFiles\jadx\bin\jadx-gui.bat"
 }
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Java\jd-gui.lnk" -DestinationPath "C:Tools\jd-gui\jd-gui.exe"
 mkdir "$HOME\Desktop\dfirws\Network"
-Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Network\Fakenet.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "C:\Tools\fakenet" -Iconlocation C:\Tools\fakenet\fakenet.exe
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Network\Fakenet.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "C:\Tools\fakenet" -Iconlocation "C:\Tools\fakenet\fakenet.exe"
 mkdir "$HOME\Desktop\dfirws\Log"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Log\chainsaw.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Log\FullEventLogView.lnk" -DestinationPath "C:\Tools\FullEventLogView\FullEventLogView.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Log\hayabusa.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 mkdir "$HOME\Desktop\dfirws\Office"
 mkdir "$HOME\Desktop\dfirws\PDF"
 if ($WSDFIR_PDFSTREAM -eq "Yes") {
@@ -408,7 +418,11 @@ mkdir "$HOME\Desktop\dfirws\Reverse Engineering"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\Cutter.lnk" -DestinationPath "C:\Tools\cutter\cutter.exe"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Reverse Engineering\ghidraRun.lnk" -DestinationPath "C:\Tools\ghidra\ghidraRun.bat"
 mkdir "$HOME\Desktop\dfirws\Shellcode"
-mkdir "$HOME\Desktop\dfirws\Unpacking"
+# "$HOME\Desktop\dfirws\Sysinternals"
+Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\Sysinternals.lnk" -DestinationPath "C:\Tools\sysinternals"
+mkdir "$HOME\Desktop\dfirws\Unpack"
+Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\Unpack\upx.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
+Add-shortcut -SourceLnk "$HOME\Desktop\dfirws\Unpack\zstd.lnk" -DestinationPath "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -WorkingDirectory "$HOME\Desktop"
 mkdir "$HOME\Desktop\dfirws\Utilities"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Utilities\bash.lnk" -DestinationPath "$env:ProgramFiles\Git\bin\bash.exe" -WorkingDirectory "$HOME\Desktop"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Utilities\cmder.lnk" -DestinationPath "$env:ProgramFiles\cmder\cmder.exe" -WorkingDirectory "$HOME\Desktop"
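Review bot: The hunk mixes `Add-shortcut` (densityscout) with `Add-Shortcut` (trid, GoReSym, hayabusa) for the same function; PowerShell resolves both, but the lowercase spelling reads like a different command next to the rest of the file, so use one casing. The four new entries all launch a bare powershell.exe in `$HOME\Desktop` without naming the tool anywhere (the Database shortcuts in the earlier hunk at least carry `-Iconlocation`), so whether densityscout, trid, GoReSym and hayabusa resolve depends on PATH setup that is not visible here; a one-line comment above the `File` group, `# PowerShell-launcher shortcuts: the named tool must be on the sandbox PATH`, would spare the next maintainer the search. While here, the unchanged jd-gui line targets `"C:Tools\jd-gui\jd-gui.exe"`, which is missing the backslash after the drive letter and is not fixed by this commit.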
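Review bot: The comment `# "$HOME\Desktop\dfirws\Sysinternals"` reads like a commented-out mkdir and implies a Sysinternals folder under dfirws, but the line below creates `Sysinternals.lnk` at the top level of dfirws pointing at the `C:\Tools\sysinternals` directory; reword it to say that, e.g. `# Top-level folder shortcut to C:\Tools\sysinternals (no dfirws\Sysinternals directory is created)`. The `Unpacking` folder is renamed to `Unpack` in the same hunk; if anything elsewhere in the script or in the tool downloads still refers to `dfirws\Unpacking`, that path now breaks, and the rest of the file is not visible here to confirm. The three new `Add-shortcut` calls use lowercase `shortcut` while the neighbouring bash/cmder lines use `Add-Shortcut`; pick one spelling.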
@@ -418,6 +432,10 @@ Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Utilities\floss.lnk" -DestinationP
 mkdir "$HOME\Desktop\dfirws\Windows"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Windows\Jumplist-Browser.lnk" -DestinationPath "C:\Tools\bin\JumplistBrowser.exe"
 Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Windows\Prefetch-Browser.lnk" -DestinationPath "C:\Tools\bin\PrefetchBrowser.exe"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Windows\Thumbcache Viewer.lnk" -DestinationPath "C:\Tools\thumbcacheviewer\thumbcache_viewer.exe"
+# "$HOME\Desktop\dfirws\Zimmerman"
+Add-Shortcut -SourceLnk "$HOME\Desktop\dfirws\Zimmerman.lnk" -DestinationPath "C:\Tools\Zimmerman"
+
 Start-Transcript -Append "$TEMP\dfirws_log.txt"
 & "$env:ProgramFiles\7-Zip\7z.exe" x -pinfected "C:\downloads\signature.7z" -o"$env:ProgramFiles\loki"