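<#
Meta
    Date:    2022 January 7th
    Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf)
    Company: Huntress Labs
Purpose:
    Automate collecting Windows Registry hives, including related .DATs for all users.
Notes:
    Will trigger AV as it's technically credential dumping.
    Also relies on having internet access, to wget TSCopy.
    The resulting ZIP holds the SAM and SECURITY hives and is written unencrypted
    to the current user's Desktop, so treat and transfer it as credential material.
Flow:
    admin_check -> Collect_via_Reg -> Collect_via_TSCopy -> Zip_Collected
#>

# Staging directory for everything collected; every function below reads it.
$CollectionRoot = 'C:\ir'

# Raw-copy tool used to read hives that Windows keeps locked while running.
$TScopyUrl  = 'https://github.com/trustedsec/tscopy/raw/master/dist/TScopy_x64.exe'
$TScopyPath = Join-Path $CollectionRoot 'TScopy_x64.exe'

# Optional integrity check for the executable this script downloads and then
# runs as Administrator. Set to the known-good SHA-256 (hex) of TScopy_x64.exe,
# e.g. '<PLACEHOLDER-SHA256-FROM-RELEASE-PAGE>'. While empty the binary is still
# run, but a warning is printed so the gap is visible.
$ExpectedTScopySha256 = ''

#######################################
# Abort unless the session is elevated; otherwise start the collection chain.
# Outputs: a warning on stderr when not elevated.
#######################################
function admin_check {
    $principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminRole = [Security.Principal.WindowsBuiltInRole] "Administrator"

    if (-not $principal.IsInRole($adminRole)) {
        Write-Warning "Insufficient permissions. Run this Powershell script as Admin please"
        # 'return', not 'break': 'break' outside a loop unwinds the caller's
        # pipeline instead of just leaving this function.
        return
    }

    # if we're all good, let's fire it off
    Collect_via_Reg
}

#######################################
# Stage 1: export the machine hives (Software, System, SECURITY, SAM) with
# reg.exe into $CollectionRoot, then hand off to Collect_via_TSCopy.
# Globals: CollectionRoot (read); sets ErrorActionPreference/ProgressPreference
#          for this function and everything it calls.
#######################################
function Collect_via_Reg {
    # Print to reassure the user things are happening until the ZIP appears.
    Write-Host "`n`nHuntress " -NoNewline -ForegroundColor Green
    Write-Host "Registry collection script is running...`n`n"

    # Keep cmdlet errors and progress bars from interrupting the run. Native
    # commands (reg.exe, TScopy) are not covered by this preference, so their
    # exit codes are checked explicitly below.
    $ErrorActionPreference = 'SilentlyContinue'
    $ProgressPreference    = 'SilentlyContinue'

    # Make the various directories, to be neat and tidy. -Force keeps a
    # pre-existing directory (e.g. from an aborted run) from causing an error.
    $dirs = @(
        $CollectionRoot,
        (Join-Path $CollectionRoot 'Collected_ntuser_files'),
        (Join-Path $CollectionRoot 'Collected_UsrClass_files'),
        (Join-Path $CollectionRoot 'amcache')
    )
    foreach ($dir in $dirs) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }

    # Save the registry files. /y overwrites a leftover file instead of
    # prompting; a non-zero exit (typically SAM/SECURITY when not truly
    # elevated) is reported rather than silently yielding a partial collection.
    foreach ($hive in 'Software', 'System', 'SECURITY', 'SAM') {
        reg save "HKLM\$hive" (Join-Path $CollectionRoot $hive) /y
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg save HKLM\$hive failed (exit code $LASTEXITCODE)"
        }
    }

    # Next Stage
    Collect_via_TSCopy
}

#######################################
# Stage 2: download TScopy and use it to copy the per-user NTUSER.DAT and
# UsrClass.dat hives plus Amcache.hve, then hand off to Zip_Collected.
# Globals: CollectionRoot, TScopyUrl, TScopyPath, ExpectedTScopySha256 (read).
# If the download fails or the hash does not match, this stage is skipped and
# the run continues with what Stage 1 collected.
#######################################
function Collect_via_TSCopy {
    # GitHub requires TLS 1.2; older Windows PowerShell defaults to SSL3/TLS 1.0
    # and the download would otherwise fail under SilentlyContinue.
    [Net.ServicePointManager]::SecurityProtocol = `
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

    # WebClient rather than Invoke-WebRequest: the latter's progress bar makes
    # the download very slow.
    try {
        (New-Object Net.WebClient).DownloadFile($TScopyUrl, $TScopyPath)
    } catch {
        Write-Warning "Download of TScopy failed: $($_.Exception.Message)"
    }

    if (-not (Test-Path -LiteralPath $TScopyPath)) {
        Write-Warning "TScopy_x64.exe not present; skipping NTUSER/UsrClass/Amcache collection"
        Zip_Collected
        return
    }

    # Never run an unverified binary as Administrator when a reference hash is
    # configured; with no hash configured, say so instead of silently trusting it.
    if ($ExpectedTScopySha256) {
        $actualHash = (Get-FileHash -LiteralPath $TScopyPath -Algorithm SHA256).Hash
        if ($actualHash -ne $ExpectedTScopySha256) {
            Write-Warning "TScopy SHA-256 mismatch (got $actualHash); refusing to run it"
            Remove-Item -LiteralPath $TScopyPath -Force
            Zip_Collected
            return
        }
    } else {
        Write-Warning 'No expected SHA-256 configured for TScopy; running it unverified'
    }

    $ntuserOut   = Join-Path $CollectionRoot 'Collected_ntuser_files'
    $usrClassOut = Join-Path $CollectionRoot 'Collected_UsrClass_files'
    $amcacheOut  = Join-Path $CollectionRoot 'amcache'

    # each user's ntuser.dat (the trailing * also catches the hive's
    # transaction-log siblings)
    & $TScopyPath -f 'c:\users\*\ntuser.dat*' -o $ntuserOut
    # each user's usrclass.dat
    & $TScopyPath -f 'C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat*' -o $usrClassOut
    # collect amcache hive
    & $TScopyPath -f 'C:\Windows\AppCompat\Programs\Amcache.hve' -o $amcacheOut

    # Next stage
    Zip_Collected
}

#######################################
# Stage 3: zip $CollectionRoot to the current user's Desktop, remove the
# staging directory, and open the archive.
# Globals: CollectionRoot (read, then deleted on success).
# Outputs: the ZIP path on stdout; a warning if the archive was not created.
#######################################
function Zip_Collected {
    # Tree for a directory map, included in the ZIP. '>' rather than '>>' so a
    # stale tree_output.txt from an earlier run is not appended to.
    tree $CollectionRoot /f > (Join-Path $CollectionRoot 'tree_output.txt')

    # Get current user's desktop to save zip to. The timestamp is taken once so
    # the announced, created and opened paths cannot drift across a midnight
    # boundary (the original called Get-Date three separate times).
    $DesktopPath = [Environment]::GetFolderPath("Desktop")
    $stamp       = Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z"
    $zipPath     = Join-Path $DesktopPath "Huntress_Registry_Collection_$stamp.zip"

    Get-ChildItem -Path $CollectionRoot | Compress-Archive -DestinationPath $zipPath

    # Only delete the staging data once the archive actually exists; a failed
    # Compress-Archive must not destroy the only copy of the collection.
    if (Test-Path -LiteralPath $zipPath) {
        Write-Host "`n`nYour ZIP is waiting at: " -NoNewline
        Write-Host "$zipPath`n`n" -ForegroundColor Green

        # Clean up the staging directory on host after ZIP
        Remove-Item -LiteralPath $CollectionRoot -Recurse -Force

        # Open up dir
        Start-Sleep -Seconds 2
        Invoke-Item -LiteralPath $zipPath
    } else {
        Write-Warning "Compress-Archive did not produce $zipPath; leaving $CollectionRoot in place"
    }
}

# Execute main function in silence
Admin_Check | Out-Null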