From 55baf0777988212fbf6afa7711a71789128c8270 Mon Sep 17 00:00:00 2001
From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com>
Date: Tue, 2 Apr 2024 17:30:56 +0200
Subject: [PATCH 1/4] Create PowerShell_AD_Timeline.mkape
---
 Modules/PowerShell_AD_Timeline.mkape | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 Modules/PowerShell_AD_Timeline.mkape
diff --git a/Modules/PowerShell_AD_Timeline.mkape b/Modules/PowerShell_AD_Timeline.mkape
new file mode 100644
index 000000000..8b6672fb2
--- /dev/null
+++ b/Modules/PowerShell_AD_Timeline.mkape
@@ -0,0 +1,24 @@
+Description: ADTimeline.ps1 - The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.
+Category: Github
+Author: Tristan PINCEAUX - CERT CWATCH - ALMOND
+Version: 1.0
+Id: 6666cc62-821f-4b13-b13a-03c768b40f71
+BinaryUrl: https://raw.githubusercontent.com/ANSSI-FR/ADTimeline/master/ADTimeline.ps1
+ExportFormat: csv, log, xml
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: "-ep bypass & '%kapeDirectory%\\Modules\\bin\\ADTimeline.ps1'; Move-Item timeline_*.csv -Destination %destinationDirectory%; Move-Item logfile_*.log -Destination %destinationDirectory%; Move-Item ADobjects_*.xml -Destination %destinationDirectory%; Move-Item gcADobjects_*.xml -Destination %destinationDirectory% "
+ ExportFormat: csv, log, xml
+
+# Documentation
+# ADtimeline is a powershell script created by the ANSSI (French Cybersecurity Agency).
+# You can use the output of this script to determine persistance, sensitives accounts, suspicious activities...
+# You need to run this script on a live domain controller.
+# This script will generate four files :
+# - timeline_%DOMAINFQDN%.csv: The timeline generated with the AD replication metadata of objects retrieved.
+# - logfile_%DOMAINFQDN%.log: Script log file. You will also find various information on the domain.
+# - ADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via LDAP.
+# - gcADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via the Global Catalog.
+# https://github.com/ANSSI-FR/ADTimeline
+# https://www.first.org/resources/papers/amsterdam2019/AD_Timeline_FIRST_TC.pdf
From 862ada47fd519601938f337efa0609396fa11619 Mon Sep 17 00:00:00 2001
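Review bot: BinaryUrl on the new side points at the `master` branch of the upstream repository rather than a tagged release or a specific commit, so the ADTimeline.ps1 that ends up in `Modules\bin` and is executed with `-ep bypass` on a live domain controller is whatever that branch held at download time. Pinning the URL to a release tag or commit and recording the expected hash in the Documentation block, e.g. `# Expected SHA256 of ADTimeline.ps1: <HASH_PLACEHOLDER>`, would let a responder verify the script before running it. The Move-Item commands in CommandLine use bare wildcards (`timeline_*.csv`, `logfile_*.log`, and the two `.xml` globs) resolved against whatever working directory the processor is started in, which is not shown here; if that directory is shared with other output, pre-existing files matching the globs would be swept into %destinationDirectory%, so an explicit `-Path` anchored to where the script writes would be safer. The Documentation block also carries `persistance` and `sensitives accounts`, which should read `persistence` and `sensitive accounts`.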
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Tue, 2 Apr 2024 14:37:07 -0400
Subject: [PATCH 2/4] Update and rename Modules/PowerShell_AD_Timeline.mkape to Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape
---
 Modules/{ => Apps/GGitHub}/PowerShell_AD_Timeline.mkape | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename Modules/{ => Apps/GGitHub}/PowerShell_AD_Timeline.mkape (98%)
diff --git a/Modules/PowerShell_AD_Timeline.mkape b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape
similarity index 98%
rename from Modules/PowerShell_AD_Timeline.mkape
rename to Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape
index 8b6672fb2..0a61860b9 100644
--- a/Modules/PowerShell_AD_Timeline.mkape
+++ b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape
@@ -1,5 +1,5 @@
 Description: ADTimeline.ps1 - The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.
-Category: Github
+Category: GitHub
 Author: Tristan PINCEAUX - CERT CWATCH - ALMOND
 Version: 1.0
 Id: 6666cc62-821f-4b13-b13a-03c768b40f71
From 4350f663ec27a292b4bb5346f239792cdeb9e81f Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Tue, 2 Apr 2024 14:39:34 -0400
Subject: [PATCH 3/4] Update PowerShell_AD_Timeline.mkape remove trailing spaces
---
 Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape
index 0a61860b9..e84a7e929 100644
--- a/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape
+++ b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape
@@ -12,13 +12,13 @@ Processors:
 ExportFormat: csv, log, xml

 # Documentation
-# ADtimeline is a powershell script created by the ANSSI (French Cybersecurity Agency).
+# ADtimeline is a PowerShell script created by the ANSSI (French Cybersecurity Agency).
 # You can use the output of this script to determine persistance, sensitives accounts, suspicious activities...
-# You need to run this script on a live domain controller.
+# You need to run this script on a live domain controller.
-# This script will generate four files :
+# This script will generate four files:
 # - timeline_%DOMAINFQDN%.csv: The timeline generated with the AD replication metadata of objects retrieved.
 # - logfile_%DOMAINFQDN%.log: Script log file. You will also find various information on the domain.
 # - ADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via LDAP.
-# - gcADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via the Global Catalog.
+# - gcADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via the Global Catalog.
 # https://github.com/ANSSI-FR/ADTimeline
 # https://www.first.org/resources/papers/amsterdam2019/AD_Timeline_FIRST_TC.pdf
From 6765c598b6766a65e5fb3232ceac7eaba8a123bf Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Thu, 4 Apr 2024 21:02:20 -0400
Subject: [PATCH 4/4] Update PowerShell_AD_Timeline.mkape make CSV the default ExportFormat, and rename the ExportFormat for the first processor to CSV
---
 Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape
index e84a7e929..9887abd07 100644
--- a/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape
+++ b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape
@@ -4,12 +4,12 @@ Author: Tristan PINCEAUX - CERT CWATCH - ALMOND
 Version: 1.0
 Id: 6666cc62-821f-4b13-b13a-03c768b40f71
 BinaryUrl: https://raw.githubusercontent.com/ANSSI-FR/ADTimeline/master/ADTimeline.ps1
-ExportFormat: csv, log, xml
+ExportFormat: csv
 Processors:
 -
 Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 CommandLine: "-ep bypass & '%kapeDirectory%\\Modules\\bin\\ADTimeline.ps1'; Move-Item timeline_*.csv -Destination %destinationDirectory%; Move-Item logfile_*.log -Destination %destinationDirectory%; Move-Item ADobjects_*.xml -Destination %destinationDirectory%; Move-Item gcADobjects_*.xml -Destination %destinationDirectory% "
- ExportFormat: csv, log, xml
+ ExportFormat: csv

 # Documentation
 # ADtimeline is a PowerShell script created by the ANSSI (French Cybersecurity Agency).
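Review bot: ExportFormat is reduced to `csv` at both the module level and on the processor, but the CommandLine on the surrounding context lines still moves `.log` and `.xml` files into %destinationDirectory% and the Documentation block below still lists four output files, so a reader may take the change to mean the log and XML outputs were dropped. A one-line comment under the processor's ExportFormat, e.g. `# ExportFormat names the primary CSV output; the log and xml files written by the script are still moved by the Move-Item commands above.`, would make the intent explicit. The path `Modules/Apps/GGitHub/` in this patch's file header looks like a typo for `Modules/Apps/GitHub/` given `Category: GitHub` in the same file; presumably the directory should match the category spelling, which is worth confirming before merge.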