From 8c0b7ccc6325eb0cc585a3e71d68713b1f37f3c2 Mon Sep 17 00:00:00 2001
From: DReneau <53024966+DReneau@users.noreply.github.com>
Date: Fri, 18 Oct 2024 11:02:45 -0700
Subject: [PATCH 1/5] PowerShell Docker Containers
---
 .../PowerShell_Docker_Containers.mkape | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 Modules/Windows/PowerShell_Docker_Containers.mkape
diff --git a/Modules/Windows/PowerShell_Docker_Containers.mkape b/Modules/Windows/PowerShell_Docker_Containers.mkape
new file mode 100644
index 000000000..b9b84330e
--- /dev/null
+++ b/Modules/Windows/PowerShell_Docker_Containers.mkape
@@ -0,0 +1,46 @@
+Description: Docker Container Details
+Category: LiveResponse
+Author: DReneau
+Version: 1.0
+Id: 67e875ee-1cb2-4b06-ab94-83540f8f2482
+ExportFormat: txt
+Processors:
+ - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: |
+ $maxRetries = 3;
+ $retryCount = 0;
+ $filePath = '%destinationDirectory%\docker_container_info.txt';
+
+ $dockerInfo = (docker version) | Out-String;
+ $dockerPS = (docker ps --all --format 'ID: {{.ID}} | Name: {{.Names}} | Image: {{.Image}} | Size: {{.Size}} | Status: {{.Status}} | Command: {{.Command}} | Ports: {{.Ports}}') | Out-String;
+
+ $separator = [System.Environment]::NewLine + [System.Environment]::NewLine;
+
+ $output = $dockerInfo + $separator + $dockerPS;
+
+ $dockerOutput = $dockerInfo.TrimEnd() + $separator + $dockerPS.TrimEnd();
+
+ while ($retryCount -lt $maxRetries) {
+ try {
+ # Use Set-Content to write the combined data to the file
+ Set-Content -Path $filePath -Value $dockerOutput -Encoding UTF8 -Force;
+ Write-Host 'Docker details have been successfully written to: ' $filePath -ForegroundColor Green;
+ break;
+ } catch {
+ Write-Host "Attempt $retryCount failed to write to the file. Retrying..." -ForegroundColor Yellow;
+ Start-Sleep -Seconds 2;
+ $retryCount++;
+ }
+ }
+
+ if ($retryCount -eq $maxRetries) {
+ Write-Host 'Failed to write Docker details after multiple attempts.' -ForegroundColor Red;
+ }
+ ExportFormat: txt
+
+# Documentation
+# https://docs.docker.com/reference/cli/docker/container/ls/
+# This module combines Docker ps and Docker version commands. Output is based on installed Docker and the status.
+#
+# Example:
+# .\kape.exe --msource C:\kape\path\to\acquired\Windows\System32\config --mdest C:\kape\out --module powershell_docker_containers
From 9122a09394dc0212b5745b62271dd52561a9b537 Mon Sep 17 00:00:00 2001
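Review bot: The retry loop in `CommandLine` cannot actually retry: `Set-Content` reports write failures as non-terminating errors, which `try`/`catch` does not intercept without `-ErrorAction Stop`, so on a failed write the script still prints the green "successfully written" line and `break`s on the first pass, leaving the `$retryCount -eq $maxRetries` branch unreachable. Change the write to `Set-Content -Path $filePath -Value $dockerOutput -Encoding UTF8 -Force -ErrorAction Stop;` so the catch block and the counter run as intended. `$output` is assigned and never used and can be dropped. Note also that every `Write-Host` message goes to the console rather than the collected file, so an examiner reading docker_container_info.txt later sees no trace of a failed write.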
From: DReneau <53024966+DReneau@users.noreply.github.com>
Date: Fri, 18 Oct 2024 11:11:19 -0700
Subject: [PATCH 2/5] Update PowerShell_Docker_Containers.mkape
---
 Modules/Windows/PowerShell_Docker_Containers.mkape | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Modules/Windows/PowerShell_Docker_Containers.mkape b/Modules/Windows/PowerShell_Docker_Containers.mkape
index b9b84330e..82f83c15a 100644
--- a/Modules/Windows/PowerShell_Docker_Containers.mkape
+++ b/Modules/Windows/PowerShell_Docker_Containers.mkape
@@ -38,9 +38,9 @@ Processors:
 }
 ExportFormat: txt
 
-# Documentation
+# Documentation
 # https://docs.docker.com/reference/cli/docker/container/ls/
-# This module combines Docker ps and Docker version commands. Output is based on installed Docker and the status.
+# This module combines Docker ps and Docker version commands. Output is based on installed Docker and the status.
 #
 # Example:
-# .\kape.exe --msource C:\kape\path\to\acquired\Windows\System32\config --mdest C:\kape\out --module powershell_docker_containers
+# .\kape.exe --msource C:\kape\path\to\acquired\Windows\System32\config --mdest C:\kape\out --module powershell_docker_containers
From aa3729fd9fee41ae19aae7e6dfc6dbda2a22ec86 Mon Sep 17 00:00:00 2001
From: DReneau <53024966+DReneau@users.noreply.github.com>
Date: Fri, 18 Oct 2024 18:18:47 -0700
Subject: [PATCH 3/5] Update PowerShell_Docker_Containers.mkape
Corrected spacing errors.
---
 Modules/Windows/PowerShell_Docker_Containers.mkape | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Modules/Windows/PowerShell_Docker_Containers.mkape b/Modules/Windows/PowerShell_Docker_Containers.mkape
index 82f83c15a..0c4807b6c 100644
--- a/Modules/Windows/PowerShell_Docker_Containers.mkape
+++ b/Modules/Windows/PowerShell_Docker_Containers.mkape
@@ -22,7 +22,6 @@ Processors:
 
 while ($retryCount -lt $maxRetries) {
 try {
- # Use Set-Content to write the combined data to the file
 Set-Content -Path $filePath -Value $dockerOutput -Encoding UTF8 -Force;
 Write-Host 'Docker details have been successfully written to: ' $filePath -ForegroundColor Green;
 break;
From 39f6b75378f1fba7d58a1b8eb7db8d493d30a5ef Mon Sep 17 00:00:00 2001
From: DReneau <53024966+DReneau@users.noreply.github.com>
Date: Fri, 18 Oct 2024 21:31:59 -0700
Subject: [PATCH 4/5] Update PowerShell_Docker_Containers.mkape
Condensed code.
---
 .../PowerShell_Docker_Containers.mkape | 31 +++----------------
 1 file changed, 4 insertions(+), 27 deletions(-)
diff --git a/Modules/Windows/PowerShell_Docker_Containers.mkape b/Modules/Windows/PowerShell_Docker_Containers.mkape
index 0c4807b6c..865ff577d 100644
--- a/Modules/Windows/PowerShell_Docker_Containers.mkape
+++ b/Modules/Windows/PowerShell_Docker_Containers.mkape
@@ -2,44 +2,21 @@ Description: Docker Container Details
 Category: LiveResponse
 Author: DReneau
 Version: 1.0
-Id: 67e875ee-1cb2-4b06-ab94-83540f8f2482
+Id: 87bf8201-6256-45ad-8b2b-a6034235db53
 ExportFormat: txt
 Processors:
 - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 CommandLine: |
- $maxRetries = 3;
- $retryCount = 0;
 $filePath = '%destinationDirectory%\docker_container_info.txt';
 
- $dockerInfo = (docker version) | Out-String;
- $dockerPS = (docker ps --all --format 'ID: {{.ID}} | Name: {{.Names}} | Image: {{.Image}} | Size: {{.Size}} | Status: {{.Status}} | Command: {{.Command}} | Ports: {{.Ports}}') | Out-String;
+ $dockerOutput = (docker version | Out-String).TrimEnd() + [System.Environment]::NewLine + [System.Environment]::NewLine +
+ (docker ps --all --format 'ID: {{.ID}} | Name: {{.Names}} | Image: {{.Image}} | Size: {{.Size}} | Status: {{.Status}} | Command: {{.Command}}' | Out-String).TrimEnd();
 
- $separator = [System.Environment]::NewLine + [System.Environment]::NewLine;
-
- $output = $dockerInfo + $separator + $dockerPS;
-
- $dockerOutput = $dockerInfo.TrimEnd() + $separator + $dockerPS.TrimEnd();
-
- while ($retryCount -lt $maxRetries) {
- try {
- Set-Content -Path $filePath -Value $dockerOutput -Encoding UTF8 -Force;
- Write-Host 'Docker details have been successfully written to: ' $filePath -ForegroundColor Green;
- break;
- } catch {
- Write-Host "Attempt $retryCount failed to write to the file. Retrying..." -ForegroundColor Yellow;
- Start-Sleep -Seconds 2;
- $retryCount++;
- }
- }
-
- if ($retryCount -eq $maxRetries) {
- Write-Host 'Failed to write Docker details after multiple attempts.' -ForegroundColor Red;
- }
+ Set-Content -Path $filePath -Value $dockerOutput -Encoding UTF8;
 ExportFormat: txt
 
 # Documentation
 # https://docs.docker.com/reference/cli/docker/container/ls/
 # This module combines Docker ps and Docker version commands. Output is based on installed Docker and the status.
-#
 # Example:
 # .\kape.exe --msource C:\kape\path\to\acquired\Windows\System32\config --mdest C:\kape\out --module powershell_docker_containers
From f505cfb1bb0170b97a097fc92d42f3273dc5c802 Mon Sep 17 00:00:00 2001
From: DReneau <53024966+DReneau@users.noreply.github.com>
Date: Fri, 18 Oct 2024 21:48:42 -0700
Subject: [PATCH 5/5] Update PowerShell_Docker_Containers.mkape
CommandLine combined/condensed to one-liner.
---
 Modules/Windows/PowerShell_Docker_Containers.mkape | 12 +++--------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/Modules/Windows/PowerShell_Docker_Containers.mkape b/Modules/Windows/PowerShell_Docker_Containers.mkape
index 865ff577d..fc66dfbc6 100644
--- a/Modules/Windows/PowerShell_Docker_Containers.mkape
+++ b/Modules/Windows/PowerShell_Docker_Containers.mkape
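Review bot: The condensed `--format` string silently drops `Ports: {{.Ports}}`, so the collected listing no longer shows host-to-container port publications, which is the one column that tells an examiner whether a container was reachable from the network; the commit message ("Condensed code") does not mention this change in evidence content. Unless the omission was deliberate, restore it as `| Command: {{.Command}} | Ports: {{.Ports}}` at the end of the format. The rewrite also removes `-Force` from `Set-Content`; that is harmless for a fresh destination directory, but if the module is re-run into the same folder and the earlier file is read-only the write now fails with a non-terminating error that nothing reports into the artefact.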
@@ -1,18 +1,12 @@
 Description: Docker Container Details
 Category: LiveResponse
 Author: DReneau
-Version: 1.0
+Version: 1.1
 Id: 87bf8201-6256-45ad-8b2b-a6034235db53
 ExportFormat: txt
 Processors:
- - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- CommandLine: |
- $filePath = '%destinationDirectory%\docker_container_info.txt';
-
- $dockerOutput = (docker version | Out-String).TrimEnd() + [System.Environment]::NewLine + [System.Environment]::NewLine +
- (docker ps --all --format 'ID: {{.ID}} | Name: {{.Names}} | Image: {{.Image}} | Size: {{.Size}} | Status: {{.Status}} | Command: {{.Command}}' | Out-String).TrimEnd();
-
- Set-Content -Path $filePath -Value $dockerOutput -Encoding UTF8;
+ - Executable: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
+ CommandLine: "$filePath = '%destinationDirectory%\\docker_container_info.txt'; $dockerOutput = (docker version | Out-String).TrimEnd() + [System.Environment]::NewLine + [System.Environment]::NewLine + (docker ps --all --format 'ID: {{.ID}} | Name: {{.Names}} | Image: {{.Image}} | Size: {{.Size}} | Status: {{.Status}} | Command: {{.Command}}' | Out-String).TrimEnd(); Set-Content -Path $filePath -Value $dockerOutput -Encoding UTF8;"
 ExportFormat: txt
 
 # Documentation
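Review bot: `docker` in the new `CommandLine` is still resolved through the live host's command lookup (PATH, and — since the `Executable` line launches powershell.exe without `-NoProfile` — any `docker` function a profile script defines), so a planted docker.exe/.cmd would run with the collector's privileges and nothing in docker_container_info.txt records which binary produced the data. Resolve it once, e.g. `$docker = (Get-Command docker -ErrorAction SilentlyContinue).Source`, write that path as the first line of `$dockerOutput`, and invoke `& $docker version` / `& $docker ps ...`. Both invocations also capture stdout only, so a stopped daemon or a missing client reports to the console and the evidence file ends up empty with no reason; adding `2>&1` before each `| Out-String` keeps the failure text with the artefact. `docker ps` truncates `{{.ID}}` and `{{.Command}}` by default, so `--all --no-trunc` is worth adding for the same reason. The second `ExportFormat: txt` under the processor duplicates the top-level key and can go.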