OfficeDiagnostics

Windowsv1

Author: teddy-ROxPin

description

Office Diagnostics

paths

2 paths

ExecutionOffice Diagnostics

C:\Users\%user%\AppData\Local\Diagnostics\PCW.debugreport.xml

Payloads for CVE-2022-30190 ('Follina') will be in this log

ExecutionOffice Elevated Diagnostics

C:\Users\%user%\AppData\Local\ElevatedDiagnostics\PCW.debugreport.xml

Payloads for CVE-2022-30190 ('Follina') will be in this log

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: OfficeDiagnostics
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. Office Diagnostics
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Diagnostics\"
Collect-Artifact -SourcePath "$UserPath\PCW.debugreport.xml" -FolderName "Office_Diagnostics"

# 2. Office Elevated Diagnostics
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\ElevatedDiagnostics\"
Collect-Artifact -SourcePath "$UserPath\PCW.debugreport.xml" -FolderName "Office_Elevated_Diagnostics"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

https://twitter.com/nas_bench/status/1531718490494844928?cxt=HHwWgIC-ncH24MEqAAAA

// description

// paths

// collection commands

// references

description

paths

collection commands

references