TotalCommander

Apps v1.4

Authors: Andrew Rathbun, Jessica Venturo and Chuck Whitson

description

Total Commander

paths

7 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: TotalCommander
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. Total Commander - Log File
Collect-Artifact -SourceDir "C:" -FileMask "totalcmd.log" -FolderName "Total_Commander_Log_File"

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Total Commander - .ini File
        $UserPath = "$($_.FullName)\AppData\Roaming\GHISLER"
        Collect-Artifact -SourceDir $UserPath -FileMask "wincmd.ini" -FolderName "Total_Commander_ini_File_$UserName"
        # Total Commander - Temp Files Created During Folder Traversal
        $UserPath = "$($_.FullName)\AppData\Local\Temp"
        Collect-Artifact -SourceDir $UserPath -FileMask "FTP*.tmp" -FolderName "Total_Commander_Temp_Files_Created_During_Folder_Traversal_$UserName"
        # Total Commander - FTP .ini File
        $UserPath = "$($_.FullName)\AppData\Roaming\GHISLER"
        Collect-Artifact -SourceDir $UserPath -FileMask "wcx_ftp.ini" -FolderName "Total_Commander_FTP_ini_File_$UserName"
        # Total Commander - File Tree
        $UserPath = "$($_.FullName)\AppData\Local\GHISLER"
        Collect-Artifact -SourceDir $UserPath -FileMask "treeinfo*.wc" -FolderName "Total_Commander_File_Tree_$UserName"
        # Total Commander - Frequent Directory Listing
        $UserPath = "$($_.FullName)\AppData\Local\GHISLER"
        Collect-Artifact -SourceDir $UserPath -FileMask "tcDirFrq.txt" -FolderName "Total_Commander_Frequent_Directory_Listing_$UserName"
        # Total Commander - FTP Logs
        $UserPath = "$($_.FullName)\AppData\Local\Temp"
        Collect-Artifact -SourceDir $UserPath -FileMask "tcftp.log" -FolderName "Total_Commander_FTP_Logs_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

notes

Total Commander is a shareware Windows File Explorer replacement that is commonly found in use by threat actors during incident response (IR) engagements.

This Target grabs the .ini file, which provides useful information very similar to Windows ShellBags.

Note that this .ini file is updated when Total Commander is exited.

Within the wincmd.ini file, you will notice the following fields:

InstallDir - directory where Total Commander is installed

Path listed for both Left and Right panes - in my testing, this is the folder that was displayed in each respective pane upon exiting Total Commander

RightHistory and LeftHistory - each of these provides a breadcrumb trail of the user's actions in the respective pane. For example, mine looked like this (0 is most recent):

[RightHistory]
0=C:\Users\%user%\Music\	#0
1=C:\Users\%user%\	#08,Music
2=C:\Users\	#01,%user%
3=C:\	#04,Users
4=C:\Program Files (x86)\Google\
5=C:\Program Files (x86)\	#05,Google
6=C:\Program Files (x86)\BraveSoftware\	#2,CrashReports
7=C:\Program Files (x86)\	#02,BraveSoftware
8=C:\	#2,Program Files (x86)

[LeftHistory]
0=C:\Users\%user%\Desktop\	#0
1=C:\Users\%user%\	#03,Desktop
2=C:\Users\	#01,%user%
3=C:\	#04,Users
4=C:\Program Files (x86)\Microsoft\
5=C:\Program Files (x86)\	#07,Microsoft
6=C:\	#2,Program Files (x86)
7=C:\Program Files (x86)\	#0
8=C:\Program Files (x86)\BraveSoftware\Brave-Browser\	#0
9=C:\Program Files (x86)\BraveSoftware\	#01,Brave-Browser
10=C:\Program Files (x86)\	#02,BraveSoftware
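The history sections above are small enough to read by hand, but on a collected wincmd.ini you usually want the pane paths, InstallDir and both breadcrumb trails pulled out in one pass, with the trail kept in order (0 = most recent). The following Python is an added example and is not part of the KAPE Target or of Total Commander; it assumes that InstallDir lives under a [Configuration] section and that the pane paths live under [left] and [right] as a path key, reads the text after the tab in each history value as "#NN,Name" and reports the Name part (in the sample it is the subfolder that was entered from that directory), and uses %user% as a stand-in for a real profile name. The sample INI is constructed from the listing in these notes.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample modelled on the history listing in the notes. The
# [Configuration], [left] and [right] sections and the InstallDir / path keys
# are assumed locations for the install directory and the pane paths;
# %user% stands in for a real profile name.
SAMPLE_WINCMD_INI = """\
[Configuration]
InstallDir=C:\\totalcmd

[left]
path=C:\\Users\\%user%\\Desktop\\

[right]
path=C:\\Users\\%user%\\Music\\

[RightHistory]
0=C:\\Users\\%user%\\Music\\\t#0
1=C:\\Users\\%user%\\\t#08,Music
2=C:\\Users\\\t#01,%user%
3=C:\\\t#04,Users
4=C:\\Program Files (x86)\\Google\\

[LeftHistory]
0=C:\\Users\\%user%\\Desktop\\\t#0
1=C:\\Users\\%user%\\\t#03,Desktop
"""


class HistoryEntry(NamedTuple):
    index: int             # 0 is the most recently shown directory
    path: str              # directory that was displayed in the pane
    cursor: Optional[str]  # name after "#NN," (in the sample: the subfolder entered next)


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader (section -> {key: value}) that keeps key case, accepts
    numeric keys and leaves '%user%'-style values alone; configparser's default
    interpolation would choke on the percent signs."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value
    return sections


def _split_history_value(value: str):
    """'C:\\Users\\\t#08,Music' -> ('C:\\Users\\', 'Music'); no suffix -> (path, None)."""
    path, _, marker = value.partition("\t")
    m = re.fullmatch(r"#(\d+)(?:,(.+))?", marker.strip())
    return path.strip(), (m.group(2) if m else None)


def pane_history(sections: Dict[str, Dict[str, str]], section: str) -> List[HistoryEntry]:
    entries = []
    for key, value in sections.get(section, {}).items():
        if key.isdigit():
            path, cursor = _split_history_value(value)
            entries.append(HistoryEntry(int(key), path, cursor))
    return sorted(entries, key=lambda e: e.index)


def summarize_wincmd_ini(text: str) -> dict:
    """Pull the fields the notes call out: InstallDir, the path shown in each
    pane at exit, and the per-pane history trails (index 0 = most recent)."""
    s = parse_ini(text)
    return {
        "install_dir": s.get("Configuration", {}).get("InstallDir"),
        "left_path": s.get("left", {}).get("path"),
        "right_path": s.get("right", {}).get("path"),
        "left_history": pane_history(s, "LeftHistory"),
        "right_history": pane_history(s, "RightHistory"),
    }


def visited_directories(text: str) -> List[str]:
    """Every distinct directory seen in either pane's history, in first-seen
    order (left pane first); a quick triage list of where the user browsed."""
    seen: List[str] = []
    summary = summarize_wincmd_ini(text)
    for e in summary["left_history"] + summary["right_history"]:
        if e.path not in seen:
            seen.append(e.path)
    return seen


if __name__ == "__main__":
    result = summarize_wincmd_ini(SAMPLE_WINCMD_INI)
    print("InstallDir:", result["install_dir"])
    for pane in ("left_history", "right_history"):
        print(pane)
        for e in result[pane]:
            print(f"  {e.index}: {e.path}  cursor={e.cursor}")
```

Point summarize_wincmd_ini at the text of a collected Total_Commander_ini_File_<user>\wincmd.ini; the hand-rolled reader is used instead of configparser because the history keys are bare numbers and the values contain percent signs and tabs.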

totalcmd.log is Total Commander's default filename for its log file, which can track folder creation, delete actions, archive packing and unpacking, etc.

Within a user's NTUSER.DAT hive, there will be a key at SOFTWARE\Ghisler\Total Commander. Its InstallDir value will list where Total Commander is installed for that user.

wcx_ftp.ini will contain the saved FTP connections that the user configured in Total Commander.

.tmp files will only exist during an active Total Commander session. Once Total Commander is exited, they will be deleted. I'd suggest carving for them to see file/folder contents.

A preview of their contents can be seen below:

Contents of C:\Users\%user%\AppData\Local\Temp\FTP418E.tmp

type=file;modify=20210327145254;size=65536; AppEvent.Evt
type=file;modify=20201021200345;size=65536; Internet.evt
type=file;modify=20201021160008;size=65536; SecEvent.Evt
type=file;modify=20210327145254;size=65536; SysEvent.Evt
type=file;modify=20201021200840;size=65536; ThinPrint.evt

Please note that each folder I traversed created a new .tmp file with similar contents for that respective folder.

Hex -> ASCII: 0x747970653D decodes to type=, which is the first five characters of each of these .tmp files (as the listing above shows).
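Because the .tmp files are deleted at exit, what you usually have is either a live copy collected by the Target or fragments recovered by carving. The Python below is an added example, not code from the KAPE Target or from Total Commander: it parses the fact=value;...; name lines shown above and also carves such lines out of a raw byte buffer by locating the 0x747970653D (type=) signature and reading to the next line break. Assumptions: the modify= stamp is treated as UTC and a type=dir line is accepted, both by analogy with the FTP MLSD listing format this output resembles; carved bytes are decoded as UTF-8. The sample text and the byte blob are constructed, with the blob standing in for a slice of unallocated space.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional

# 0x747970653D, the five bytes the notes point at as the start of each .tmp file.
LISTING_SIGNATURE = bytes.fromhex("747970653D")  # == b"type="

# Constructed listing text in the shape shown in the notes.
SAMPLE_TMP_TEXT = """\
type=file;modify=20210327145254;size=65536; AppEvent.Evt
type=file;modify=20201021200345;size=65536; Internet.evt
type=file;modify=20201021160008;size=65536; SecEvent.Evt
"""

# Constructed byte blob standing in for unallocated space: two listing lines
# surrounded by unrelated bytes. The 'type=dir' line follows the FTP MLSD
# convention the listing resembles; it is an assumption, not something the notes show.
SAMPLE_BLOB = (
    b"\x00\x17junk\x00"
    + b"type=file;modify=20201021200840;size=65536; ThinPrint.evt\r\n"
    + b"\xff\xfe\x00"
    + b"type=dir;modify=20210101000000; Logs\n"
    + b"\x00" * 4
)


class ListingEntry(NamedTuple):
    name: str
    kind: str                     # value of the type= fact ("file" in the sample)
    modified: Optional[datetime]  # modify= fact, taken as UTC (MLSD convention; assumption)
    size: Optional[int]           # size= fact in bytes, if present


def parse_listing_line(line: str) -> Optional[ListingEntry]:
    """Parse one 'fact=value;...; name' line; returns None for anything else."""
    facts_part, sep, name = line.strip().partition(" ")
    if not sep or not facts_part.startswith("type="):
        return None
    facts: Dict[str, str] = {}
    for fact in facts_part.split(";"):
        key, eq, value = fact.partition("=")
        if eq:
            facts[key.lower()] = value
    modified = None
    if re.fullmatch(r"\d{14}", facts.get("modify", "")):
        modified = datetime.strptime(facts["modify"], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    size = int(facts["size"]) if facts.get("size", "").isdigit() else None
    return ListingEntry(name.strip(), facts["type"], modified, size)


def parse_listing(text: str) -> List[ListingEntry]:
    return [e for e in map(parse_listing_line, text.splitlines()) if e is not None]


def carve_listing_lines(blob: bytes) -> List[str]:
    """Recover listing lines from raw bytes by seeking the 'type=' signature and
    reading up to the next newline; fragments that are not valid UTF-8 are skipped."""
    lines: List[str] = []
    pos = 0
    while (start := blob.find(LISTING_SIGNATURE, pos)) != -1:
        end = blob.find(b"\n", start)
        if end == -1:
            end = len(blob)
        try:
            lines.append(blob[start:end].rstrip(b"\r").decode("utf-8"))
        except UnicodeDecodeError:
            pass
        pos = end
    return lines


def carve_listing(blob: bytes) -> List[ListingEntry]:
    return [e for e in map(parse_listing_line, carve_listing_lines(blob)) if e is not None]


if __name__ == "__main__":
    for entry in parse_listing(SAMPLE_TMP_TEXT) + carve_listing(SAMPLE_BLOB):
        print(entry)
```

For a collected FTP*.tmp, read the file and pass its text to parse_listing; for carving, feed carve_listing the bytes of an image slice. The carve is signature-based only, so expect false positives wherever the string type= occurs in other data; parse_listing_line drops anything that does not have the fact;fact; name shape.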

Total Commander - Frequent Directory Listing

New in version 11.x

Per author Christian Ghisler:

Example / Documentation:

The first line is the date stamp when the tcDirFrq.txt file is created, which occurs when Total Commander is closed.

<N>,<FOLDER>, where <N> is the number of times the folder was accessed and <FOLDER> is the folder path.

20230809
22,C:\Windows\
14,c:\Temp\
12,C:\
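The format above is two lines of rules, but a parser still has to get two details right: the folder path may itself contain a comma, so the split has to happen on the first comma only, and the same NTFS folder can appear twice with different capitalisation (c:\Temp\ and C:\Temp\), so counts should be folded together case-insensitively. The Python below is an added example, not code from the KAPE Target or from Total Commander; the sample file is constructed from the listing in the notes plus two extra lines that exercise those two cases, and %user% stands in for a real profile name.

```python
import re
from datetime import date, datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in the tcDirFrq.txt format. The last two lines are added
# cases: a duplicate folder differing only in case, and a folder name with a comma.
SAMPLE_TCDIRFRQ = """\
20230809
22,C:\\Windows\\
14,c:\\Temp\\
12,C:\\
5,C:\\Temp\\
3,C:\\Users\\%user%\\Documents\\Reports, 2023\\
"""


class FolderFrequency(NamedTuple):
    count: int
    folder: str


def parse_tcdirfrq(text: str) -> Tuple[Optional[date], List[FolderFrequency]]:
    """Return (date stamp, entries). The stamp is the first line when it is an
    8-digit YYYYMMDD value; entries are split on the FIRST comma only, so a
    folder name containing commas survives intact. Entries come back sorted by
    count, most frequent first."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    stamp = None
    if lines and re.fullmatch(r"\d{8}", lines[0]):
        stamp = datetime.strptime(lines[0], "%Y%m%d").date()
        lines = lines[1:]
    entries: List[FolderFrequency] = []
    for ln in lines:
        count, sep, folder = ln.partition(",")
        if sep and count.isdigit():
            entries.append(FolderFrequency(int(count), folder))
    return stamp, sorted(entries, key=lambda e: e.count, reverse=True)


def merge_case_insensitive(entries: List[FolderFrequency]) -> List[FolderFrequency]:
    """NTFS paths are case-insensitive, so 'c:\\Temp\\' and 'C:\\Temp\\' are the
    same folder; fold their counts together, keeping the first spelling seen."""
    totals: Dict[str, FolderFrequency] = {}
    for e in entries:
        key = e.folder.lower()
        if key in totals:
            totals[key] = FolderFrequency(totals[key].count + e.count, totals[key].folder)
        else:
            totals[key] = e
    return sorted(totals.values(), key=lambda e: e.count, reverse=True)


def top_folders(text: str, n: int = 3) -> List[FolderFrequency]:
    """The n most-visited folders after case folding."""
    _, entries = parse_tcdirfrq(text)
    return merge_case_insensitive(entries)[:n]


if __name__ == "__main__":
    stamp, entries = parse_tcdirfrq(SAMPLE_TCDIRFRQ)
    print("written on", stamp)
    for e in merge_case_insensitive(entries):
        print(f"{e.count:>4}  {e.folder}")
```

Run it against the text of a collected Total_Commander_Frequent_Directory_Listing_<user>\tcDirFrq.txt; the date stamp tells you when Total Commander last closed cleanly, and the merged list is a ready-made "where did this account spend its time" view.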

included in collections