# Accumulator for every artefact collected below. Each element (a cmdlet result object
# or an error string) is later shipped to Splunk HEC as one event.
$objects_to_send = @()
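# Posts one collected artefact to Splunk's HTTP Event Collector (HEC) as a single event.
#   $input_content : the object (or error string) placed under event.info
# Runtime configuration is read from the environment so that no credential is stored in the
# script (the previous revision carried a literal HEC token, which is a secret and must be
# rotated if this file has ever been shared):
#   SPLUNK_HEC_TOKEN : HEC token (required; the function refuses to post without it)
#   SPLUNK_HEC_URI   : collector endpoint; falls back to the lab address used originally
#   IR_CASE_NUMBER   : case identifier stamped on every event; falls back to the original value
# Throws on a missing token or a failed POST so the caller can see that data was not delivered.
function postResultsToSplunk ($input_content){
    $token = $env:SPLUNK_HEC_TOKEN
    if ([string]::IsNullOrWhiteSpace($token)) {
        throw "SPLUNK_HEC_TOKEN is not set; refusing to post triage data without a HEC token."
    }
    $uri = $env:SPLUNK_HEC_URI
    if ([string]::IsNullOrWhiteSpace($uri)) {
        # NOTE(review): plain HTTP puts the token and all collected host data on the wire in
        # clear text. HEC is normally deployed with TLS; prefer an https:// endpoint here.
        $uri = "http://10.55.12.78:8088/services/collector/event"
    }
    $case_number = $env:IR_CASE_NUMBER
    if ([string]::IsNullOrWhiteSpace($case_number)) { $case_number = "EJDIE34500" }

    $headers = @{"Authorization" = "Splunk $token"}
    $body = @{
        "host" = $env:COMPUTERNAME;
        "source" = "IR-triage-script";
        "sourcetype" = "IR-RESTapi";
        "index" = "main";
        "event" = @{
            "case_number" = $case_number;
            "info" = $input_content;
        }
    }
    # ConvertTo-Json's default depth (2) stringifies anything nested deeper than body/event/info,
    # which loses the members of the collected objects; 4 keeps ordinary cmdlet output intact.
    $json_body = ConvertTo-Json -InputObject $body -Compress -Depth 4
    # -ErrorAction Stop: a rejected POST (bad token, unreachable collector) becomes an exception
    # rather than a console warning that is easy to miss during an incident.
    Invoke-RestMethod -Method POST -Uri $uri -Headers $headers -ContentType "application/json" -Body $json_body -ErrorAction Stop
}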
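# Picks the collection path by PowerShell version. Get-LocalUser / Get-NetConnectionProfile /
# Get-DnsClient* are available from Windows PowerShell 5.x on (and, through the Windows
# compatibility layer, in PowerShell 7 on Windows), so the test is ">= 5" rather than "== 5":
# PowerShell 6/7 reports Major 6/7 and no longer ships Get-WmiObject, so the old equality check
# would have routed it into the legacy branch where every WMI call fails.
# -ErrorAction Stop converts the cmdlets' non-terminating errors into exceptions so the
# try/catch blocks actually record the failure instead of silently storing $null.
if ($PSVersionTable.PSVersion.Major -ge 5){
    # Local user accounts: name, enabled flag, description, last logon.
    try{
        $local_users = Get-LocalUser -ErrorAction Stop
    }catch{
        $local_users = "Error running Get-LocalUser cmdlet."
    }
    $objects_to_send += $local_users
    # Network connection profiles (interface alias, category, connectivity state).
    try{
        $network_profile = Get-NetConnectionProfile -ErrorAction Stop
    }catch{
        $network_profile = "Error running Get-NetConnectionProfile cmdlet."
    }
    $objects_to_send += $network_profile
    # DNS client cache: highly volatile, hence collected early.
    try{
        $dns_cache = Get-DnsClientCache -ErrorAction Stop
    }catch{
        $dns_cache = "Error running Get-DnsClientCache cmdlet."
    }
    $objects_to_send += $dns_cache
    # Configured DNS servers per interface.
    try{
        $dns_server_address = Get-DnsClientServerAddress -ErrorAction Stop
    }catch{
        $dns_server_address = "Error running Get-DnsClientServerAddress cmdlet."
    }
    $objects_to_send += $dns_server_address
} else {
    # Legacy (WMI) path for Windows PowerShell 2.0 - 4.0.
    # Local accounts only; the LocalAccount filter keeps WMI from enumerating domain accounts.
    try{
        $local_users_wmi = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" -ErrorAction Stop |
            Select-Object PsComputername, Name, Status, Disabled, AccountType, Lockout, PasswordRequired, PasswordChangeable, SID
    }catch{
        $local_users_wmi = "Error running legacy Local User (WMI) cmdlet."
    }
    $objects_to_send += $local_users_wmi
    # Hardware and last-logged-in user. The previous revision assigned only a "ComputerName"
    # banner string to this variable and let the WMI object fall through to the console, so the
    # hardware data never reached Splunk; the computer name is now a property of the object.
    try{
        $computer_system_info = Get-WmiObject -ComputerName $env:COMPUTERNAME -Class Win32_ComputerSystem -ErrorAction Stop |
            Select-Object @{Name = "ComputerName"; Expression = { $env:COMPUTERNAME }}, Username, Domain, Manufacturer, Model, SystemType, PrimaryOwnerName, TotalPhysicalMemory
    }catch{
        $computer_system_info = "Error running legacy Computer System Information (WMI) cmdlet."
    }
    $objects_to_send += $computer_system_info
    # IP configuration for adapters that hold an address: gateway, DHCP, DNS and WINS settings.
    # IPAddress / IPSubnet / DefaultIPGateway are string arrays; ConvertTo-Json emits them as JSON
    # lists, so the old brace-stripping Replace() calls (which were no-ops) are gone.
    try{
        $ip_dns_config = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ErrorAction Stop |
            Where-Object { $null -ne $_.IPAddress } |
            Select-Object PSComputerName, IPAddress, IPSubnet, DefaultIPGateway, Description, DHCPEnabled, DHCPServer, DNSDomain, DNSDomainSuffixSearchOrder, DNSServerSearchOrder, WINSPrimaryServer, WINSSecondaryServer
    }catch{
        $ip_dns_config = "Error running legacy IP/DNS Config (WMI) cmdlet."
    }
    $objects_to_send += $ip_dns_config
}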
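# Running processes with their owning user. -IncludeUserName needs an elevated session; on
# failure the error text is recorded so the gap is visible in Splunk rather than silent.
try{
    $process_list = Get-Process -IncludeUserName -ErrorAction Stop
}catch{
    $process_list = "Error running Get-Process cmdlet with -IncludeUserName option. Were you running as Admin?"
}
$objects_to_send += $process_list
# All services, running and stopped.
try{
    $services = Get-Service -ErrorAction Stop
}catch{
    $services = "Error running Get-Service cmdlet."
}
$objects_to_send += $services
# Installed software. Listing HKLM:\Software only yields vendor subkey names; the Uninstall
# keys (64-bit and 32-bit views) are what Programs and Features is built from, so read those.
# SilentlyContinue covers the Wow6432Node view being absent on 32-bit Windows.
try{
    $uninstall_keys = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    )
    $registry_software = Get-ItemProperty -Path $uninstall_keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, UninstallString
}catch{
    $registry_software = "Error reading installed software from the registry Uninstall keys."
}
$objects_to_send += $registry_software
# Immediate subkeys of HKLM:\System (ControlSet roots, Setup, etc.) as a quick inventory.
# This is key names only; the values beneath them are not collected.
try{
    $registry_system = Get-ChildItem "HKLM:\System" -ErrorAction Stop
}catch{
    $registry_system = "Error running Get-ChildItem on HKLM:\System registry key."
}
$objects_to_send += $registry_system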
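# Scheduled tasks, enumerated recursively through the Task Scheduler COM API.
$tasks = @()
# Returns one psobject per task beneath $path (including every sub-folder) carrying its name,
# path, last/next run time and the Exec actions flattened to "command arguments" strings.
# Reads the script-scope $schedule COM object, which must be connected before the first call.
# GetTasks(1) passes TASK_ENUM_HIDDEN so hidden tasks are included; the previous flag 0 skipped
# them, which is precisely where persistence tends to hide.
# Only Exec actions are expanded; ComHandler, e-mail and message actions are not reported.
function getTasks($path) {
    $out = @()
    $folder = $schedule.GetFolder($path)
    $folder.GetTasks(1) | ForEach-Object {
        $xml = [xml]$_.Xml
        # @() keeps Actions an array even when a task has exactly one Exec action.
        $actions = @($xml.Task.Actions.Exec | ForEach-Object { "$($_.Command) $($_.Arguments)" })
        $out += New-Object psobject -Property @{
            "Name" = $_.Name
            "Path" = $_.Path
            "LastRunTime" = $_.LastRunTime
            "NextRunTime" = $_.NextRunTime
            "Actions" = $actions
        }
    }
    $folder.GetFolders(0) | ForEach-Object {
        $out += getTasks $_.Path
    }
    $out
}
try{
    $schedule = New-Object -ComObject "Schedule.Service"
    $schedule.Connect()
    $tasks += getTasks "\"
}catch{
    $tasks = "Error retrieving Scheduled Tasks list."
}
$objects_to_send += $tasks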
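# PowerShell transcription logs. The policy value OutputDirectory is the authoritative location
# (transcription writes into dated sub-folders beneath it), with C:\temp\PowerShellLogs as the
# fallback used in this environment; the previous revision preferred the fallback and read the
# directory non-recursively, so it hit the date folders instead of the transcript files.
# Transcripts capture everything typed into a console, credentials included, so be deliberate
# about shipping them off-host.
$default_transcription_path = 'C:\temp\PowerShellLogs'
$transcription_file_path = $null
try{
    $transcription_file_path = Get-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription" -ErrorAction Stop |
        Select-Object -ExpandProperty OutputDirectory -ErrorAction Stop
}catch{
    # Key or value absent: transcription is not configured by policy on this host.
    $transcription_file_path = $null
}
try{
    $transcription_dir = @($transcription_file_path, $default_transcription_path) |
        Where-Object { $_ -and (Test-Path -Path $_ -PathType Container) } |
        Select-Object -First 1
    if ($transcription_dir){
        # PSIsContainer rather than -File so the legacy (PowerShell 2.0) branch still works.
        $ps_transcription_logs = Get-ChildItem -Path $transcription_dir -Recurse -ErrorAction Stop |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { Get-Content -Path $_.FullName -ErrorAction Stop }
    }else{
        $ps_transcription_logs = "[!] Error: PowerShell Log directory doesn't exist."
    }
}catch{
    $ps_transcription_logs = "Error retrieving PowerShell Transcription logs. Is Transcription enabled on this machine?"
}
$objects_to_send += $ps_transcription_logs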
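# Script block logging events: 4104 = script block text, 4103 = module logging / pipeline
# execution. 4104 is populated fully only when Script Block Logging is enabled by policy.
# -ErrorAction Stop makes the "no events found" case land in the catch instead of leaving the
# variable $null. No MaxEvents cap is applied, so on a busy host this payload can be large.
try{
    $getScriptBlockLog = Get-WinEvent -FilterHashTable @{
        LogName = "Microsoft-Windows-PowerShell/Operational";
        ID = 4103, 4104
    } -ErrorAction Stop
}catch{
    $getScriptBlockLog = "Error retrieving Deep Script Block logs."
}
$objects_to_send += $getScriptBlockLog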
# echo $getScriptBlockLog
# $getScriptBlockLog | Get-Member lists all the properties of the event objects.
# Prints the detailed Script Block Log message of each event.
# $getScriptBlockLog.Message
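# Process creation events (Security 4688). Reading the Security log requires an elevated
# session, and 4688 only exists when "Audit Process Creation" is enabled; the command line is
# present only if "Include command line in process creation events" is also switched on.
try{
    $newProcessCreation = Get-WinEvent -FilterHashTable @{
        LogName = "Security";
        ID = 4688
    } -ErrorAction Stop
}catch{
    $newProcessCreation = "Error retrieving New Process Creation (ID=4688) from Security logs."
}
$objects_to_send += $newProcessCreation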
# $newProcessCreation | Get-Member lists all the properties of the event objects.
# Prints the detailed message for each event.
# $newProcessCreation.Message
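# Established and listening TCP endpoints with their owning PID. netstat -ano does not need
# elevation (only -b, which resolves the owning executable, does). netstat.exe is a native
# command, so a failure does not raise an exception; its exit code is checked explicitly.
try{
    $network_connections = netstat.exe -ano | Select-String -Pattern "established", "listening"
    if ($LASTEXITCODE -ne 0){
        throw "netstat.exe exited with code $LASTEXITCODE"
    }
}catch{
    $network_connections = "Error retrieving network connection information."
}
$objects_to_send += $network_connections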
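# Get-NetTCPConnection (PowerShell 4+ / Windows 8+) is the cmdlet alternative to netstat and
# does expose the owning PID through its OwningProcess property; netstat is kept so the
# legacy branch keeps working.
# Ship every collected item as its own HEC event. $null entries (a cmdlet that returned nothing
# without erroring) are skipped so they do not become empty events. The compact JSON is also
# echoed to the console so the operator can see what left the box.
$objects_to_send | ForEach-Object{
    if ($null -eq $_){ return }   # 'return' inside ForEach-Object skips to the next item
    $_ | Select-Object * | ConvertTo-Json -Compress
    postResultsToSplunk $_
}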