Powershell 7 (Powershell Core)/ C# cross platform forensic framework. Built by incident responders for incident responders.
- Laser focused on automating incident response actions, rather than system monitoring. Aims to eliminate Tier I and Tier II adversaries described in the article Resilient Military Systems and the Advanced Cyber Threat (https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-081.pdf)
- Tightly controlled and well recorded interation with remote systems
- Fun and interesting
- No need to use a host agent - this tool uses living off the land techniques, combined with the WinPmem executeable
- Your own endpoint with the following installed:
- Powershell Core
- Python 3.7 (minimum)
- Plenty of storage space (I'd recommend at least 100Gb if you're looking to extract memory)
- Plenty of processing power. (I'd recommend at least a 9th generation i5 or AMD equivalent). The framework makes extensive use of parallelization to operate at scale, so the more powerful the greater your reach will be.
- Reasonable Powershell experience. This program is currently in Beta, so there's likely to be a bit of interaction to use it.
- Navigate to https://hub.docker.com/r/jimtin/hosthunter
- Check out if this is what you're looking for and then download and use. Let me know how it goes if there's anything I can do to improve :)
- Clone repository into your own directory
- Open Powershell Core as administrator
- Run the loadIRCore script.
.\loadIRCore.ps1- Note: If you are not an Administrator, you will be prompted to restart console as admin
- This script will download a number of files for you. Take time to understand what is being downloaded.
- You will be prompted for credentials.
- Create a target:
New-Target -Target 127.0.0.1 - Start running commands against the target. Some examples:
- Range of basic forensic artefacts on all targets:
Invoke-CoreForensicArtifactGatheringPlaybook - Range of basic forensic artefacts on specific target:
Invoke-CoreForensicArtifactGatheringPlaybook -Target 127.0.0.1
- Range of basic forensic artefacts on all targets:
- To process artefacts into JSON format:
- After using the CoreForensicArtifactGathering Playbook:
Invoke-CoreForensicArtifactProcessingPlaybook - After using the CoreForensicArtifactGathering Playbook, but processing a specific target:
Invoke-CoreForensicArtifactProcessingPlaybook -Target 127.0.0.1
- After using the CoreForensicArtifactGathering Playbook:
- You have administrative access to your network
- The access you use on your network is secure
A cool example of what happens when you combine operational experience with engineering expertise to automate common Incident Response processes
This playbook automates the gathering of core forensic artefacts. Moreover, it's simple to add more in if you need to. These artefacts are almost always asked for by incident reponders, yet no tool on the market does it as seamlessly as this.
- Records all actions it does, so that when you inevitably need to figure out what has happened on the endpoint, you know which actions were you and which were the adversaries.
- Creates a remote staging location, innocuously named "PerformanceInformation"
- Pushes winpmem across to the remote endpoint
- Checks if there is enough space on the endpoint to dump memory
- Dumps memory
- Extracts the following artefacts to your remote endpoint:
- Memory Dump (and confirms that the hash of what was dumped matches what actually ends up on your machine)
- All the event logs (i.e. the entire event log folder, not just the event logs that some random engineering team thinks are what you need)
- SRUM database (i.e. the forensic artifact which could allow you to a link a user, process and network activity together)
- Key Registry hives
- Prefetch Folder
- Current running processes (for the inevitable question 'Was this process running when we touched this machine?')
- Finishes up by going and deleting the Remote Staging location so that the endpoint doesn't get all clogged up by what you've done
- Runs the entire process as Powershell Job, so can be mulithreaded. Registers the job with the native windows notification icon, so will simply notify you when completed
Pretty awesome. And it's just the start. Using this platform, significant post-processing is also available :)
This playbooks automatically processes all the artefacts gathered by the CoreForensicArtifactGatheringPlaybook. Naturally there will be times when not all artefacts are gathered, so this playbook processes what is available and continues onwards. Best of all, all artefacts are output in JSON so they can be easily uploaded to your SIEM of choice.
- Records all actions it does, so that when you inevitably need to figure out what has happened on the endpoint, you know which actions were you and which were the adversaries.
- Processes the following artefacts:
- SRU Database, using Mark Baggerts srum_dump2
- Prefetch, using Eric Zimmerman's PECmd
- Volatility commands using Volatility3
- Some Windows EventLogs (with more being added) using my own custom processing
- Outputs all results in JSON, into a folder title "ProcessedArtefacts"
- Runs the entire process as Powershell Job, so can be mulithreaded. Registers the job with the native windows notification icon, so will simply notify you when completed
- Makes use of the Windows ToolTip API. Combined with the use of jobs to multithread operations, this framework can gather these artefacts from multiple endpoints simultaneously.
- Means you can continue to do other actions while the time consuming actions (i.e. extracting memory) continue.
- By using extensive use of living-off-the-land techniques, the artefacts left behind by this framework are minimal. Contrast this to many SOC tools and Incident Responders will appreciate the cleanliness of these actions.
- Integrate the ability to zip using native windows tools
- Integrate the ability to automatically upload to cloud storage (likely Amazon s3)
- Start doing some basic post-processing analysis to make IR jobs even easier