This Project Show us, How we can leverage Powershell script automation to collect artifacts and create work efficient. The motive of this Project is to reduce manual efforts and increase productivity.
This Project contains multiple PowerShell scripts that can help you respond to cyber attacks on Windows Devices.
- Familiar with commandline-interface.
- Moderate knowledge of Powershell.
- Windows machine.
- Vmware or Virtualbox.
- Admin permissions for better performance.
The following Incident Response scripts are included:
- DFIR Script: Collects all items as listed in section DFIR Script.
- CollectWindowsEvents: Collects all Windows events and outputs it as CSV.
- CollectWindowsSecurityEvents: Collects all Windows security events and outputs it as CSV.
- CollectPnPDevices: Collects all Plug and Play devices, such as USB, Network and Storage.
- DumpLocalAdmins: Returns all local admins of a device.
- LastLogons - List the last N successful logins of a device.
- ListInstalledSecurityProducts - List the installed security products and their status.
- ListDefenderExclusions - List the FolderPath, FileExtension, Process and IP exclusions that are defined.
The DFIR script collects information from multiple sources and structures the output in the current directory in a folder named 'DFIR-hostname-year-month-date'. This folder is zipped at the end, so that folder can be remotely collected. This script can also be used within Defender For Endpoint in a Live Response session (see below). The DFIR script collects the following information when running as normal user:
- Local IP Info
- Open Connections
- Aautorun Information (Startup Folder & Registry Run keys)
- Active Users
- Local Users
- Connections Made From Office Applications
- Active SMB Shares
- RDP Sessions
- Active Processes
- Active USB Connections
- Powershell History
- DNS Cache
- Installed Drivers
- Installed Software
- Running Services
- Scheduled Tasks
- Browser history and profile files
For the best experience run the script as admin, then the following items will also be collected:
- Windows Security Events
- Remotely Opened Files
- Shadow Copies
The DFIR Commands page contains invidividual powershell commands that can be used during your incident response process. The follwing catagories are defined:
- Connections
- Persistence
- Windows Security Events
- Processes
- User & Group Information
- Applications
- File Analysis
- Collect IOC Information
-
Start Windows machine and also open Powershell with Admin privileges, So the script can provide better output.
-
The script can be excuted by running the following command.
.\DFIR-Script.ps1- The script is unsigned, that could result in having to use the -ExecutionPolicy Bypass to run the script.
Powershell.exe -ExecutionPolicy Bypass .\DFIR-Script.ps1It is possible to use the DFIR Script in combination with the Defender For Endpoint Live Repsonse. Make sure that Live Response is setup (See DOCS). Since my script is usigned a setting change must be made to able to run the script.
- Security.microsoft.com
- Settings
- Endpoints
- Advanced Features
- Make sure that Live Response is enabled
- If you want to run this on a server enable live resonse for servers
- Enable Live Response unsigened script execution
Step 1 : Go to the device page
Step 2 : Initiate Live Response session
Step 3 : Upload File to library to upload script
Step 4 : After uploading the script to the library, use the run command to run the script
To collect the output of the DFIR script perform the following actions:
getfile "C:\windows\DFIR-TestDevice-2024-08-03.zip" & - Microsoft Documentation Live Response
- DFE User permissions
- Defender For Endpoint Settings Live Response
Finally, we have created the DFIR project, where we learned about using PowerShell in EDR, how we can integrate with it, and how to collect artifacts with automation.
In the future release, I have some ideas in mind that I will surely implement in this project.
Hope you enjoyed Project creation and if you want more information on Project message me on linkedin.
💝💝Happy Learning !!!!! 💝💝
If you like my project make it star ⭐ in your github and also follow👆 for upcoming releases.