Windows incident response script
PowerShell is object-based, not text-based. The output of a command is an object, and you can send that output object through the pipeline to another command as its input.
The pipeline provides a familiar interface for people experienced with other shells; PowerShell extends the concept by passing objects rather than text. There are two types of PowerShell:
Suppose there is a NanoCore malware infection in our environment and we are at the eradication step of incident response. We will learn which PowerShell commands can be used for incident response; the approach is applicable to any malware family. To keep it simple, we will consider the following points:
The main goal of the eradication step in incident response is to remove all malware artifacts from the system and then verify whether the system has been completely cleaned.
Make sure you are running PowerShell with administrator privileges; otherwise you will not be able to remediate the system. First we have to check whether the malicious process RAVBg is running. The Get-Process cmdlet lists the currently executing processes, as shown in the picture below. For quick reference, see the PowerShell Cheat Sheet on GitHub, which includes all the commands discussed in this article. We know this RAVBg process. (Only applicable for Windows PowerShell 5.)
You may need to stop this process imapsv.

It is designed for small-to-medium sized digital investigations and acquisitions.
NST - Network Security Toolkit - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional. It comes with many open source forensics tools included.
Security Onion - Special Linux distro aimed at network security monitoring, featuring advanced analysis tools.
SANS Investigative Forensic Toolkit (SIFT) Workstation - Demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques for intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
Event Log Explorer - Tool developed to quickly analyze log files and other data.
Users can immediately leverage threat intelligence for security monitoring and incident response (IR) activities in the workflow of their existing security operations.
LogonTracer - Tool to investigate malicious Windows logons by visualizing and analyzing Windows event logs.
StreamAlert - Serverless, real-time log data analysis framework, capable of ingesting custom data sources and triggering alerts using user-defined logic.
SysmonSearch - Makes Windows event log analysis more effective and less time consuming by aggregating event logs.

Volatility is an open-source memory forensics framework for incident response and malware analysis.
This tool searches for malware in memory images and dumps configuration data. In addition, it has a function to list the strings to which malicious code refers.
Memoryze - Free memory forensic software that helps incident responders find evil in live memory.
A lower number of features, however.
Orochi - Open source framework for collaborative forensic memory dump analysis.
Rekall - Open source tool and library for the extraction of digital artifacts from volatile memory (RAM) samples.
Volatility - Advanced memory forensics framework.
Volatility 3 - The volatile memory extraction framework, successor of Volatility.
VolatilityBot - Automation tool for researchers that cuts all the guesswork and manual tasks out of the binary extraction phase, or helps the investigator in the first steps of performing a memory analysis investigation.
WindowsSCOPE - Memory forensics and reverse engineering tool used for analyzing volatile memory, offering the capability of analyzing the Windows kernel, drivers, DLLs, and virtual and physical memory. Supports recent versions of Windows.
OSForensics - Tool to acquire live memory on bit and bit systems.
Awesome Forensics - A curated list of awesome forensic analysis tools and resources.

Other Tools
Cortex - Allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes, one by one or in bulk mode, using a web interface.
Crits - Web-based tool which combines an analytic engine with a cyber threat database.
Diffy - DFIR tool developed by Netflix's SIRT that allows an investigator to quickly scope a compromise across cloud instances (Linux instances on AWS, currently) during an incident and efficiently triage those instances for follow-up actions by showing differences against a baseline.
Fileintel - Pull intelligence per file hash.
Hostintel - Pull intelligence per host.
Kansa - Modular incident response framework in PowerShell.
Munin - Online hash checker for VirusTotal and other services.
PowerSponse - PowerShell module focused on targeted containment and remediation during security incident response.
RaQet - Unconventional remote acquisition and triaging tool that allows triaging the disk of a remote computer (client) that is restarted with a purpose-built forensic operating system.
Scout2 - Security tool that lets Amazon Web Services administrators assess their environment's security posture.
Stenographer - Packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as possible, managing disk usage and deleting when disk limits are hit. It is ideal for capturing the traffic just before and during an incident, without the explicit need to store all of the network traffic.
X-Ray 2.
Counteractive Playbooks - Counteractive Playbooks collection.

Set this to true in order to see the newest logs first.

It allows you to display active TCP connections, listening ports and a whole bunch of other stats, including which process ID the connection is associated with.
It is very useful for determining which process is associated with a PID. For example, if you notice a strange connection in the netstat output, you can determine the owning process with this tool.
The net family has multiple siblings. All of them are helpful in identifying system information as well as active network activity.
Having WMIC in your toolkit can immensely speed up the process of determining system information in IR, pen tests and system administration. There are some neat scripts out there that will gather a bunch of system data through WMIC for post-exploitation and enumeration as well. This command will display the name and parent process ID of a given process ID.
This would be the next step after determining which process is performing strange network activity. The parent process is the process that spawned the suspicious process. You can then follow up by running the same command with the parent process ID to determine the name of the parent process. You probably want to shut your firewall off for this quiz since it will run a harmless backdoor on your host.