Bert-JanP / Incident-Response-Powershell

PowerShell Digital Forensics & Incident Response Scripts.
BSD 3-Clause "New" or "Revised" License
514 stars 73 forks source link
forensics-tools incident-response powershell

Powershell Digital Forensics & Incident Response (DFIR)Tweet

This repository contains multiple PowerShell scripts that can help you respond to cyber attacks on Windows Devices.

The following Incident Response scripts are included:

Related Blogs:

DFIR Script - Extracted Artefacts

The DFIR script collects information from multiple sources and structures the output in the current directory in a folder named 'DFIR-hostname-year-month-date'. This folder is zipped at the end, so that folder can be remotely collected. This script can also be used within Defender For Endpoint in a Live Response session (see below). The DFIR script collects the following information when running as normal user:

For the best experience run the script as admin, then the following items will also be collected:

SIEM Import Functionality

The forensic artefacts are exported as CSV files, which allows responders to ingest them into their tooling. Some example tools in which you can ingest the data are Sentinel, Splunk, Elastic or Azure Data Explorer. This will allow you to perform filtering, aggregation and visualisation with your preferred query language.

The folder CSV Results (SIEM Import Data) includes all the CSV files containing the artefacts, the folder listing is shown below.

Name
----
ActiveUsers.csv
AutoRun.csv
ConnectedDevices.csv
DefenderExclusions.csv
DNSCache.csv
Drivers.csv
InstalledSoftware.csv
IPConfiguration.csv
LocalUsers.csv
NetworkShares.csv
OfficeConnections.csv
OpenTCPConnections.csv
PowerShellHistory.csv
Processes.csv
RDPSessions.csv
RemotelyOpenedFiles.csv
RunningServices.csv
ScheduledTasks.csv
ScheduledTasksRunInfo.csv
SecurityEvents.csv
ShadowCopy.csv
SMBShares.csv

DFIR Commands

The DFIR Commands page contains individual PowerShell commands that can be used during your incident response process. The following categories are defined:

Windows Usage

The script can be executed by running the following command.

.\DFIR-Script.ps1

The script is unsigned, that could result in having to use the -ExecutionPolicy Bypass to run the script.

Powershell.exe -ExecutionPolicy Bypass .\DFIR-Script.ps1

DFIR Script | Defender For Endpoint Live Response Integration

It is possible to use the DFIR Script in combination with the Defender For Endpoint Live Response. Make sure that Live Response is setup (See DOCS). Since my script is unsigned, a setting change must be made to be able to run the script.

There is a blog article available that explains more about how to leverage Custom Script in Live Response: Incident Response Part 3: Leveraging Live Response

To run unsigned scripts live Response:

Execute script:

Docs