Using PowerShell to Collect Incident Information

PowerShell is a fairly common automation tool that is often used by both malware developers and information security experts.

This article looks at one way of using PowerShell to remotely collect data from endpoints when responding to an information security incident. A script is written that runs on the target device, and each part of that script is then described in detail.



function CSIRT {
    param($path)

    # The cmdlets used below need PowerShell 5 or later
    if ($psversiontable.psversion.major -ge 5) {
        # Output directory: <path>\<computer name>\<date>
        $date = Get-Date -Format dd.MM.yyyy_hh_mm
        $Computer = $env:COMPUTERNAME
        New-Item -Path $path\$computer\$date -ItemType 'Directory' -Force | Out-Null
        $path = "$path\$computer\$date"

        # Running processes with PID, PPID and command line
        $process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

        # Network connections (UDP endpoints have no remote address or state, so those columns stay empty)
        $netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state
        $netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

        # Scheduled tasks, with filters on the author field to drop Microsoft and %systemroot% tasks
        $task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname |
            where author -notlike '**' | where author -ne $null |
            where author -notlike '*@%systemroot%\*' | where author -notlike '*microsoft*'
        $job = Get-ScheduledJob

        # Alternate data streams of the files in the current directory
        $ADS = get-item * -stream * | where stream -ne ':$Data'

        # Logged-in users
        $user = quser

        # Autorun entries for the current user and for the machine
        $runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\"
        $runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run\"

        # Write each data set to its own text file
        $array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
        $arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine", "ScheduledJob", "AlternativeDataStream"
        for ($w = 0; $w -lt $array.count; $w++) {
            $name = $arrayName[$w]
            $array[$w] >> $path\$name.txt
        }
    }
}



To begin, the CSIRT function is defined. It takes one argument: the path where the collected data is to be saved. Because the cmdlets used here require PowerShell 5 or later, the PowerShell version is checked first so that the script works correctly.



function CSIRT {
    param($path)
    # The cmdlets used below need PowerShell 5 or later, so check the version first
    if ($psversiontable.psversion.major -ge 5) {



For easier navigation through the created files, two variables are initialized: $date and $Computer, which hold the current date and the computer name. Together they form the output directory.



$date = Get-Date -Format dd.MM.yyyy_hh_mm
$Computer = $env:COMPUTERNAME
# Create <path>\<computer name>\<date> and use it as the output directory
New-Item -Path $path\$computer\$date -ItemType 'Directory' -Force | Out-Null
$path = "$path\$computer\$date"



We get the list of running processes as follows: the $process variable is assigned the output of the get-ciminstance cmdlet with the win32_process class. The Select-Object cmdlet picks the output properties; in our case these are parentprocessid (the parent process identifier, PPID), creationdate (the date the process was created), processid (the process identifier, PID), processname (the process name) and commandline (the command line the process was started with).



# Running processes with PID, PPID and the full command line
$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid



To get a list of all TCP connections and UDP endpoints, we create the $netTCP and $netUDP variables and assign them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets, respectively.



$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state
# UDP endpoints have no remote address, remote port or state, so those columns stay empty
$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state



It is also important to know the list of scheduled tasks and scheduled jobs. To do this, use the get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the $task and $job variables. Since there are a lot of scheduled tasks in the system, it is worth filtering out legitimate ones in order to spot malicious activity. The Select-Object cmdlet picks the properties of interest, and the Where-Object filters on the author field remove the system tasks.



# $task holds the scheduled tasks, excluding those whose author is empty,
# contains "Microsoft" or matches "*@%systemroot%\*"
$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname |
    where author -notlike '**' | where author -ne $null |
    where author -notlike '*@%systemroot%\*' | where author -notlike '*microsoft*'
$job = Get-ScheduledJob



The NTFS file system has a feature called alternate data streams (ADS): a file in NTFS can be associated with several additional data streams of arbitrary size. Data stored in an ADS is not visible to standard system checks, which makes it a place where malicious code or data can be hidden.



To list alternate data streams in PowerShell, we use the get-item cmdlet with the -stream parameter set to * so that all streams are shown, and store the result in the $ADS variable. The default stream, :$Data, is filtered out.



# All streams of the files in the current directory except the default :$Data stream
$ADS = get-item * -stream * | where stream -ne ':$Data'



It is also useful to know which users are logged in. To do this, create the $user variable and assign it the output of the quser program.



# Logged-in users
$user = quser



To gain a foothold in the system, attackers can add entries to autorun. The Get-ItemProperty cmdlet can be used to view the autorun entries in the registry.

Let's create two variables: $runUser, for entries that start on behalf of the current user (HKCU), and $runMachine, for entries that start on behalf of the computer (HKLM).



# Autorun entries for the current user and for the machine
$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run\"



So that all the information is recorded in different files, we create an array with variables and an array with file names.



# The collected data sets and, in the same order, the file names they are written to
$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine", "ScheduledJob", "AlternativeDataStream"



And, using a for loop, the received data will be written to files.



for ($w = 0; $w -lt $array.count; $w++) {
    $name = $arrayName[$w]
    $array[$w] >> $path\$name.txt
}
    }   # end of the PowerShell version check
}       # end of function CSIRT



After the script is executed, 9 text files containing the necessary information will be created.
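One caveat about the `>>` redirection: it stores the default table view, which truncates long fields such as the process command line at the console width. As an added example (not the article's code), the helper below writes each data set both as CSV, so full values survive, and as a Format-List text file, and then records a SHA256 manifest of the evidence files with Get-FileHash; the name Save-IrArtifact and the sample data sets are mine.

```powershell
# Added example, not the article's code. Stores each collected data set as CSV
# (full field values) and as a Format-List text file, then hashes every file.
function Save-IrArtifact {
    param(
        [Parameter(Mandatory)] [string]$OutDir,
        [Parameter(Mandatory)] [hashtable]$DataSets   # name -> collected objects
    )
    New-Item -Path $OutDir -ItemType Directory -Force | Out-Null

    foreach ($name in $DataSets.Keys) {
        $data = @($DataSets[$name])
        if ($data.Count -eq 0) { continue }   # nothing collected, skip
        $csv = Join-Path $OutDir "$name.csv"
        $txt = Join-Path $OutDir "$name.txt"
        # quser returns plain strings; everything else is objects with properties
        if ($data[0] -is [string]) {
            $data | Set-Content -Path $txt -Encoding UTF8
        } else {
            $data | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8
            # Format-List never truncates a value, unlike the default table view
            $data | Format-List * | Out-File -FilePath $txt -Encoding UTF8 -Width 4096
        }
    }

    # Manifest of SHA256 hashes so later handling of the files can be verified
    Get-ChildItem -Path $OutDir -File |
        Where-Object Name -ne 'manifest.csv' |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{n = 'File'; e = { Split-Path $_.Path -Leaf }}, Hash |
        Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
}

# Usage: the same collections as the article's script, keyed by the same file names
$sets = @{
    Processes  = Get-CimInstance -ClassName Win32_Process |
                 Select-Object CreationDate, ProcessName, ProcessId, CommandLine, ParentProcessId
    TCPConnect = Get-NetTCPConnection |
                 Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, State
    Users      = quser 2>$null
}
$out = Join-Path $env:TEMP ("IR_{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
Save-IrArtifact -OutDir $out -DataSets $sets
Import-Csv (Join-Path $out 'manifest.csv') | Format-Table -AutoSize
```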



PowerShell thus gives security professionals a way to gather and enrich the information they need for a variety of tasks. By running such a script on the endpoints, for example at startup, a good part of the needed information can be obtained without taking memory dumps or disk images.
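The article mentions remote collection but does not show it. As an added example (not the article's code), the script below runs the CSIRT function on remote hosts over WinRM with Invoke-Command, copies the result folders back with Copy-Item -FromSession (PowerShell 5 or later), and checks that the SHA256 hashes of the copied files match those computed on the host. It assumes the article's function is saved locally as CSIRT.ps1 (a hypothetical file name); the host names and the C:\IR path are placeholders.

```powershell
# Added example, not the article's code. Assumes the article's function is saved
# locally as .\CSIRT.ps1 (hypothetical file name) and WinRM is enabled on the targets.
. .\CSIRT.ps1

$targets    = 'WS01', 'WS02'        # placeholder host names
$remoteRoot = 'C:\IR'               # placeholder collection path on the hosts
$localRoot  = Join-Path $PWD 'Collected'
$definition = ${function:CSIRT}.ToString()   # function body to ship to the hosts

# Runs on the remote host: define CSIRT from the shipped body, collect, then hash
# every produced file so the copy can be verified afterwards.
$remoteScript = {
    param([string]$Definition, [string]$Root)
    Set-Item -Path function:CSIRT -Value ([scriptblock]::Create($Definition))
    CSIRT -path $Root
    Get-ChildItem -Path $Root -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash
}

$sessions = New-PSSession -ComputerName $targets
$remoteHashes = Invoke-Command -Session $sessions -ScriptBlock $remoteScript `
    -ArgumentList $definition, $remoteRoot

# Pull the evidence back over the same sessions (Copy-Item -FromSession needs PS 5+)
foreach ($s in $sessions) {
    $dest = Join-Path $localRoot $s.ComputerName
    New-Item -Path $dest -ItemType Directory -Force | Out-Null
    Copy-Item -FromSession $s -Path "$remoteRoot\*" -Destination $dest -Recurse -Force
}
Remove-PSSession $sessions

# Compare each hash computed on the host with the hash of the copied file
$report = foreach ($h in $remoteHashes) {
    $relative  = $h.Path.Substring($remoteRoot.Length).TrimStart('\')
    $localFile = Join-Path (Join-Path $localRoot $h.PSComputerName) $relative
    $localHash = if (Test-Path $localFile) { (Get-FileHash $localFile -Algorithm SHA256).Hash }
    [pscustomobject]@{
        Host   = $h.PSComputerName
        File   = $relative
        Intact = ($localHash -eq $h.Hash)   # $false means the copy differs or is missing
    }
}
$report | Format-Table -AutoSize
```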


