Quick PowerShell DFIR script
<#
.SYNOPSIS
    Triage a single suspicious file on the local host.
.PARAMETER SuspiciousPath
    Path to the file under investigation. The parser does not enforce it,
    but the script prints usage and stops when it is missing.
.PARAMETER UserName
    Account to focus the logon-event review on; when omitted, the file
    owner is proposed interactively.
.PARAMETER Help
    Print usage and stop.
#>
param(
    [Parameter()]
    [string]$SuspiciousPath,

    [Parameter()]
    [string]$UserName,

    [Parameter()]
    [switch]$Help
)
# Print usage to the console and terminate the script.
# Called when -Help is given or -SuspiciousPath is missing; never returns.
function Show-Help {
    $usage = @'
Usage: .\script.ps1 [-SuspiciousPath] <path> [-UserName <username>] [-Help]
Investigate a suspicious file.

Options:
 -SuspiciousPath <path> Path to the suspicious file (required).
 -UserName <username> Manually specify the username for investigation.
 -Help Show this help message.

Examples:
 .\script.ps1 -SuspiciousPath "C:\Users\csanders\Downloads\suspicious.txt"
 .\script.ps1 -SuspiciousPath "C:\Users\csanders\Downloads\suspicious.exe" -UserName "johndoe"
'@
    Write-Host $usage
    Exit
}
# Show usage (and stop) when asked for it or when the one required input is absent.
if ($Help -or [string]::IsNullOrEmpty($SuspiciousPath)) {
    Show-Help
}
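# Resolve the file and the account the investigation should focus on.
# -LiteralPath throughout: the file name is attacker-chosen and may contain
# wildcard characters ([, ], *, ?) that -Path would otherwise interpret.
if (-not (Test-Path -LiteralPath $SuspiciousPath -PathType Leaf)) {
    throw "Suspicious file not found: $SuspiciousPath"
}
# -Force so a Hidden/System file is still returned.
$file = Get-Item -LiteralPath $SuspiciousPath -Force
$owner = (Get-Acl -LiteralPath $SuspiciousPath).Owner
# Owner is normally DOMAIN\user; keep the account part. NOTE(review): when the
# SID cannot be resolved the owner is a raw SID string with no backslash and is
# passed through unchanged - confirm that is acceptable for the prompt below.
$extractedUserName = $owner.Split('\')[-1]
if ($UserName) {
    $user = $UserName
} else {
    Write-Host "File Owner: $extractedUserName"
    $proceed = Read-Host "Do you want to proceed with this user? (Y/N)"
    # -eq on strings is case-insensitive, so "y" is accepted as well.
    if ($proceed -eq "Y") {
        $user = $extractedUserName
    } else {
        $user = Read-Host "Enter the username manually"
    }
}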
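# Basic metadata and a content hash for the triage report.
# Timestamps on disk are easily altered; treat them as a lead, not as proof.
Write-Host "Checking file properties..."
Write-Host "File Name: $($file.Name)"
Write-Host "File Size: $($file.Length) bytes"
Write-Host "Created: $($file.CreationTime)"
Write-Host "Modified: $($file.LastWriteTime)"
# Hidden/System flags are a common way to keep a file out of casual listings.
Write-Host "Attributes: $($file.Attributes)"
# -LiteralPath so wildcard characters in the file name are not interpreted.
$hash = Get-FileHash -LiteralPath $SuspiciousPath -Algorithm SHA256
Write-Host "SHA256 Hash: $($hash.Hash)"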
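# List the siblings of the suspicious file. -Force includes Hidden and System
# entries, which a plain listing would omit; -LiteralPath avoids wildcard
# interpretation of the directory name.
Write-Host "Analyzing the directory..."
$directory = Split-Path -LiteralPath $SuspiciousPath
Get-ChildItem -LiteralPath $directory -Force | Format-Table -AutoSize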
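# Process-creation events (4688) whose message mentions the file name.
# The name is attacker-chosen, so it is escaped before use as a -like pattern;
# an unescaped '[' or '*' would silently change what matches.
# 4688 is only written when process-creation auditing is enabled.
Write-Host "Reviewing system logs..."
$fileNamePattern = "*$([System.Management.Automation.WildcardPattern]::Escape($file.Name))*"
# Get-WinEvent filters inside the log service instead of loading the whole
# Security log into memory, and it also exists on PowerShell 7 (Get-EventLog
# does not). SilentlyContinue: it reports "no events found" as an error.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like $fileNamePattern }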
# Snapshot of TCP connections created within the last 24 hours.
# NOTE(review): Get-NetTCPConnection reports the current TCP table only;
# connections that have already closed will not appear here.
Write-Host "Investigating network activity..."
$now = Get-Date
$since = $now.AddHours(-24)
Get-NetTCPConnection |
    Where-Object { ($_.CreationTime -ge $since) -and ($_.CreationTime -le $now) }
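# Common persistence locations that reference the file name. The name is
# escaped so wildcard characters in it cannot alter the match.
Write-Host "Examining persistence mechanisms..."
$persistPattern = "*$([System.Management.Automation.WildcardPattern]::Escape($file.Name))*"
# Run keys and Startup folders.
Get-CimInstance Win32_StartupCommand | Where-Object { $_.Command -like $persistPattern }
# Scheduled tasks: Actions is a collection of action objects, so compare each
# action's executable and arguments rather than the collection itself
# (which would stringify to the object type name and never match).
Get-ScheduledTask | Where-Object {
    @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -like $persistPattern
}
# Services whose binary path references the file.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like $persistPattern }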
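# Logon events (4624) whose message mentions the account under investigation.
# The account name may come from user input or the file owner, so escape it
# before using it as a -like pattern.
Write-Host "Analyzing user activity..."
$userPattern = "*$([System.Management.Automation.WildcardPattern]::Escape($user))*"
# SilentlyContinue: Get-WinEvent reports "no events found" as an error.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like $userPattern }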
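# Walk the current user's ShellBag keys looking for a "Command" value.
# NOTE(review): ShellBags hold Explorer folder-view state and do not normally
# carry a "Command" value, and HKCU is the hive of the account running this
# script rather than of $user (that hive lives under HKU:\<SID>) - confirm
# this section does what was intended.
Write-Host "Retrieving command execution history from ShellBags..."
$shellBagsPath = "HKCU:\Software\Microsoft\Windows\Shell\Bags"
$shellBagsItems = Get-ChildItem -LiteralPath $shellBagsPath -Recurse -ErrorAction SilentlyContinue
foreach ($item in $shellBagsItems) {
    # -LiteralPath: key names may contain '[' or ']', which -Path treats as wildcards.
    $value = Get-ItemProperty -LiteralPath $item.PSPath -Name "Command" -ErrorAction SilentlyContinue
    # $null on the left so a collection result is tested, not filtered.
    if ($null -ne $value -and $null -ne $value.Command) {
        Write-Host "Command: $($value.Command)"
    }
}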
# Run a Defender quick scan (the cmdlet's default scan type, made explicit).
# NOTE(review): requires the Defender module and blocks until the scan ends.
Write-Host "Scanning for malware..."
Start-MpScan -ScanType QuickScan
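# Look for the same file name under C:\Users on every domain computer.
# Requires the ActiveDirectory module (RSAT) and remoting rights on each host.
# NOTE(review): -Filter * enumerates the whole domain and every host walks
# C:\Users recursively, which is slow and noisy on a large estate - scope the
# filter (OU, OS, or an explicit host list) before running this at scale.
Write-Host "Investigating similar systems..."
# Build the search pattern locally so the remote side receives a plain,
# wildcard-escaped string instead of a serialized FileInfo object.
$remoteFilePattern = [System.Management.Automation.WildcardPattern]::Escape($file.Name)
$computers = @(Get-ADComputer -Filter *)
if ($computers.Count -eq 0) {
    Write-Host "No domain computers returned by Get-ADComputer."
}
foreach ($computer in $computers) {
    Invoke-Command -ComputerName $computer.Name -ScriptBlock {
        # SilentlyContinue suppresses access-denied noise from other users' profiles.
        Get-ChildItem -Path "C:\Users\" -Recurse -Include $using:remoteFilePattern -ErrorAction SilentlyContinue
    }
}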