Incident Response PowerShell V2

DFIR PowerShell V2

The DFIR PowerShell script has gotten a major update! The script provides you with a single script to collect forensic artefacts on Windows devices. Whether you are responding to incidents with Security E5 licenses or without a security budget, this tool can be executed to collect the needed information to perform the first response.

This blog will discuss the following items:

What’s New in Version 2.0:

  1. SIEM Import Functionality
  • In the world of incident response, seamless collaboration and integration with other tools are essential. The new SIEM import functionality allows you to import the collected artefacts into your preferred SIEM or data analysis tools by also providing the output as CSV files.
  2. Microsoft Protection Log – Artefact Collection
  • The script includes the export of the Microsoft Protection Log (MPLog). These files can contain artefacts of the following activities: process execution, threats detected, security scans and actions, and file existence.
  3. DefenderExclusions – Artefact Collection
  • The script gathers the Defender Exclusions that are configured on the device. The exclusions can contain evidence of excluded files/folders/processes that have not been monitored.
  4. Custom Timeframe Support For Windows Security Event Collection
  • It was already known that Windows Security Events can contain valuable information about attacker behaviour. This option allows users to tailor the timeframe of the collected security events to their specific investigative needs, ensuring a more targeted and efficient response.


SIEM Import Functionality

The biggest addition for responders is that the forensic artefacts are now exported as CSV files, which allows responders to ingest them into their tooling. Some example tools in which you can ingest the data are Sentinel, Splunk, Elastic or Azure Data Explorer (ADX examples are shown later in this blog). This will allow you to perform filtering, aggregation and visualisation with your preferred query language.

The folder CSV Results (SIEM Import Data) includes all the CSV files containing the artefacts; the folder listing is shown below.

Name
----
ActiveUsers.csv
AutoRun.csv
ConnectedDevices.csv
DefenderExclusions.csv
DNSCache.csv
Drivers.csv
InstalledSoftware.csv
IPConfiguration.csv
LocalUsers.csv
NetworkShares.csv
OfficeConnections.csv
OpenTCPConnections.csv
PowerShellHistory.csv
Processes.csv
RDPSessions.csv
RemotelyOpenedFiles.csv
RunningServices.csv
ScheduledTasks.csv
ScheduledTasksRunInfo.csv
SecurityEvents.csv
ShadowCopy.csv
SMBShares.csv

Azure Data Explorer

ADX is my personal favourite when it comes to analyzing external data sources. Before diving into some examples: in a previous blog (Incident Response Part 2: What about the other logs?) I explained the value of ADX for incident response, namely being able to perform analysis on custom logs (everything that is not ingested in your SIEM/EDR). Using the OpenTCPConnections and ConnectedDevices artefacts, I will share examples of how to effectively analyse the content of the exported files.

If you want to join the custom logs output by the PowerShell script with, for example, DeviceFileEvents, it is recommended to use the externaldata() operator in MDE or Sentinel.

Free Azure Data Explorer Cluster

You can get a free Azure Data Explorer Cluster if you do not have a company-owned cluster. This cluster will include roughly 100 GB of log storage. The documentation below can be used to create your cluster, which is a prerequisite for the next part of the blog.

Documentation:

OpenTCPConnections

Once the files have been imported into Azure Data Explorer, they can be queried via KQL. The example below shows 10 rows from the retrieved OpenTCPConnections.csv file. This file contains all the TCP connections that were open at the moment the script was executed, which could for example include Command & Control connections to the adversary’s infrastructure.

List 10 rows with open TCP connections

Query:

OpenTCPConnections
| project State, AppliedSetting, CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort
| take 10

Next up is using the query language itself to filter the data to find suspicious activities. In this case, we are performing a forensic hunt to find malicious outbound connections from the infected host. This is done by filtering out all the internal connections, which leaves us with connections to public IP addresses. Lastly, we filter on connections where the remote port number is between 0 and 1000.

Open TCP Connections to Public IPs

Query:

OpenTCPConnections
| project State, AppliedSetting, CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort
| where not(ipv4_is_private(RemoteAddress))
| where RemotePort between (0 .. 1000)
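
The hunt above, extended as an added example (not part of the original post or the DFIR script). ipv4_is_private() only matches the RFC 1918 ranges, so loopback or unspecified (0.0.0.0) remote addresses would pass the filter if they are present in the export, while non-IPv4 values evaluate to null and are dropped silently. The sample rows, the column types and the idea that the export may contain listening or loopback sockets are assumptions; the column names are the ones projected in the queries on this page.

```kql
// Constructed sample rows standing in for the ingested OpenTCPConnections table.
// Column types are assumed; adjust them to match your ingestion mapping.
let OpenTCPConnections = datatable(State:string, CreationTime:datetime, LocalAddress:string, LocalPort:int, RemoteAddress:string, RemotePort:int)
[
    "Listen",      datetime(2024-01-10 08:00:00), "0.0.0.0",      135,   "0.0.0.0",      0,
    "Established", datetime(2024-01-10 09:12:03), "127.0.0.1",    49701, "127.0.0.1",    445,
    "Established", datetime(2024-01-10 09:15:41), "192.168.1.20", 49822, "192.168.1.5",  445,
    "Established", datetime(2024-01-10 09:20:17), "192.168.1.20", 50110, "203.0.113.45", 443,
    "Established", datetime(2024-01-10 09:21:02), "192.168.1.20", 50111, "203.0.113.45", 443,
    "Established", datetime(2024-01-10 09:30:55), "192.168.1.20", 50230, "198.51.100.7", 22,
    "Listen",      datetime(2024-01-10 08:00:00), "::",           445,   "::",           0
];
OpenTCPConnections
// ipv4_is_private() returns null for values that are not valid IPv4 (for example "::"),
// so keep the result in a column and handle the null case explicitly.
| extend IsPrivate = ipv4_is_private(RemoteAddress)
| where isnotnull(IsPrivate) and not(IsPrivate)
// Unspecified, loopback and link-local addresses are not RFC 1918 private,
// but they are not public peers either.
| where not(ipv4_is_in_any_range(RemoteAddress, "0.0.0.0/32", "127.0.0.0/8", "169.254.0.0/16"))
| where RemotePort between (0 .. 1000)
// Collapse repeated connections to the same peer so that each remote endpoint is one row.
| summarize Connections = count(), FirstSeen = min(CreationTime), LocalPorts = make_set(LocalPort)
    by RemoteAddress, RemotePort, State
| order by Connections desc
```

To review the rows that the IPv4 functions cannot classify, replace the two IsPrivate filters with `| where isnull(IsPrivate)`.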

Visualising Evidence

One of the powers of KQL is that it enables users to easily aggregate and visualise results. In this example, the artefacts from ConnectedDevices (all the plug-and-play devices) are visualised in a piechart. This clearly shows which PNP device class is often used and which might be anomalous.

Visualising results is good practice when performing incident response, especially when performing forensic hunts on large datasets. Visualising the context provides quick understanding, reveals patterns and helps detect anomalies in the logs.

Connected Devices

Query:

ConnectedDevices
| summarize count() by Class
| render piechart 

Defender For Endpoint Live Response

The DFIR Script can be used within Live Response to collect additional information from impacted devices. The blog Incident Response Part 3: Leveraging Live Response explains in detail how custom PowerShell scripts can be added and executed within Live Response, including a detailed explanation with the DFIR PowerShell V1 script. To summarise the steps:

  1. Upload the file to the Live Response Library.
  2. Execute run DFIR-script.ps1 to start the script.
  3. Execute getfile DFIR-DeviceName-yyyy-mm-dd to download the retrieved artefacts to your local machine for analysis.

Questions? Feel free to reach out to me on any of my socials.