Cyber security

Powershell Digital Forensics And Incident Response (DFIR) – Essential Scripts For Windows Cyber Defense

Powershell Digital Forensics & Incident Response (DFIR) equips cybersecurity professionals with a suite of PowerShell scripts tailored for effective incident handling on Windows devices.

From collecting forensic artifacts to analyzing security events, these tools streamline the process of identifying, understanding, and mitigating cyber threats, ensuring a robust defense mechanism in the digital landscape.

This repository contains multiple PowerShell scripts that can help you respond to cyber attacks on Windows Devices.

The following Incident Response scripts are included:

Related Blogs:

DFIR Script – Extracted Artefacts

The DFIR script collects information from multiple sources and structures the output in the current directory in a folder named ‘DFIR-hostname-year-month-date’.

This folder is zipped at the end, so that folder can be remotely collected. This script can also be used within Defender For Endpoint in a Live Response session (see below).

The DFIR script collects the following information when running as normal user:

  • Local IP Info
  • Open Connections
  • Aautorun Information (Startup Folder & Registry Run keys)
  • Active Users
  • Local Users
  • Connections Made From Office Applications
  • Active SMB Shares
  • RDP Sessions
  • Active Processes
  • Active USB Connections
  • Powershell History
  • DNS Cache
  • Installed Drivers
  • Installed Software
  • Running Services
  • Scheduled Tasks
  • Browser history and profile files

For the best experience run the script as admin, then the following items will also be collected:

  • Windows Security Events
  • Remotely Opened Files
  • Shadow Copies
  • MPLogs
  • Defender Exclusions
  • PowerShell History All Users

SIEM Import Functionality

The forensic artefacts are exported as CSV files, which allows responders to ingest them into their tooling.

Some example tools in which you can ingest the data are Sentinel, Splunk, Elastic or Azure Data Explorer.

This will allow you to perform filtering, aggregation and visualisation with your preferred query language.

The folder CSV Results (SIEM Import Data) includes all the CSV files containing the artefacts, the folder listing is shown below.

Name
----
ActiveUsers.csv
AutoRun.csv
ConnectedDevices.csv
DefenderExclusions.csv
DNSCache.csv
Drivers.csv
InstalledSoftware.csv
IPConfiguration.csv
LocalUsers.csv
NetworkShares.csv
OfficeConnections.csv
OpenTCPConnections.csv
PowerShellHistory.csv
Processes.csv
RDPSessions.csv
RemotelyOpenedFiles.csv
RunningServices.csv
ScheduledTasks.csv
ScheduledTasksRunInfo.csv
SecurityEvents.csv
ShadowCopy.csv
SMBShares.csv

DFIR Commands

The DFIR Commands page contains invidividual powershell commands that can be used during your incident response process. The follwing catagories are defined:

  • Connections
  • Persistence
  • Windows Security Events
  • Processes
  • User & Group Information
  • Applications
  • File Analysis
  • Collect IOC Information

Windows Usage

The script can be excuted by running the following command.

.\DFIR-Script.ps1

The script is unsigned, that could result in having to use the -ExecutionPolicy Bypass to run the script.

Powershell.exe -ExecutionPolicy Bypass .\DFIR-Script.ps1

DFIR Script | Defender For Endpoit Live Response Integration

It is possible to use the DFIR Script in combination with the Defender For Endpoint Live Repsonse.

Make sure that Live Response is setup (See DOCS). Since my script is usigned a setting change must be made to able to run the script.

There is a blog article available that explains more about how to leverage Custom Script in Live Response: Incident Response Part 3: Leveraging Live Response

To run unsigned scripts live Response:

  • Security.microsoft.com
  • Settings
  • Endpoints
  • Advanced Features
  • Make sure that Live Response is enabled
  • If you want to run this on a server enable live resonse for servers
  • Enable Live Response unsigened script execution

Execute script:

  • Go to the device page
  • Initiate Live Response session
  • Upload File to library to upload script
  • After uploading the script to the library execute: run DFIR-script.ps1 to start the script.
  • Execute getfile DFIR-DeviceName-yyyy-mm-dd to download the retrieved artifacts to your local machine for analysis.
Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Leave a Comment
Share
Published by
Tamil S
Tags: cybersecurityDFIRinformationsecuritykalilinuxkalilinuxtools
1 month ago

Recent Posts

BeVigil CLI – A Comprehensive Guide To OSINT API Integration

bevigil-cli provides a unified command line interface and python library for using BeVigil OSINT API. BeVigil…

20 hours ago

OSINT Inception | Links : Your Gateway To Open-Source Intelligence Resources

Explore the comprehensive world of Open-Source Intelligence (OSINT) with our curated list of active links…

20 hours ago

BBOT : The Next-Gen Recursive Internet Scanner For Ethical Hackers

BBOT (Bighuge BLS OSINT Tool) is a recursive internet scanner inspired by Spiderfoot, but designed to…

20 hours ago

Andriller CE (Community Edition) – A Comprehensive Guide To Mobile Forensics

Andriller - is software utility with a collection of forensic tools for smartphones. It performs…

20 hours ago

OSINT Toolkit – Empowering Security Analysts With Comprehensive Cyber Threat Intelligence

Designed as a full-stack web application, this tool amalgamates a plethora of services to streamline…

20 hours ago

The Arsenal : A Comprehensive Guide To Anti-Forensic Tools And Techniques

Tools and packages that are used for countering forensic activities, including encryption, steganography, and anything…

2 days ago