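# Define the function to save results to file.
#
# Accepts the objects either positionally (Save-ResultsToFile $objects $path)
# or from the pipeline (... | Save-ResultsToFile -Filename $path). The original
# body only bound $results positionally, so every pipelined call in this script
# ran with $results = $null and the artifact CSV contained no data.
function Save-ResultsToFile {
    [CmdletBinding()]
    param(
        # Objects to export; every pipeline item is collected before writing.
        [Parameter(Position = 0, ValueFromPipeline = $true)]
        [object[]]$results,
        # Destination path of the CSV file.
        [Parameter(Position = 1, Mandatory = $true)]
        [string]$filename
    )
    begin {
        $buffer = New-Object System.Collections.Generic.List[object]
    }
    process {
        # foreach over $null is a no-op, so a positional call with nothing to
        # export simply produces an empty buffer.
        foreach ($item in $results) { $buffer.Add($item) }
    }
    end {
        if ($buffer.Count -eq 0) {
            # NOTE(review): Export-Csv with no input objects may leave no file
            # behind, so an empty artifact would otherwise be invisible.
            Write-Warning "No objects to write to $filename"
        }
        $buffer | Export-Csv -NoTypeInformation -Path $filename
    }
}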
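# Get the path to save the results. Reject an empty answer up front: an empty
# string would otherwise fail later inside Test-Path/New-Item with a less
# obvious error, after the operator has already started the collection.
$resultsPath = Read-Host "Enter the path to save the results (e.g. C:\Results)"
if ([string]::IsNullOrWhiteSpace($resultsPath)) {
    throw "A results path is required."
}
# Create the directory if it doesn't exist. -LiteralPath avoids wildcard
# interpretation of the typed path; -ErrorAction Stop aborts the run if the
# directory cannot be created instead of letting every later export fail.
if (!(Test-Path -LiteralPath $resultsPath)) {
    New-Item -ItemType Directory -Path $resultsPath -ErrorAction Stop | Out-Null
}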
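# The collection steps below pass their objects positionally (-Results) rather
# than through the pipeline: the helper as defined above only binds $results
# positionally, so "... | Save-ResultsToFile" would have exported nothing.

# Get the running processes and their paths. Id is included so a socket's
# OwningProcess or a service can be tied back to the process that owned it.
# NOTE(review): Path is empty for processes of other users unless elevated.
Save-ResultsToFile -Results (Get-Process | Select-Object Id, Name, Path) -Filename "$resultsPath\RunningProcesses.csv"
# Get all registered services and their executable paths. Get-CimInstance is
# the supported replacement for Get-WmiObject (which is absent on PowerShell 7+)
# and exposes the same Win32_Service properties.
Save-ResultsToFile -Results (Get-CimInstance -ClassName Win32_Service | Select-Object Name, DisplayName, PathName) -Filename "$resultsPath\RegisteredServices.csv"
# Get all TCP network sockets; OwningProcess is the PID that owns the socket,
# which is what lets a suspicious connection be matched to RunningProcesses.csv.
Save-ResultsToFile -Results (Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess) -Filename "$resultsPath\TCPNetworkSockets.csv"
# Get all user account information (local and, if domain-joined, domain accounts).
Save-ResultsToFile -Results (Get-CimInstance -ClassName Win32_UserAccount | Select-Object Name, FullName, Description, AccountType) -Filename "$resultsPath\UserAccounts.csv"
# Get all network adapter configuration information (advanced driver properties).
Save-ResultsToFile -Results (Get-NetAdapter | Get-NetAdapterAdvancedProperty -RegistryKeyword * | Select-Object Name, DisplayName, DisplayValue) -Filename "$resultsPath\NetworkAdapterConfiguration.csv"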
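# Use Powershell cmdlets to save 4 other artifacts that would be useful in an incident.
# Objects are passed positionally (-Results) because the helper as defined above
# does not bind pipeline input.

# 1. Get event log entries related to security (last 7 days). Reading the
#    Security log requires elevation. Get-EventLog exists only in Windows
#    PowerShell; on PowerShell 7+ the equivalent is
#    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddDays(-7) }.
Save-ResultsToFile -Results (Get-EventLog -LogName Security -After (Get-Date).AddDays(-7) | Select-Object Index, TimeGenerated, EntryType, Source, Message) -Filename "$resultsPath\SecurityEventLog.csv"
# 2. Get the list of installed software. 64-bit and 32-bit (Wow6432Node)
#    applications register under separate Uninstall keys; the original read only
#    the Wow6432Node key and therefore missed every native 64-bit application.
#    PSChildName (the registry key name) identifies entries with no DisplayName.
#    SilentlyContinue covers 32-bit Windows, where Wow6432Node does not exist.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Save-ResultsToFile -Results (Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue | Select-Object DisplayName, Publisher, InstallDate, DisplayVersion, PSChildName) -Filename "$resultsPath\InstalledSoftware.csv"
# 3. Get the list of scheduled tasks. The task object's property is State (not
#    TaskState, which yielded an empty column); the column name is kept for
#    compatibility. Triggers and Actions are nested CIM objects that Export-Csv
#    would flatten to type names, so they are expanded to readable strings.
Save-ResultsToFile -Results (Get-ScheduledTask | Select-Object TaskName, TaskPath,
    @{ Name = 'TaskState'; Expression = { $_.State } },
    @{ Name = 'Triggers';  Expression = { ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join '; ' } },
    @{ Name = 'Actions';   Expression = { ($_.Actions | ForEach-Object { if ($_.Execute) { "$($_.Execute) $($_.Arguments)".Trim() } else { $_.CimClass.CimClassName } }) -join '; ' } }
) -Filename "$resultsPath\ScheduledTasks.csv"
# 4. Get the list of running services and their statuses.
Save-ResultsToFile -Results (Get-Service | Select-Object Name, DisplayName, Status) -Filename "$resultsPath\RunningServices.csv"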
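# Get the checksum for each CSV file and save it to a file, so later
# modification of an artifact can be detected. -File skips any directory whose
# name happens to match, sorting makes the manifest order reproducible, and the
# algorithm is recorded next to each hash so a verifier knows what to recompute.
# NOTE(review): the manifest sits in the same writable folder as the artifacts,
# so it only detects accidental changes; copy it (or its hash) off-host as well.
$checksums = Get-ChildItem -Path $resultsPath -Filter *.csv -File |
    Sort-Object Name |
    ForEach-Object {
        $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
        [PSCustomObject]@{
            Filename  = $_.Name
            Checksum  = $hash.Hash
            Algorithm = $hash.Algorithm
        }
    }
$checksums | Export-Csv -NoTypeInformation -Path (Join-Path $resultsPath 'Checksums.csv')
Write-Host "Results have been saved to $resultsPath"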