Lab 11: Incident Response Toolkit - squatchulator/Tech-Journal GitHub Wiki
incident_response.ps1
# Storyline: An incident response program that pulls a variety of system artefacts
# (processes, services, TCP sockets, accounts, network configuration, devices, firewall
# rules, Defender detections) into CSV files, records the SHA-256 hash of each file,
# zips the folder, and writes a checksum of the zipped archive.
# Menu function that contains options for script
function menu() {
cls
Write-Host "Incident Response Program"
Write-Host "1. Running Processes"
Write-Host "2. Running Services"
Write-Host "3. Stopped Services"
Write-Host "4. TCP Network Sockets"
Write-Host "5. User Account Information"
Write-Host "6. Network Adapter Information"
Write-Host "7. Connected Devices"
Write-Host "8. Firewall Rules"
Write-Host "9. Threat Detection"
Write-Host "10. All The Above"
$selection = Read-Host "Please select an option above, or q to quit"
if ($selection -eq "1") {
cls
get_processes
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
if ($selection -eq "2") {
cls
get_services
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
elseif ($selection -eq "3") {
cls
get_stopped
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
elseif ($selection -eq "4") {
cls
tcp_sockets
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
elseif ($selection -eq "5") {
cls
user_account_info
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
elseif ($selection -eq "6") {
cls
network_info
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
elseif ($selection -eq "7") {
cls
connected_devices
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
elseif ($selection -eq "8") {
cls
firewall_rules
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
elseif ($selection -eq "9") {
cls
threat_detection
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
elseif ($selection -eq "10") {
cls
retrieve_all
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
elseif ($selection -match "^[qQ]$") {
break
}
else {
Write-Host "That is not a valid selection. Please enter a number from the list above."
sleep 2
menu
}
}
# Retrieves running processes and the path for each
function get_processes() {
Get-Process | Select-Object ProcessName, Path, ID | `
Export-Csv -Path "$pathtofile\running_processes.csv" -NoTypeInformation
}
# Retrieves all running services and the path to the executable controlling the service
function get_services() {
Get-Service | Export-Csv -Path "$pathtofile\running_services.csv" -NoTypeInformation
}
# Retrieves all stopped services
function get_stopped() {
Get-Service | Where-Object {$_.Status -eq 'Stopped' } | `
Export-Csv -Path "$pathtofile\stopped_services.csv" -NoTypeInformation
}
# Retrieves all TCP network sockets
function tcp_sockets() {
Get-NetTCPConnection | Export-Csv -Path "$pathtofile\tcp_sockets.csv" -NoTypeInformation
}
# Retrieves all user account information using WMI
function user_account_info() {
Get-WmiObject -Class Win32_UserAccount | `
Export-Csv -Path "$pathtofile\user_account_info.csv" -NoTypeInformation
}
# Retrieves all NetworkAdapterConfiguration information
function network_info() {
Get-WmiObject -Class Win32_NetworkAdapterConfiguration | `
Select-Object @{n='IPAddress';e={$_.IPAddress -join ', '}}, `
DHCPServer, @{n='DefaultIPGateway';e={$_.DefaultIPGateway -join ', '}}, `
@{n='DNSServerSearchOrder';e={$_.DNSServerSearchOrder -join ', '}} | `
Export-Csv -Path "$pathtofile\network_info.csv" -NoTypeInformation
}
# Retrieves all connected devices
function connected_devices() {
Get-PnpDevice | Export-Csv -Path "$pathtofile\connected_devices.csv" -NoTypeInformation
}
# Retrieves all firewall rules
function firewall_rules() {
Get-NetFirewallRule | Export-Csv -Path "$pathtofile\firewall_rules.csv" -NoTypeInformation
}
# Get reports of threats detected by Windows Anti-Virus
function threat_detection() {
Get-MpThreatDetection | Export-Csv -Path "$pathtofile\threat_detection.csv" -NoTypeInformation
}
# Create hashes of every file in the current directory
function create_hash() {
Get-ChildItem -Path "$pathtofile" -File | ForEach-Object {
$hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
Write-Output ($hash.Hash + " " + $_.FullName) >> "$pathtofile\file_hashes.txt"
}
}
# Compresses the folder into a zip archive and puts the file hash in the original folder
function compress_archive() {
cd $pathtofile
cd ..
Compress-Archive -Path $pathtofile -DestinationPath "./incidentresponse.zip"
$hash = Get-FileHash -Path "./incidentresponse.zip" -Algorithm SHA256
Write-Output ($hash.Hash + " incidentresponse.zip") | Set-Content -Path "$pathtofile/checksum.txt"
}
# Retrieve all the logs listed above, and call the compress_archive() function to zip them and make file hashes
function retrieve_all() {
get_processes
get_services
get_stopped
tcp_sockets
user_account_info
network_info
connected_devices
firewall_rules
threat_detection
create_hash
compress_archive
Write-Host "Completed. Returning to menu..."
sleep 2
menu
}
cls
# Prompt that asks for location to save output above
$pathtofile = Read-Host "Please enter the path to save created .csv files to (NOTE: new folders will not be created. Choose an existing folder)"
menu