invoke-liveresponse's People

Contributors

asd9idas9i, karneades, keepwatch, mgreen27

invoke-liveresponse's Issues

UsrClass.dat hasn't been copied

I have found another issue about this subject.

The code below in sbUser.ps1 has an incorrect filename (UserClass.dat).

Copy-LiveResponse -path "$profile\AppData\Local\Microsoft\Windows" -dest "$out\AppData\Local\Microsoft\Windows" -filter "UserClass.dat" -forensic

It should be "UsrClass.dat".
And I think the transaction files of the UsrClass.dat registry hive (UsrClass.dat.LOG1 and .LOG2) should be copied too.
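
The check below is an added example, not code from Invoke-LiveResponse or from the issue's author. Run against a collection directory, it reports for each collected NTUSER.DAT or UsrClass.dat whether the .LOG1/.LOG2 transaction logs were collected next to it, and reads the regf header to show whether the hive was dirty at collection time (primary and secondary sequence numbers differ), which is exactly when those logs are needed to reconstruct the current state. The collection layout, the path in the usage line and the assumption that logs sit beside the hive are illustrative.

```powershell
# Added example (not part of Invoke-LiveResponse): audit collected user hives for
# missing transaction logs and report whether the hive header says they are needed.
function Test-HiveCollection {
    param(
        # Root of a collection, assumed to mirror the profile layout, e.g.
        # <root>\<profile>\AppData\Local\Microsoft\Windows\UsrClass.dat
        [Parameter(Mandatory)][string]$CollectionRoot
    )
    $hiveNames = @('NTUSER.DAT', 'UsrClass.dat')

    Get-ChildItem -Path $CollectionRoot -Recurse -File -Include $hiveNames |
        ForEach-Object {
            $hive = $_

            # regf base block: bytes 0-3 'regf', bytes 4-7 primary sequence number,
            # bytes 8-11 secondary sequence number. If they differ, the last write did
            # not complete and the .LOG1/.LOG2 files are required for a consistent view.
            $header = New-Object byte[] 12
            $fs = [System.IO.File]::Open($hive.FullName, 'Open', 'Read', 'ReadWrite')
            try { $null = $fs.Read($header, 0, 12) } finally { $fs.Dispose() }

            $sig  = [System.Text.Encoding]::ASCII.GetString($header, 0, 4)
            $seq1 = [BitConverter]::ToUInt32($header, 4)
            $seq2 = [BitConverter]::ToUInt32($header, 8)

            # Logs are assumed to be collected beside the hive with the same base name
            $logs = @('.LOG1', '.LOG2') | ForEach-Object {
                Test-Path -LiteralPath ($hive.FullName + $_)
            }

            [pscustomobject]@{
                Hive      = $hive.FullName
                ValidRegf = ($sig -eq 'regf')
                Dirty     = ($seq1 -ne $seq2)   # $true means the logs are needed, not optional
                HasLOG1   = $logs[0]
                HasLOG2   = $logs[1]
                Complete  = ($logs[0] -and $logs[1])
            }
        }
}

# Usage (hypothetical collection path):
# Test-HiveCollection -CollectionRoot 'C:\collections\host01' | Format-Table -AutoSize
```

A row with Dirty = True and Complete = False is a collection that cannot be fully reconstructed offline; that is the case the missing filter would have produced silently for UsrClass.dat.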

Licence

Not really an issue, but the project doesn't indicate a licence. It would be nice to set one, so anyone can know what they can do with it!
Thanks in advance.

Get-BAMParser.ps1

Currently fails due to a change in the registry path: the \State\ component is missing.

Old: HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings
New: HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\

Can be fixed by replacing the old path with the new one.

Working script

<#
.SYNOPSIS
    Invoke-BAMParser.ps1 parses BAM entries from the SYSTEM registry hive.

    Name: Invoke-BAMParser.ps1
    Version: 0.1
    Author: Matt Green (@mgreen27)

.DESCRIPTION
    The Background Activity Moderator (BAM) service has been included since Windows 10 1709.
    The BAM service key is an alternative evidence-of-execution source; however, in my testing I have noticed that not all executables are populated.

    Invoke-BAMParser.ps1 parses BAM entries from the SYSTEM registry hive and returns the data in an easy to read format.
    Currently only supported in Live Response mode (not against precollected files).
    Default output is sorted by entry time in descending order but can be changed with the -SortSid switch.

.EXAMPLE
    Invoke-BAMParser.ps1

    PS C:\WINDOWS\system32> C:\tools\Invoke-BAMParser.ps1

    TimeUTC              Item                                                                                                User                   Sid                                           
    -------              ----                                                                                                ----                   ---                                           
    2018-04-15 02:17:13Z Microsoft.WindowsCalculator_8wekyb3d8bbwe                                                           DFIR\matt              S-1-5-21-204460083-2392015180-1890829323-1106 
    2018-04-15 02:16:58Z Microsoft.WindowsStore_8wekyb3d8bbwe                                                                DFIR\matt              S-1-5-21-204460083-2392015180-1890829323-1106 
    2018-04-15 02:16:57Z \Device\HarddiskVolume1\Windows\System32\ApplicationFrameHost.exe                                   DFIR\matt              S-1-5-21-204460083-2392015180-1890829323-1106 
    2018-04-15 02:13:02Z Microsoft.Windows.Cortana_cw5n1h2txyewy                                                             DFIR\matt              S-1-5-21-204460083-2392015180-1890829323-1106 
    2018-04-15 02:11:27Z \Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe                  DFIR\Administrator     S-1-5-21-204460083-2392015180-1890829323-500  
    2018-04-15 02:11:26Z \Device\HarddiskVolume1\Windows\System32\consent.exe                                                NT AUTHORITY\SYSTEM    S-1-5-18                                      
    2018-04-15 02:11:08Z \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmtoolsd.exe                              DFIR\matt              S-1-5-21-204460083-2392015180-1890829323-1106 
    2018-04-15 02:10:59Z \Device\HarddiskVolume1\Windows\System32\dwm.exe                                                    Window Manager\DWM-1   S-1-5-90-0-1
    <...SNIP...>

.EXAMPLE
    Invoke-BAMParser.ps1 -SortSid

    Output ordered by User Sid instead of time

.NOTES
    References:
    https://www.linkedin.com/pulse/alternative-prefetch-bam-costas-katsavounidis/
    https://padawan-4n6.hatenablog.com/entry/2018/02/22/131110
    https://padawan-4n6.hatenablog.com/entry/2018/03/07/191419
    http://windowsir.blogspot.com.au/2018/03/new-and-updated-plugins-other-items.html
    http://batcmd.com/windows/10/services/bam/
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory = $False)][Switch]$SortSid
)

$Output = @()
$Users = $null


# MAIN
if (!(Get-PSDrive -Name HKLM -PSProvider Registry -ErrorAction SilentlyContinue)) {
    Try { New-PSDrive -Name HKLM -PSProvider Registry -Root HKEY_LOCAL_MACHINE | Out-Null }
    Catch { "Error mounting HKEY_LOCAL_MACHINE" }
}

# Windows 10 1809 and later store entries under bam\State\UserSettings; 1709 and 1803 used bam\UserSettings.
# Check both so the script keeps working on either side of the path change.
$BamPath = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings",
    "HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings"
) | Where-Object { Test-Path -Path $_ } | Select-Object -First 1

if (-not $BamPath) {
    "Error parsing BAM key. Likely unsupported Windows version"
    exit
}

Try { $Users = Get-ChildItem -Path $BamPath -ErrorAction Stop | Select-Object -ExpandProperty PSChildName }
Catch {
    "Error parsing BAM key. Likely unsupported Windows version"
    exit
}

Foreach ($Sid in $Users) {
    $SidKey = Get-Item -Path "$BamPath\$Sid" -ErrorAction SilentlyContinue
    if (-not $SidKey) { continue }

    # Read the key once; $Values.<name> returns each value, including names that contain backslashes
    $Items = $SidKey.Property
    $Values = Get-ItemProperty -Path "$BamPath\$Sid"

    # Enumerating User - will roll back to SID on error
    Try {
        $objSID = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $User = $objSID.Translate([System.Security.Principal.NTAccount]).Value
    }
    Catch { $User = "" }

    Foreach ($Item in $Items) {
        $Key = $Values.$Item

        # Execution entries are 24-byte REG_BINARY values whose first 8 bytes are a little-endian FILETIME.
        # The Version and SequenceNumber values are shorter and are skipped by the length check.
        If ($Key -is [byte[]] -and $Key.Length -eq 24) {
            $TimeUTC = Get-Date ([DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Key, 0))) -Format u

            # Setting up object for nicest output format
            $Line = "" | Select-Object TimeUTC, Item, User, Sid
            $Line.TimeUTC = $TimeUTC
            $Line.Item = $Item
            $Line.User = $User
            $Line.Sid = $Sid
            $Output += $Line
        }
    }
}

# Sorting by User SID
If ($SortSid) { $Output | Sort-Object Sid | Format-Table -AutoSize -Wrap }
Else { $Output | Sort-Object TimeUTC -Descending | Format-Table -AutoSize -Wrap }

[gc]::Collect()
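
The script above works only against the live registry. As an added example, not part of the issue or of the project, the function below parses the same 24-byte BAM values from a precollected SYSTEM hive: it loads the hive file with reg.exe (elevation required, and the file must not be in use), picks the active control set from the Select key because CurrentControlSet does not exist in a loaded hive, and checks both the 1809+ and the pre-1809 key paths. The mount name BamOffline, the evidence path in the usage line and the use of [gc]::Collect() to release provider handles before unloading are assumptions. SID-to-name translation is deliberately left out: resolving SIDs from another machine against the analyst's own account database would give wrong names.

```powershell
# Added example (not Invoke-LiveResponse code): parse BAM entries from an offline SYSTEM hive.
function Get-BamEntryFromHive {
    param(
        [Parameter(Mandatory)][string]$HivePath,     # copy of the target's SYSTEM hive
        [string]$MountName = 'BamOffline'            # temporary key name under HKLM (assumption)
    )

    # reg.exe load requires an elevated session; it fails if the hive is open elsewhere
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

    try {
        # Select\Current names the control set that was active on the source machine
        $current = (Get-ItemProperty -Path "HKLM:\$MountName\Select").Current
        $cs = 'ControlSet{0:D3}' -f $current

        $candidates = @(
            "HKLM:\$MountName\$cs\Services\bam\State\UserSettings",   # Windows 10 1809 and later
            "HKLM:\$MountName\$cs\Services\bam\UserSettings"          # Windows 10 1709 / 1803
        )
        $base = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
        if (-not $base) { throw "No BAM UserSettings key found under $cs in $HivePath" }

        foreach ($sidKey in Get-ChildItem -Path $base) {
            $sid    = $sidKey.PSChildName
            $values = Get-ItemProperty -Path $sidKey.PSPath

            foreach ($name in $sidKey.Property) {
                $raw = $values.$name
                # Same layout as the live parser: 24 bytes, first 8 are a little-endian FILETIME
                if ($raw -is [byte[]] -and $raw.Length -eq 24) {
                    $ft = [BitConverter]::ToInt64($raw, 0)
                    [pscustomobject]@{
                        TimeUTC = [DateTime]::FromFileTimeUtc($ft).ToString('u')
                        Item    = $name
                        Sid     = $sid
                        Source  = $cs
                    }
                }
            }
        }
    }
    finally {
        # Provider handles keep the hive locked; collect them before unloading (assumption)
        [gc]::Collect()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Usage (hypothetical evidence path):
# Get-BamEntryFromHive -HivePath 'C:\evidence\host01\SYSTEM' |
#     Sort-Object TimeUTC -Descending | Format-Table -AutoSize
```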

Typo in Invoke-LiveResponse.psm1

There is a typo in Invoke-LiveResponse.psm1 at line 618.

If(!use$SSL){
I think this should be If(!$useSSL){

This results in an error during script execution.

Extending Powershell-IR

I just submitted a PR (#11) that collects recycle bin artifacts (although I preserved your British nomenclature, lol). I noticed you incremented the version number before, so I gave this a minor version bump.

I have a few more changes nearly ready to go:

  • Collecting registry transaction log files
  • Permitting authentication using a prebuilt credential object (permitting the use of password safes or other methods for providing creds without humans typing them)

Do you want me to do minor version bumps for those as well?

And finally, I configured some VMs via Vagrant to perform compatibility tests on other PS versions. It's currently manual, but better than testing in production. Are you interested in merging that, or should I keep it in my own repo?

Several errors in Invoke-LiveResponse.psm1 and sbEvtx.ps1

I have found several errors in Invoke-LiveResponse.psm1 and sbEvtx.ps1.

[Invoke-LiveResponse.psm1]
Possibly the "-UNC" option doesn't accept "" and "" because the regex string at line 668 is not correct.
These parameters may contain the "-" character.
So I think "\w" should be "[\w-]".

[sbEvtx.ps1]
This contains lines which are obviously not needed.
Lines 8, 18, and 27 should be deleted.
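
To make the regex point concrete, the following is an added example and not the module's line 668 pattern (which is not on this page): a hypothetical \w-only UNC pattern next to one that admits hyphens and dots in the host and share names, run over constructed sample paths. The exact character classes are a suggestion, not the project's own.

```powershell
# Added example (not Invoke-LiveResponse code): compare a \w-only UNC check with one that
# accepts hyphenated hosts, FQDNs and hidden shares. Sample paths below are constructed.
function Test-UncTarget {
    param([Parameter(Mandatory)][string]$Path)

    # \w is [A-Za-z0-9_], so a host such as dfir-srv01 or a share such as collect$ never matches
    $narrow = '^\\\\\w+\\\w+'

    # host: word chars, dots, hyphens; share: also allows $ for hidden shares;
    # optional subfolders that exclude characters invalid in Windows path components
    $fixed = '^\\\\[\w.-]+\\[\w$.-]+(\\[^\\/:*?"<>|]+)*\\?$'

    [pscustomobject]@{
        Path   = $Path
        Narrow = [bool]($Path -match $narrow)
        Fixed  = [bool]($Path -match $fixed)
    }
}

$samples = @(
    '\\dfir-srv01\collect$',                      # hyphen in host, $ in share: Narrow False, Fixed True
    '\\dfir-srv01.corp.example\collect$\case-42', # FQDN plus subfolder: Narrow False, Fixed True
    '\\server\share',                             # both True
    'C:\tmp\',                                    # local path: both False
    '\\server'                                    # no share component: both False
)
$samples | ForEach-Object { Test-UncTarget -Path $_ } | Format-Table -AutoSize
```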

-LocalOut <path> isn't working in latest commit

When I try to perform a forensic copy (-Evtx -LocalOut "C:\tmp\"), I get the following message: Error: Check UNC path and credentials. Unable to Map Y:.

I've not kept up with the recent changes, but it looks like the error comes from sbPathUnc.ps1, which doesn't appear to have any capability to write data to the local drive.

sbPathUnc.ps1 is getting called because a string value of $LocalOut is -ne to $True (see line 344 below). However, the other option, sbPathLocal.ps1, appears to be connected to the -WriteScriptBlock switch and won't help in this case. I'm not sure how to move forward with analysis from here.

What's the best way to run a forensic copy over the network and write the data to the disk of the analyzed system, per the original purpose of -LocalOut? Thanks!

# Path configuration - will be included in all ForensicCopy and -LocalOut:$true sessions
if ($LocalOut -ne $True) {
    $sbPath = [System.Management.Automation.ScriptBlock]::Create((get-content "$PSScriptRoot\Content\Scriptblock\base\sbPathUnc.ps1" -raw))
    $sbPath = [ScriptBlock]::Create("`n`$Unc = `"$Unc`"`n" + $sbPath.ToString())
}
Else {
    $sbPath = [System.Management.Automation.ScriptBlock]::Create((get-content "$PSScriptRoot\Content\Scriptblock\base\sbPathLocal.ps1" -raw))
}
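
As an added example, not the module's own code, this is the selection logic a caller would expect from the snippet above: a -LocalOut switch value and a -LocalOut path string both select the local scriptblock, and only the absence of a local target falls back to UNC. Comparing a string to $True with -ne, as the quoted code does, is what sends "C:\tmp\" down the UNC branch. The sbPath* file names and the $Unc parameter are taken from the snippet; everything else is assumed.

```powershell
# Added example (not Invoke-LiveResponse code): choose the path scriptblock by the type of
# -LocalOut instead of comparing it to $True.
function Resolve-OutputMode {
    param(
        $LocalOut,        # $true (used as a switch), a directory path string, or $null when absent
        [string]$Unc      # UNC share to use when output is not local (assumed parameter)
    )

    if ($LocalOut -is [bool] -and $LocalOut) {
        # -LocalOut:$true - write to the target's own disk, the scriptblock picks the folder
        $mode = 'Local'; $dest = $null
    }
    elseif ($LocalOut -is [string] -and $LocalOut.Trim() -ne '') {
        # -LocalOut "C:\tmp\" - still local. ("C:\tmp\" -ne $True) is $true in PowerShell,
        # which is why the original branch wrongly chose the UNC scriptblock here.
        $mode = 'Local'; $dest = $LocalOut
    }
    elseif ($Unc) {
        $mode = 'UNC'; $dest = $Unc
    }
    else {
        throw 'Specify -LocalOut (switch or path) or -UNC'
    }

    $block = if ($mode -eq 'Local') { 'sbPathLocal.ps1' } else { 'sbPathUnc.ps1' }
    [pscustomobject]@{ Mode = $mode; Dest = $dest; Block = $block }
}

# Constructed calls; the first is the case reported in the issue
Resolve-OutputMode -LocalOut 'C:\tmp\' -Unc '\\srv\share'   # Mode Local, Dest C:\tmp\, Block sbPathLocal.ps1
Resolve-OutputMode -LocalOut $true                          # Mode Local, Block sbPathLocal.ps1
Resolve-OutputMode -Unc '\\srv\share'                       # Mode UNC,   Block sbPathUnc.ps1
```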

sbPSReflect flagged/deleted by McAfee A/V

As of PR #41, McAfee Endpoint Security detects sbPSReflect.ps1 as HTool-PoshSec and deletes it from the analyst machine. The module continues to return results, but without the SYSTEM capabilities and with the three error messages included below. The errors interfere with any wrapper scripts as well by triggering try/catch blocks.

Would obfuscating this .ps1 on disk be an option? (Human) readability suffers, but compatible functionality would improve.

get-content : Cannot find path 'C:\Users\<username>\Documents\WindowsPowerShell\Modules\Invoke-LiveResponse\Content
\Scriptblock\base\sbPSReflect.ps1' because it does not exist.
At C:\Users\<username>\Documents\WindowsPowerShell\Modules\Invoke-LiveResponse\Invoke-LiveResponse.psm1:354 char:72
+ ... k]::Create((get-content "$PSScriptRoot\Content\Scriptblock\base\sbPSR ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\<username>...sbPSReflect.ps1:String) [Get-Content], ItemNotFoundEx
   ception
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand

Exception calling "Create" with "1" argument(s): "Object reference not set to an instance of an object."
At C:\Users\<username>\Documents\WindowsPowerShell\Modules\Invoke-LiveResponse\Invoke-LiveResponse.psm1:354 char:5
+     $sbPSReflect = [System.Management.Automation.ScriptBlock]::Create ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NullReferenceException

You cannot call a method on a null-valued expression.
At C:\Users\<username>\Documents\WindowsPowerShell\Modules\Invoke-LiveResponse\Invoke-LiveResponse.psm1:356 char:5
+     $Scriptblock = [ScriptBlock]::Create($Scriptblock.ToString() + $s ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
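
The three errors above are one failure (Get-Content returning nothing) reported three times as nulls propagate. As an added example, not Invoke-LiveResponse's own loader, the function below reads a scriptblock file only after confirming it exists and, optionally, that its SHA-256 matches a value recorded at install time, so a file quarantined or altered on the analyst machine fails with a single clear message that a wrapper's try/catch can act on. The path and hash in the usage lines are placeholders.

```powershell
# Added example (not Invoke-LiveResponse code): guarded scriptblock file loader.
function Import-CheckedScriptBlock {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256    # optional; record the hash when the module is installed
    )

    # A missing file here almost always means AV quarantine, so say so instead of
    # letting Get-Content return $null and failing three steps later
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Scriptblock file missing (quarantined by AV?): $Path"
    }

    # Optional integrity check: catches a file that was rewritten rather than removed
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            throw "Scriptblock file hash mismatch for ${Path}: expected $ExpectedSha256, got $actual"
        }
    }

    [ScriptBlock]::Create((Get-Content -LiteralPath $Path -Raw))
}

# Usage (placeholder hash):
# $sbPSReflect = Import-CheckedScriptBlock `
#     -Path "$PSScriptRoot\Content\Scriptblock\base\sbPSReflect.ps1" `
#     -ExpectedSha256 '<hash recorded at install time>'
```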
