mgreen27 / Invoke-LiveResponse
Home Page: https://mgreen27.github.io/posts/2018/01/14/Invoke-LiveResponse.html
License: MIT License
I have found another issue on the same subject.
The code below in sbUser.ps1 has an incorrect filename (UserClass.dat).
Copy-LiveResponse -path "$profile\AppData\Local\Microsoft\Windows" -dest "$out\AppData\Local\Microsoft\Windows" -filter "UserClass.dat" -forensic
It should be "UsrClass.dat".
And, I think the transaction files of UsrClass.dat registry (UsrClass.dat.LOG1 and .LOG2) should be copied too.
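An added example (not part of Invoke-LiveResponse) that inventories the UsrClass.dat hive together with its two transaction logs for every profile on the box, so an analyst can see before and after a collection whether the set is complete. The function name Get-UsrClassArtifacts and the profile root default are my own choices; nothing here depends on Copy-LiveResponse.

```powershell
# Added example: check that UsrClass.dat and its transaction logs (.LOG1/.LOG2) exist
# for each user profile. A hive copied without its logs may be missing the most recent
# writes, so the three files should be treated as one artifact.
# Get-UsrClassArtifacts is a hypothetical name; it is not an Invoke-LiveResponse function.
function Get-UsrClassArtifacts {
    param(
        # Profile root; assumption: standard Windows layout under C:\Users
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )
    $names = 'UsrClass.dat', 'UsrClass.dat.LOG1', 'UsrClass.dat.LOG2'
    foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $dir = Join-Path $profile.FullName 'AppData\Local\Microsoft\Windows'
        foreach ($name in $names) {
            $file = Join-Path $dir $name
            # Test-Path sees hidden/system files, and a hive locked by a logged-on
            # user still reports as present (which is why a forensic copy is needed).
            [PSCustomObject]@{
                Profile = $profile.Name
                File    = $name
                Present = (Test-Path -LiteralPath $file)
                Path    = $file
            }
        }
    }
}

# Report profiles where the hive exists but a transaction log is absent.
Get-UsrClassArtifacts |
    Group-Object Profile |
    ForEach-Object {
        $hive = $_.Group | Where-Object File -eq 'UsrClass.dat'
        $missing = $_.Group | Where-Object { $_.File -ne 'UsrClass.dat' -and -not $_.Present }
        if ($hive.Present -and $missing) {
            "{0}: hive present but missing {1}" -f $_.Name, ($missing.File -join ', ')
        }
    }
```

The filter passed to Copy-LiveResponse in the report above matches a single filename; whether it accepts a wildcard such as UsrClass.dat* is not stated on this page, so the inventory above is a way to confirm the three files were actually collected rather than a replacement for the copy call.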
Not really an issue, but the project doesn't indicate a licence; it would be nice to set one, so anyone can know what he can do with it!
Thanks in advance.
Currently fails due to a change in the registry path: \State\ is missing from the path.
Old: HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings
New: HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\
Can be fixed by replacing the old path with the new one.
Working script

<#
.SYNOPSIS
    Invoke-BAMParser.ps1 parses BAM entries from the SYSTEM registry hive.

    Name: Invoke-BAMParser.ps1
    Version: 0.1
    Author: Matt Green (@mgreen27)

.DESCRIPTION
    The Background Activity Moderator (BAM) service has been included since Windows 10 1709.
    The BAM service key is an alternate evidence-of-execution source; however, in my testing I have noticed not all executables are populated.

    Invoke-BAMParser.ps1 parses BAM entries from the SYSTEM registry hive and returns the data in an easy to read format.
    Currently only supported in Live Response mode (not against precollected files).
    Default output is sorted by entry time in descending order but can be changed with the -SortSid switch.

.EXAMPLE
    Invoke-BAMParser.ps1

    PS C:\WINDOWS\system32> C:\tools\Invoke-BAMParser.ps1

    TimeUTC               Item                                                                                User                  Sid
    -------               ----                                                                                ----                  ---
    2018-04-15 02:17:13Z  Microsoft.WindowsCalculator_8wekyb3d8bbwe                                           DFIR\matt             S-1-5-21-204460083-2392015180-1890829323-1106
    2018-04-15 02:16:58Z  Microsoft.WindowsStore_8wekyb3d8bbwe                                                DFIR\matt             S-1-5-21-204460083-2392015180-1890829323-1106
    2018-04-15 02:16:57Z  \Device\HarddiskVolume1\Windows\System32\ApplicationFrameHost.exe                   DFIR\matt             S-1-5-21-204460083-2392015180-1890829323-1106
    2018-04-15 02:13:02Z  Microsoft.Windows.Cortana_cw5n1h2txyewy                                             DFIR\matt             S-1-5-21-204460083-2392015180-1890829323-1106
    2018-04-15 02:11:27Z  \Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe  DFIR\Administrator    S-1-5-21-204460083-2392015180-1890829323-500
    2018-04-15 02:11:26Z  \Device\HarddiskVolume1\Windows\System32\consent.exe                                NT AUTHORITY\SYSTEM   S-1-5-18
    2018-04-15 02:11:08Z  \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmtoolsd.exe              DFIR\matt             S-1-5-21-204460083-2392015180-1890829323-1106
    2018-04-15 02:10:59Z  \Device\HarddiskVolume1\Windows\System32\dwm.exe                                    Window Manager\DWM-1  S-1-5-90-0-1
    <...SNIP...>

.EXAMPLE
    Invoke-BAMParser.ps1 -SortSid

    Output ordered by User Sid instead of time.

.NOTES
    References:
    https://www.linkedin.com/pulse/alternative-prefetch-bam-costas-katsavounidis/
    https://padawan-4n6.hatenablog.com/entry/2018/02/22/131110
    https://padawan-4n6.hatenablog.com/entry/2018/03/07/191419
    http://windowsir.blogspot.com.au/2018/03/new-and-updated-plugins-other-items.html
    http://batcmd.com/windows/10/services/bam/
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory = $False)][Switch]$SortSid
)

# Set SortSid if set by switch
#$SortSid = $PSBoundParameters.ContainsKey('SortSid')

$Output = @()
$Users  = $null
$BamPath = "HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings"

# MAIN
# Mount HKLM if the registry drive is not already present in this session
if (!(Get-PSDrive -Name HKLM -PSProvider Registry -ErrorAction SilentlyContinue)) {
    Try { New-PSDrive -Name HKLM -PSProvider Registry -Root HKEY_LOCAL_MACHINE | Out-Null }
    Catch { "Error Mounting HKEY_Local_Machine" }
}

# One subkey per user SID under the BAM State\UserSettings key
Try { $Users = Get-ChildItem -Path $BamPath -ErrorAction Stop | Select-Object -ExpandProperty PSChildName }
Catch {
    "Error Parsing BAM Key. Likely unsupported Windows Version"
    exit
}

Foreach ($Sid in $Users) {
    # Value names under each SID key are the executed items (paths or package names)
    $Items = Get-Item -Path "$BamPath\$Sid" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Property

    # Enumerating User - will roll back to SID on error
    Try {
        $objSID = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $User = $objSID.Translate([System.Security.Principal.NTAccount])
        $User = $User.Value
    }
    Catch { $User = "" }

    Foreach ($Item in $Items) {
        $Key = Get-ItemProperty -Path "$BamPath\$Sid" | Select-Object -ExpandProperty $Item

        # Execution entries are 24-byte binary values; the first 8 bytes are a little-endian FILETIME.
        # DWORD values in the same key (e.g. Version, SequenceNumber) are skipped by the length check.
        If ($Key.length -eq 24) {
            $Hex = [System.BitConverter]::ToString($Key[7..0]) -replace "-", ""
            $TimeUTC = Get-Date ([DateTime]::FromFileTimeUtc([Convert]::ToInt64($Hex, 16))) -Format u

            # Setting up object for nicest output format
            $Line = "" | Select TimeUTC, Item, User, Sid
            $Line.TimeUTC = $TimeUTC
            $Line.Item    = $Item
            $Line.User    = $User
            $Line.Sid     = $Sid
            $Output += $Line
        }
    }
}

# Sorting by User SID
If ($SortSid) { $Output | Sort-Object Sid | Format-Table -AutoSize -Wrap }
Else { $Output | Sort-Object TimeUTC -Descending | Format-Table -AutoSize -Wrap }

[gc]::Collect()
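An added example, written for this page rather than taken from Invoke-BAMParser.ps1, that deals with the path change reported in the issue above: it probes both the old and the new UserSettings location instead of hard-coding one, and decodes the 24-byte BAM values with BitConverter directly. It also runs the decoder against a constructed value so the FILETIME handling can be checked offline. The names Get-BamUserSettingsPath, ConvertFrom-BamValue and Get-BamEntry are hypothetical.

```powershell
# Added example, not part of the Invoke-LiveResponse project.
# Resolves the BAM UserSettings key for this build and decodes entry values.

function Get-BamUserSettingsPath {
    # Newer builds keep per-user keys under \State\ (the path the issue above reports);
    # the original flat path is tried second so the parser still works on older 1709-era builds.
    $candidates = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'
    )
    foreach ($path in $candidates) {
        if (Test-Path -Path $path) { return $path }
    }
    return $null
}

function ConvertFrom-BamValue {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Execution entries are 24 bytes: a little-endian FILETIME in bytes 0-7, then 16 bytes
    # this example does not interpret. DWORD values such as Version/SequenceNumber in the
    # same key are not entries; the length check drops them.
    if ($Bytes.Length -ne 24) { return $null }
    $fileTime = [BitConverter]::ToInt64($Bytes, 0)
    if ($fileTime -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($fileTime)
}

function Get-BamEntry {
    $base = Get-BamUserSettingsPath
    if (-not $base) { throw 'BAM UserSettings key not found; BAM requires Windows 10 1709 or later.' }
    foreach ($sidKey in Get-ChildItem -Path $base) {
        $sid = $sidKey.PSChildName
        # Translate the SID to an account name; fall back to an empty string (as the script does)
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $user = '' }
        foreach ($name in $sidKey.GetValueNames()) {
            $raw = $sidKey.GetValue($name)
            if ($raw -isnot [byte[]]) { continue }     # skip REG_DWORD housekeeping values
            $time = ConvertFrom-BamValue -Bytes $raw
            if ($null -eq $time) { continue }
            [PSCustomObject]@{
                TimeUTC = $time.ToString('u')
                Item    = $name
                User    = $user
                Sid     = $sid
            }
        }
    }
}

# Offline check with a constructed value: a FILETIME for 2018-04-15 02:17:13Z followed by
# 16 zero bytes, the same layout as a real entry.
$stamp  = [DateTime]::new(2018, 4, 15, 2, 17, 13, [DateTimeKind]::Utc)
$sample = [BitConverter]::GetBytes([int64]$stamp.ToFileTimeUtc()) + (New-Object byte[] 16)
ConvertFrom-BamValue -Bytes $sample | ForEach-Object { $_.ToString('u') }

# Live use (requires an elevated session so HKLM\SYSTEM\...\bam is readable):
# Get-BamEntry | Sort-Object TimeUTC -Descending | Format-Table -AutoSize
```

The decoder returns $null for anything that is not a 24-byte value or whose FILETIME is zero, so callers can pipe every value in a key through it without a separate type check.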
There is a Typo in Invoke-LiveResponse.psm1 Line 618.
If(!use$SSL){
I think this should be If(!$useSSL){
This results in an error during script execution.
I just submitted a PR (#11) that collected recycle bin artifacts (although I preserved your British nomenclature, lol). I noticed you incremented the version number before, so I gave this a minor version bump.
I have a few more changes nearly ready to go:
Do you want me to do minor version bumps for those as well?
And finally, I configured some VMs via Vagrant to perform compatibility tests on other PS versions. It's currently manual but better than testing in production. Are you interested in merging that, or should I keep it in my own repo?
I have found several errors in Invoke-LiveResponse.psm1 and sbEvtx.ps1.
[Invoke-LiveResponse.psm1]
Possibly the "-UNC" option doesn't accept "" and "" because the regex string is not correct at line 668.
These parameters perhaps contain the letter "-".
So, I think "\w" should be "[\w-]".
[sbEvtx.ps1]
This contains lines which obviously aren't needed.
Lines 8, 18, and 27 should be deleted.
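An added example, not code from the Invoke-LiveResponse module, illustrating the regex point in the report above: a character class built from \w alone cannot match a hostname or share name that contains a hyphen, while [\w-] (here widened to [\w.-] so dotted FQDNs pass too) does. The exact pattern at line 668 of the module is not shown on this page, so both patterns below are assumptions written for the demonstration; Test-UncTarget is a hypothetical name.

```powershell
# Added example: validating a UNC output target. Not the module's own validation code.

# Assumed "before" pattern: \w covers letters, digits and underscore only, so "srv-01" fails.
$patternWordOnly = '^\\\\\w+\\\w+'
# Corrected pattern: hyphens and dots allowed in host and share; "$" allowed for hidden shares.
$patternHyphen   = '^\\\\[\w.-]+\\[\w$.-]+(\\[^\\/:*?"<>|]+)*\\?$'

function Test-UncTarget {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Pattern = $patternHyphen
    )
    # Case-insensitive match, as PowerShell's -match is by default.
    return [bool]($Path -match $Pattern)
}

# Constructed inputs: hyphenated host, FQDN host, hidden share, underscore host, and a local path.
$inputs = @(
    '\\srv-01\share',
    '\\srv-01.corp.example\lr-out\case1',
    '\\srv01\share$',
    '\\srv_01\share',
    'C:\tmp\'
)

foreach ($p in $inputs) {
    [PSCustomObject]@{
        Path        = $p
        WordOnly    = Test-UncTarget -Path $p -Pattern $patternWordOnly
        WithHyphen  = Test-UncTarget -Path $p
    }
} | Format-Table -AutoSize
```

In the table, the two hyphenated targets fail under the \w-only pattern and pass under the corrected one; the underscore host passes under both (\w includes "_"), and the local path fails under both, which is the behaviour a -UNC parameter should have.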
When I try to perform a forensic copy (-Evtx -LocalOut "C:\tmp\"), I get the following message: Error: Check UNC path and credentials. Unable to Map Y:.
I've not kept up with the recent changes, but it looks like the error comes from sbPathUnc.ps1, which doesn't appear to have any capability to write data to the local drive.
sbPathUnc.py is getting called because a string value of $LocalOut is ne to $True (see line 344 below). However, the other option of sbLocalPath.ps1 appears to be connected to the -WriteScriptBlock switch - and won't help in this case. I'm not sure how to move forward with analysis from here.
What's the best way to run a forensic copy over the network and write the data to the disk of the analyzed system, per the original purpose of -LocalOut? Thanks!
Invoke-LiveResponse/Invoke-LiveResponse.psm1, lines 343 to 350 in 73a99ce
As of PR #41, McAfee Endpoint Security detects sbPSReflect.ps1 as HTool-PoshSec and deletes it from the analyst machine. The module continues to return results, but without the SYSTEM capabilities and with the three error messages included below. The errors interfere with any wrapper scripts as well by triggering try/catch blocks.
Would obfuscating this .ps1 on disk be an option? (Human) readability suffers but compatible functionality would improve.
get-content : Cannot find path 'C:\Users\<username>\Documents\WindowsPowerShell\Modules\Invoke-LiveResponse\Content\Scriptblock\base\sbPSReflect.ps1' because it does not exist.
At C:\Users\<username>\Documents\WindowsPowerShell\Modules\Invoke-LiveResponse\Invoke-LiveResponse.psm1:354 char:72
+ ... k]::Create((get-content "$PSScriptRoot\Content\Scriptblock\base\sbPSR ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\<username>...sbPSReflect.ps1:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
Exception calling "Create" with "1" argument(s): "Object reference not set to an instance of an object."
At C:\Users\<username>\Documents\WindowsPowerShell\Modules\Invoke-LiveResponse\Invoke-LiveResponse.psm1:354 char:5
+ $sbPSReflect = [System.Management.Automation.ScriptBlock]::Create ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : NullReferenceException
You cannot call a method on a null-valued expression.
At C:\Users\<username>\Documents\WindowsPowerShell\Modules\Invoke-LiveResponse\Invoke-LiveResponse.psm1:356 char:5
+ $Scriptblock = [ScriptBlock]::Create($Scriptblock.ToString() + $s ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
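The three errors above are a cascade from one missing file: Get-Content fails, ScriptBlock::Create receives $null, and the concatenation then calls a method on a null value. An added example (my own code, not the module's) that assembles a scriptblock from content files only after confirming each file is present and, optionally, that its SHA-256 matches a known-good value, so a quarantined component produces one clear error naming the file instead of three downstream ones. Get-ScriptblockFromFiles is a hypothetical name, and the hash table is a placeholder the operator would fill from a trusted copy of the module.

```powershell
# Added example: guard scriptblock assembly against missing or altered content files.
# Not part of Invoke-LiveResponse.

function Get-ScriptblockFromFiles {
    param(
        # Module root, e.g. $PSScriptRoot inside the module
        [Parameter(Mandatory)][string]$Root,
        # Relative paths of the .ps1 parts, in the order they are concatenated
        [Parameter(Mandatory)][string[]]$Relative,
        # Optional relative-path => SHA-256 map taken from a trusted copy of the module
        [hashtable]$ExpectedSha256 = @{}
    )
    $missing  = @()
    $mismatch = @()
    $parts    = @()

    foreach ($rel in $Relative) {
        $file = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $missing += $file
            continue
        }
        if ($ExpectedSha256.ContainsKey($rel)) {
            $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            if ($actual -ne $ExpectedSha256[$rel]) { $mismatch += $file; continue }
        }
        $parts += Get-Content -LiteralPath $file -Raw
    }

    # One actionable error instead of a chain of null-reference failures.
    if ($missing -or $mismatch) {
        $msg = @()
        if ($missing)  { $msg += "missing (check AV quarantine logs): " + ($missing -join ', ') }
        if ($mismatch) { $msg += "hash mismatch: " + ($mismatch -join ', ') }
        throw ("Scriptblock content check failed; " + ($msg -join '; '))
    }
    return [ScriptBlock]::Create($parts -join "`n")
}

# Constructed demonstration: two throw-away parts in a temp directory, one of them then removed.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("sbcheck-" + [Guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $tmp | Out-Null
Set-Content -Path (Join-Path $tmp 'partA.ps1') -Value 'function Get-PartA { "A" }'
Set-Content -Path (Join-Path $tmp 'partB.ps1') -Value 'function Get-PartB { "B" }'

# Both present: assembled scriptblock is usable.
$sb = Get-ScriptblockFromFiles -Root $tmp -Relative 'partA.ps1', 'partB.ps1'
. $sb
"Assembled: " + (Get-PartA) + (Get-PartB)

# Simulate a quarantined component and show the single, specific error.
Remove-Item -LiteralPath (Join-Path $tmp 'partB.ps1')
try {
    Get-ScriptblockFromFiles -Root $tmp -Relative 'partA.ps1', 'partB.ps1' | Out-Null
} catch {
    "Caught: " + $_.Exception.Message
}
Remove-Item -LiteralPath $tmp -Recurse -Force
```

Wrapper scripts that already use try/catch then see one exception with the offending path in its message, which is easier to alert on than the three generic runtime errors shown above.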