Saturday, September 14, 2013

PowerShell for ForSec & Incident Response: A Brief Musing

I am a PowerShell noobie and know beyond next to nothing on PowerShell usage.

Not that I’m not trying to get up to speed. 

However, it’s a slow climb up that learning mountain, with my time being so tight at the moment.

In typical fashion, that hasn’t stopped my brain from chewing on the potential applications for PowerShell once I get more accomplished.

It struck me last week that PowerShell might be a useful tool (in some circumstances, and with forethought about the impact that running PowerShell on that system might have) for ForSec and Incident Response efforts. Having the “power” of PowerShell at our disposal once our enterprise goes Win7 on the desktops might allow expanded options where some third-party tools might be a challenge to deploy.

So I hit the Google and here is what I found that looked worthy of investigation and additional reading and study.

Note: there were a number of additional websites I found that seemed -- in title at least -- to be applicable. However, I chose not to include them at this time, as they seemed pretty new and the material on them (for now) didn’t seem to be that useful. If they mature and grow, then I will add them in at a later time.

Live Response Using PowerShell - PDF link - SANS Institute Reading Room paper written by Sajeev Nair - August 2013.

Incident Management with PowerShell - video ~45 min - YouTube - Presentation by Matt Johnson & J. Wolfgang Goerlich of MWJ Computing - March 2013

The Power of PowerShell Remoting - SANS Computer Forensics and Incident Response blog - Mike Pilkington

Weekend Scripter: Using PowerShell to Aid in Security Forensics - Hey, Scripting Guy! Blog - Will Steele guest blogger

Use PowerShell to Aid in Security Forensics - Hey, Scripting Guy! Blog

toolsmith: Security Investigations with PowerShell - HolisticInfoSec blog post by Russ McRee

How to find running processes and their port number - Shay Levy - (added to post 09/15/2013) - Embedded in Russ McRee’s post above was a quick reference to this post which has some juicy material for you network guys.

Script Get-NetworkStatistics - netstat -ano with filtering - (added to post 09/15/2013) - Embedded in the comments of Shay Levy’s post was a link to this one as well offered by rambling cookie monster. Whew!
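Since the two posts above are about tying sockets back to processes, here is an added example in the same spirit (my own code, not Shay Levy’s or the Get-NetworkStatistics script): it parses `netstat -ano` text into objects and attaches the owning process name. It assumes the English Windows netstat column layout and that Get-Process runs on the same host as netstat.

```powershell
# Added example, not the Get-NetworkStatistics script itself: parse "netstat -ano" text into
# objects and attach the owning process name, so the result can be filtered, sorted and
# exported like any other PowerShell object. Assumes the English Windows netstat layout
# (Proto, Local Address, Foreign Address, [State,] PID) and Get-Process on the same host.
function Split-Endpoint {
    param([string]$Endpoint)
    # "0.0.0.0:135", "[::1]:5357" or "*:*" -> @(address, port); the port stays a string
    $i = $Endpoint.LastIndexOf(':')
    if ($i -lt 0) { return @($Endpoint, '') }
    return @($Endpoint.Substring(0, $i).Trim('[', ']'), $Endpoint.Substring($i + 1))
}

function Get-NetstatObject {
    param(
        [string[]]$Lines = (netstat -ano),   # or saved output: Get-Content .\netstat.txt
        [string]$State,                      # optional filter, e.g. LISTENING or ESTABLISHED
        [int]$LocalPort                      # optional filter
    )
    $nameByPid = @{}
    Get-Process | ForEach-Object { $nameByPid[$_.Id] = $_.ProcessName }

    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or @('TCP', 'UDP') -notcontains $f[0]) { continue }   # skip headers
        $local    = Split-Endpoint $f[1]
        $remote   = Split-Endpoint $f[2]
        $ownerPid = [int]$f[-1]
        $obj = New-Object PSObject -Property @{
            Protocol      = $f[0]
            LocalAddress  = $local[0]
            LocalPort     = $local[1]
            RemoteAddress = $remote[0]
            RemotePort    = $remote[1]
            State         = $(if ($f[0] -eq 'TCP') { $f[3] } else { '' })   # UDP has no state column
            PID           = $ownerPid
            ProcessName   = $(if ($nameByPid.ContainsKey($ownerPid)) { $nameByPid[$ownerPid] } else { '<exited or hidden>' })
        }
        if ($State -and $obj.State -ne $State) { continue }
        if ($LocalPort -and $obj.LocalPort -ne "$LocalPort") { continue }
        $obj | Select-Object Protocol, LocalAddress, LocalPort, RemoteAddress, RemotePort, State, PID, ProcessName
    }
}

# Usage: keep the objects until the last step, then save them for the case file
Get-NetstatObject -State LISTENING | Sort-Object { [int]$_.LocalPort } | Format-Table -AutoSize
Get-NetstatObject | Export-Csv -NoTypeInformation .\sockets.csv
```

A PID that netstat reports but Get-Process cannot find (the process exited between the two calls, or is not visible to the current token) is flagged rather than dropped, so the gap itself is visible in the output.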

The rambling cookie monster’s site is darn sharp and has these tasty crumbs we can pick up and enjoy:

Tools to Grab Locked Files - Journey Into Incident Response - Corey Harrell - Post mentions “Invoke-NinjaCopy” which is a PowerShell script. More detailed info here: Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks - clymb3r

Powershell: Forensic Onliners - ldap389 blog. (added to post 09/15/2013) The post itself is great, but there is a reference to other PowerShell material near the top that you might overlook. Hit the whitepaper link below and browse to the section.

You can find a cool onliner that retrieves the events of the Account logon category in this Windows Logon Forensics whitepaper (chapter 6.4. Querying Events). The onliner fetches the following events which occurred during the past five days:

  • A Kerberos authentication ticket (TGT) was requested.
  • The computer attempted to validate the credentials for an account.
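As an added example of the query just described (my own code, not the ldap389 one-liner or the whitepaper’s), this pulls those two events from the Security log for the past five days and keeps them as objects. The event IDs 4768 (Kerberos TGT requested) and 4776 (credential validation) are my assumption of the events the quote names; the page does not give them.

```powershell
# Added example, not the ldap389 one-liner or the whitepaper's: pull the two Account Logon
# events quoted above from the Security log for the past five days and keep them as objects.
# Assumed event IDs (not given on the page): 4768 = Kerberos TGT requested,
# 4776 = credential validation. Reading the Security log needs an elevated session, and
# -ComputerName reaches the remote host's EventLog service, so rights are needed there too.
function Get-AccountLogonEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 5,
        [int[]]$Id = @(4768, 4776)
    )
    # Server-side filtering: only matching records cross the wire, not the whole log
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter | ForEach-Object {
        # Take named fields from the event XML rather than scraping the Message text
        $data = @{}
        $xml = [xml]$_.ToXml()
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Computer    = $_.MachineName
            Account     = $data['TargetUserName']
            Domain      = $data['TargetDomainName']              # present on 4768 only
            Source      = $(if ($_.Id -eq 4768) { $data['IpAddress'] } else { $data['Workstation'] })
            Status      = $data['Status']                        # 0x0 is success for both IDs
        } | Select-Object TimeCreated, Id, Computer, Account, Domain, Source, Status
    }
}

# Usage: stay with objects until the last step (the "preserve the object" principle quoted
# later in the post), then save them; 'HOST-PLACEHOLDER' stands for the machine under review
Get-AccountLogonEvent | Sort-Object TimeCreated | Format-Table -AutoSize
Get-AccountLogonEvent -ComputerName 'HOST-PLACEHOLDER' | Export-Clixml .\accountlogon.xml
```

4768 is only recorded on domain controllers, while 4776 appears on whichever machine validated the credentials (the DC for domain accounts, the local host for local accounts), so the host you query decides which of the two you will see.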

Live forensics: prefetch and powershell - 8bits blog

Parsing Windows Eventlogs in Powershell - ISC Diary

PoshSec (PowerShell Security) - GitHub - (added to post 09/15/2013) - added after great comment tip from J Wolfgang Goerlich.

  • PoshSec Main Repository - GitHub - PoshSec Wiki - per that page:
  • Current Release Features

    This initial project release was based on SANS CSIS 20 Controls to assist an organization securing itself against digital attacks. The purpose of this release is to "baseline" an environment given the stated controls in the CSIS. The release is focused on the following controls:

    • Account Monitoring
    • Inventory of Authorized and Unauthorized Devices
    • Network Baseline

    Account Monitoring

    • accounts that do not expire
    • accounts that expire
    • list all accounts
    • disabled accounts
    • locked out accounts
    • passwords over expired date
    • disabled account access

    Inventory of Authorized and Unauthorized Devices

    • DNS Logging Status
    • Inventory

    Network Baseline

    • open ports


    This project started by Will Steele (@pen_test) and Matt Johnson (@mwjcomputing) has several goals:

    • Publish a PowerShell module to aid people in the use of PowerShell in regards to security.
    • Provide some guidance on how to use PowerShell in the information security space, on both the offensive and defensive side with blog posts and articles.
    • Be a location to obtain links to others using PowerShell in the information security space.
  • Getting Started with PoshSec - PoshSec Wiki.

Digital Forensic Case Leads : Flame On! The most sophisticated malware since...the last one, Higher Ed data breach and PowerShell forensics - SANS Computer Forensics and Incident Response blog - (added to post 09/15/2013) - buried near the bottom are these PS gems under the “Good Reads” section:

I suspect that just because there isn’t that much (yet) material in this area, doesn’t mean that PowerShell isn’t a worthwhile supplemental tool in these areas. Powershell is primarily used for system administration tools and tasks, but I bet that with time and development, some clever out-of-the-box thinkers can expand on how it can be leveraged. Particularly if it involves collecting and parsing out registry, activity logs, and file-system data remotely from live systems.

As the Hey, Scripting Guy! Ed Wilson posted in one of the aforementioned links:

RM, the key thing to remember, whether you are doing security forensics, Exchange Server administration, Office automation, or anything between, is that Windows PowerShell is Windows PowerShell is Windows PowerShell. This means that all of the Windows PowerShell best practices still apply. One of those Windows PowerShell best practices is to preserve the object. The object-oriented nature of Windows PowerShell is one of the revolutionary features of the language, and it is a major contributor to its ease-of-use.

Note: When doing any type of computer forensics, a major principle is to avoid making any changes to the system. Therefore, as a crucial first step, you should use a tool such as the Windows Sysinternals utility tool, Disk2vhd, so you can be assured of not changing things like file access times on the original system.

Therefore, in keeping with the object-oriented nature of Windows PowerShell, you want to use techniques that preserve the object for as long as possible.

So my question is this, do any of the ForSec/Incident Response readers of this blog know of any other recommended resources that would be useful to me and others in using PowerShell in these applications?

If you do, please drop a tip/recommendation or even a “sanitized to protect the guilty” case-study example in the comments.


--Claus V.


J Wolfgang Goerlich said...

Hello Claus,

Quite the list you've started. I agree: the application of PowerShell for forensics is ripe for innovation.

With respect to the talk Matt and I gave, we have further developed the idea into the PoshSec framework. The current release focuses on security controls and response. There is work underway to add specific DFIR capabilities.

Matt is also looking for volunteers for documenting and developing, if you are interested in collaborating.



Claus said...

@ J Wolfgang Goerlich - Thank you very much for saying so and sharing the PoshSec framework link.

I've added it into the post list with some details from the project page.