Moving On

In the next couple of weeks I will be moving on to a position with Cisco Talos as a Research Engineer. I'm very excited about the move and the chance to work with an awesome group of people. I can't wait to get started, and the move has rekindled the love I once had for staying up late to learn some new techniques. So here is a script I created to grab useful IR info from a Windows box with PowerShell. I guess you could also use it to grab info while doing pentests as well. It's very generic and crude as I'm just starting to get into PowerShell.


#
# Name: Win_IR.ps1
# Desc: PowerShell script for gathering useful information for
# performing IR on a Windows Host
#
# by: Tim Muniz
# Date: 20151221

get-date -format s
whoami
hostname

#Get Boot Time
systeminfo | select-string -pattern 'System Boot Time.*'

#Get Running Processes
Get-Process | Format-Table

#Get Registry Keys
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"

#Scheduled Tasks
Get-ScheduledTask | Format-Table

#Get Mount Points
net view \\localhost
net use

#Network Statistics (native commands emit plain text, so no Format-Table is needed)
nbtstat -s
netstat -ano
arp -a
route print

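#Search for Encrypted Files (only finds Windows Encrypted Files)
cipher /Y #Show the current EFS certificate thumbprint
#Walk the whole C: drive; lines starting with "E" are EFS-encrypted items
cipher /s:C:\ | Select-String -pattern '^E .*'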

#Get Active IP Network Information
Get-NetIPConfiguration | Format-Table

#Get Firewall States
Get-NetFirewallRule | Where { $_.action -eq "Allow" } | Select-Object Name,DisplayName,Enabled,Profile | Format-Table

#Get Installed Software
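#Each installed product is a subkey of Uninstall, so enumerate the subkeys
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate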

#Get local user accounts
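#LocalAccount filter keeps a domain-joined host from enumerating domain accounts
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | Format-Table -Property FullName, Name, SID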
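
An added example, not part of the original script: a small wrapper that runs Win_IR.ps1, saves everything it prints to a timestamped file without Format-Table truncating the columns, and records a SHA-256 of that file. The wrapper's parameter names and the `.\ir_output` directory are assumptions made for illustration.

```powershell
# Added example: wrapper for collecting Win_IR.ps1 output as evidence.
# Assumptions: Win_IR.ps1 sits in the current directory and .\ir_output
# is a hypothetical output location (ideally on external media).
param(
    [string]$ScriptPath = '.\Win_IR.ps1',
    [string]$OutDir     = '.\ir_output'
)

if (-not (Test-Path -Path $ScriptPath -PathType Leaf)) {
    throw "Collection script not found: $ScriptPath"
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One file per host and run, e.g. HOSTNAME_20151221T235900.txt
$stamp   = Get-Date -Format 'yyyyMMddTHHmmss'
$outFile = Join-Path $OutDir ("{0}_{1}.txt" -f $env:COMPUTERNAME, $stamp)

# *>&1 merges the error, warning and verbose streams into the output, so
# commands that fail are recorded in the file instead of being lost.
# -Width stops Format-Table output from being cut at the console width.
& $ScriptPath *>&1 | Out-File -FilePath $outFile -Encoding UTF8 -Width 4096

# Record a SHA-256 of the collected output so later copies can be verified.
$hash = Get-FileHash -Path $outFile -Algorithm SHA256
"{0}  {1}" -f $hash.Hash, (Split-Path -Path $outFile -Leaf) |
    Out-File -FilePath "$outFile.sha256" -Encoding ASCII

$hash | Select-Object Algorithm, Hash, Path
```

Run it from an elevated prompt so the firewall, scheduled task and cipher queries return complete results.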
