Moving On

In the next couple of weeks I will be moving onto a position with Cisco Talos as a Research Engineer. I'm very excited about the move and the chance to work with an awesome group of people. I can't wait to get started and the move has rekindled the love I once had for staying up late to learn some new techniques. So here is a script I created to grab useful IR info from a Windows box with PowerShell. I guess you could also use it to grab info while doing pentests as well. It's very generic and crude as I'm just starting to get into PowerShell.


#
# Name: Win_IR.ps1
# Desc: Powershell script for gathering useful information for
# performing IR on a Windows Host
#
# by: Tim Muniz
# Date: 20151221

get-date -format s
whoami
hostname

#Get Boot Time
systeminfo | select-string -pattern 'System Boot Time.*'

#Get Running Processes
Get-Process | Format-Table

#Get Registry Keys
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"

#Scheduled Tasks
Get-ScheduledTask | Format-Table

#Get Mount Points
net view \\localhost
net use

#Network Statistics
nbtstat -s | Format-Table
netstat -ano | Format-Table
arp -a | Format-Table
route print

#Search for Encrypted Files (only finds Windows Encrypted Files)
cipher /Y #EFS Enabled
cipher /s:c: | Select-String -pattern '^E .*'

#Get Active IP Network Information
Get-NetIPConfiguration | Format-Table

#Get Firewall States
Get-NetFirewallRule | Where { $_.action -eq "Allow" } | Select-Object Name,DisplayName,Enabled,Profile | Format-Table

#Get Installed Software
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

#Get local user accounts
Get-WmiObject -class win32_useraccount  | format-table -Property Fullname, name, sid

Comments

Post a Comment

Popular posts from this blog

And now for something completely different...

Over the course of my INFOSEC career I've worked in many different positions. IDS, network analysis, pentester, mobile application testing and a few others but one area has always stoked my interest. Vulnerability development is an area I wish I knew more about along with having a better grasp of reversing software. So over the next few months I've decided to try and fuel that interest by jumping into the world of fuzzing. I have chosen to start messing around with american fuzzy lop (AFL)  and see if I can find my first CVE. So here goes nothing.
Read more

Testing Joomla for CVE-2015-8562

Over the last couple of days I've been responding to question about Joomla's 0-day which has been gaining some attention lately. I decided to write a PowerShell script to check a Joomla server if it is running the at least 3.4.6 or 3.4.7. Hope you enjoy it and let me know your thoughts. ############################################################################################### # # Script: CheckJoomla.ps1 # By: Tim Muniz # Date: 20151222 # ############################################################################################### <# .SYNOPSIS This script checks Joomla Version to check if the remote host is vulnerable to CVE-2015-8562. .DESCRIPTION This script checks Joomla Version to check if the remote host is vulnerable to CVE-2015-8562. .PARAMETER target a host running Joomla to test. .PARAMETER Https To test a host running SSL/TLS.  This is an optional parameter. .EXAMPLE Check remote Joomla
Read more

Been awhile hasn't it.

It's been over a year since the last time I posted anything so I'll give a quick update. The whole AFL thing didn't pan out as much as I'd like as I never really made time for it. I did add another child into the world so I got that going for me. As for work, I'm still at Cisco Talos doing the Detection Response Team (DRT) stuff, basically creating rules for Snort and sigs for ClamAV. That's going ok, gets a little mundane at times as I'm a researcher by trade and love looking into different things, especially mobile stuff, but overall I feel it's going well. At least no one has told me otherwise. That's pretty much it for me over the last year so lets start on some new exciting info. I recently went to TROOPERS  for TROOPERS19 and it was awesome. For those that don't know, it is a computer security conference in Heidelberg, Germany that takes place in March time frame. The city of Heidelberg was beautiful and the content of the conference was
Read more