Quick powershell DFIR script

gistfile1.txt

param(
    [Parameter(Mandatory=$false)]
    [string]$SuspiciousPath,
    [string]$UserName,
    [switch]$Help
)

function Show-Help {
    Write-Host "Usage: .\script.ps1 [-SuspiciousPath] <path> [-UserName <username>] [-Help]"
    Write-Host "Investigate a suspicious file."
    Write-Host ""
    Write-Host "Options:"
    Write-Host "  -SuspiciousPath <path>   Path to the suspicious file (required)."
    Write-Host "  -UserName <username>     Manually specify the username for investigation."
    Write-Host "  -Help                    Show this help message."
    Write-Host ""
    Write-Host "Examples:"
    Write-Host "  .\script.ps1 -SuspiciousPath ""C:\Users\csanders\Downloads\suspicious.txt"""
    Write-Host "  .\script.ps1 -SuspiciousPath ""C:\Users\csanders\Downloads\suspicious.exe"" -UserName ""johndoe"""
    Exit
}

if ($Help -or !$SuspiciousPath) {
    Show-Help
}

# Rest of the script remains the same

# Get the file owner
$file = Get-Item $SuspiciousPath
$owner = (Get-Acl $SuspiciousPath).Owner
$extractedUserName = $owner.Split('\')[-1]

if ($UserName) {
    $user = $UserName
} else {
    Write-Host "File Owner: $extractedUserName"
    $proceed = Read-Host "Do you want to proceed with this user? (Y/N)"
    if ($proceed -eq "Y") {
        $user = $extractedUserName
    } else {
        $user = Read-Host "Enter the username manually"
    }
}

# Check file properties
Write-Host "Checking file properties..."
Write-Host "File Name: $($file.Name)"
Write-Host "File Size: $($file.Length) bytes"
Write-Host "Created: $($file.CreationTime)"
Write-Host "Modified: $($file.LastWriteTime)"

# Calculate file hash
$hash = Get-FileHash $SuspiciousPath -Algorithm SHA256
Write-Host "SHA256 Hash: $($hash.Hash)"

# Analyze the directory
Write-Host "Analyzing the directory..."
$directory = Split-Path $SuspiciousPath
Get-ChildItem $directory | Format-Table -AutoSize

# Review system logs
Write-Host "Reviewing system logs..."
Get-EventLog -LogName Security -InstanceId 4688 | Where-Object { $_.Message -like "*$($file.Name)*" }

# Investigate network activity
Write-Host "Investigating network activity..."
$startTime = (Get-Date).AddHours(-24)
$endTime = Get-Date
Get-NetTCPConnection | Where-Object { $_.CreationTime -ge $startTime -and $_.CreationTime -le $endTime }

# Examine persistence mechanisms
Write-Host "Examining persistence mechanisms..."
Get-CimInstance Win32_StartupCommand | Where-Object { $_.Command -like "*$($file.Name)*" }
Get-ScheduledTask | Where-Object { $_.Actions -like "*$($file.Name)*" }

# Analyze user activity
Write-Host "Analyzing user activity..."
Get-EventLog -LogName Security -InstanceId 4624 | Where-Object { $_.Message -like "*$user*" }

# Retrieve command execution history from ShellBags
Write-Host "Retrieving command execution history from ShellBags..."
$shellBagsPath = "HKCU:\Software\Microsoft\Windows\Shell\Bags"
$shellBagsItems = Get-ChildItem -Path $shellBagsPath -Recurse -ErrorAction SilentlyContinue
foreach ($item in $shellBagsItems) {
    $value = Get-ItemProperty -Path $item.PSPath -Name "Command" -ErrorAction SilentlyContinue
    if ($value -ne $null -and $value.Command -ne $null) {
        Write-Host "Command: $($value.Command)"
    }
}

# Scan for malware
Write-Host "Scanning for malware..."
Start-MpScan

# Investigate similar systems
Write-Host "Investigating similar systems..."
$computers = Get-ADComputer -Filter *
foreach ($computer in $computers) {
    Invoke-Command -ComputerName $computer.Name -ScriptBlock {
        Get-ChildItem -Path "C:\Users\" -Recurse -Include "$($using:file.Name)" -ErrorAction SilentlyContinue
    }
}