Captures host (node) diagnostics while attempting to run a test container: Docker/system inventory, a Windows Filtering Platform state dump, and Security/Application/System/HCS/HNS event-log entries from the run window. (It does not take a packet capture; the "network trace" is the WFP filter state plus the host-networking event logs.)
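<#
.SYNOPSIS
Utility captures information while attempting to run test container
.DESCRIPTION
Writes Docker, process, installed-product, firewall and Group Policy inventory for this host to
OutputPath, turns on auditing for every audit category, runs the test container once (waiting up to
WaitForContainerStartSec seconds for it to exit), reverts the audit-policy change, then exports the
WFP filter state and the Security/Application/System/HCS/HNS event-log entries from the run window.
Must be run elevated: auditpol, 'netsh wfp' and reading the Security event log all require
administrator rights.
.PARAMETER ContainerName
Name of the container to create
.PARAMETER ContainerImage
Name of the container image to run
.PARAMETER WaitForContainerStartSec
Number of seconds script should wait for container to start before capturing results
.PARAMETER OutputPath
Existing directory that receives every output file. Defaults to the script's own directory, or to
the current location when the script body is run without a file (dot-sourced or pasted) and
$PSScriptRoot is therefore empty. A trailing backslash is tolerated.
.NOTES
The output directory ends up holding a Security event-log export, the process list, installed
products, firewall policy and a gpresult report - a sensitive inventory of the host. Keep the
directory restricted to administrators and redact before sharing the bundle outside the team.
#>
#Requires -RunAsAdministrator
[cmdletbinding()]
param(
    [string] $ContainerName = 'test-hw',
    [string] $ContainerImage = 'hello-world',
    [int] $WaitForContainerStartSec = 10,
    # ValidateScript is not applied to the default value, so the default must itself be a usable
    # directory: without this fallback an empty $PSScriptRoot would send every file to
    # "\<host>_..." at the root of the current drive.
    [ValidateScript({Test-Path -Path $_ -PathType Container})]
    [string] $OutputPath = $(if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).ProviderPath })
)
# Normalise so "$OutputPath\file" never yields a doubled backslash.
$OutputPath = $OutputPath.TrimEnd('\')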
# Collect some system information
# Every artifact is prefixed with the host name so output from several nodes can be pooled in one folder.
$filePrefix = "$OutputPath\$($ENV:COMPUTERNAME)"
Write-Verbose "[$(Get-Date -Format s)] Getting docker information..."
docker version --format "{{json .}}" | Out-File "${filePrefix}_Docker-Version.json"
docker system info --format "{{json .}}" | Out-File "${filePrefix}_Docker-Info.json"
# docker prints one JSON object per line; ConvertFrom-Json handles each line as it arrives, giving
# Export-Csv a flat list of objects to tabulate.
docker system df --format "{{json .}}" | ConvertFrom-Json | Export-Csv -NoTypeInformation -Path "${filePrefix}_Docker-Disk.csv" -Force
docker image ls --no-trunc --format "{{json .}}" | ConvertFrom-Json | Export-Csv -NoTypeInformation -Path "${filePrefix}_Docker-Image-List.csv" -Force
Write-Verbose "[$(Get-Date -Format s)] Getting process list..."
Get-Process | Export-Csv -NoTypeInformation -Path "${filePrefix}_Process-List.csv" -Force
Write-Verbose "[$(Get-Date -Format s)] Getting installed applications..."
# NOTE: Win32_Product is slow and is known to trigger an MSI consistency check of every installed
# product as a side effect; acceptable for a one-off diagnostic, but do not run this on a schedule.
Get-CimInstance -ClassName Win32_Product | Export-Csv -NoTypeInformation -Path "${filePrefix}_Product-List.csv" -Force
Write-Verbose "[$(Get-Date -Format s)] Obtaining Windows Firewall Profile settings..."
# ActiveStore reflects the effective profile settings (local + Group Policy), not just the local store.
Get-NetFirewallProfile -PolicyStore ActiveStore | Export-Csv -NoTypeInformation -Path "${filePrefix}_WinFirewall-Profile.csv" -Force
Write-Verbose "[$(Get-Date -Format s)] Obtaining Windows Firewall Policy registry settings..."
# The policy key only exists when firewall settings are delivered by GPO; on an unmanaged host
# 'reg export' reports the key as missing and no .reg file is produced. That is expected.
reg export HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall "${filePrefix}_WinFirewall-Policy.reg" /y
Write-Verbose "[$(Get-Date -Format s)] Listing filters..."
# Loaded minifilter drivers (AV, EDR, backup agents) - the usual suspects when container start hangs.
fltmc.exe | Out-File "${filePrefix}_fltmc.txt" -Force
Write-Verbose "[$(Get-Date -Format s)] Obtaining Group Policy settings..."
gpresult /SCOPE computer /H "${filePrefix}_gpresult.html" /F
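# Enable auditing and (attempt) to start container
Write-Verbose "[$(Get-Date -Format s)] Enabling auditing..."
# All nine top-level audit categories; auditpol takes them as one comma-separated list of quoted names.
$categoryList = '"System","Logon/Logoff","Object Access","Privilege Use","Detailed Tracking"'
$categoryList += ',"Account Management","DS Access","Account Logon","Policy Change"'
# Snapshot the host's existing audit policy before touching it. The earlier version of this step
# blanket-disabled every category once the test finished, which silently wiped whatever auditing the
# host had configured before the run - a detection-coverage regression on any production node.
# Restoring from this backup returns the host to its prior state instead.
$auditPolicyBackup = Join-Path -Path $OutputPath -ChildPath "$($ENV:COMPUTERNAME)_AuditPolicy-Backup.csv"
auditpol.exe /backup /file:"$auditPolicyBackup"
auditpol.exe /set /category:$categoryList /success:enable /failure:enable
$containerRunOutputPath = Join-Path -Path $OutputPath -ChildPath "$($ENV:COMPUTERNAME)_Container-Run-Output.txt"
# docker is launched through cmd.exe only so that stdout and stderr land in one file (Start-Process
# cannot redirect both streams to the same file). The cost is that ContainerName, ContainerImage and
# the output path are interpreted by the cmd.exe parser: they are quoted here so a value containing
# spaces or cmd metacharacters (&, |, >, ^) cannot split the command line or redirect output elsewhere.
# Pass only operator-controlled values to these parameters.
[string] $processToStart = 'cmd.exe'
[string[]] $dockerArgs = @('/c', 'docker.exe', 'container', 'run', '--rm', '--name', "`"$ContainerName`"", "`"$ContainerImage`"", '>', "`"$containerRunOutputPath`"", '2>&1')
Write-Verbose "[$(Get-Date -Format s)] Starting w/command [$processToStart $dockerArgs])..."
$activityStart = Get-Date
# docker container run --rm --name $ContainerName hello-world
$dockerProcess = Start-Process -FilePath $processToStart -ArgumentList $dockerArgs -PassThru
# WaitForExit(ms) returns $false on timeout. Capture the result so the boolean is not written to the
# pipeline, and so a still-running container is visible in the log: anything it emits after
# $activityEnd falls outside the event-log capture window below.
$exitedInTime = $dockerProcess.WaitForExit(1000 * $WaitForContainerStartSec)
$activityEnd = Get-Date
if (-not $exitedInTime) {
    Write-Warning "[$(Get-Date -Format s)] Container process did not exit within $WaitForContainerStartSec seconds; captured results cover a partial run."
}
Write-Verbose "[$(Get-Date -Format s)] Restoring audit policy..."
if (Test-Path -Path $auditPolicyBackup -PathType Leaf) {
    auditpol.exe /restore /file:"$auditPolicyBackup"
} else {
    # No backup (e.g. auditpol /backup failed): fall back to switching the categories off again
    # rather than leaving full auditing enabled on the host.
    Write-Warning "[$(Get-Date -Format s)] Audit policy backup not found at '$auditPolicyBackup'; disabling the categories enabled above instead."
    auditpol.exe /set /category:$categoryList /success:disable /failure:disable
}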
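# Collect diagnostic results
$resultPrefix = "$OutputPath\$($ENV:COMPUTERNAME)"
Write-Verbose "[$(Get-Date -Format s)] Capturing WFP state (after)..."
# Only a post-run snapshot is taken - there is no "before" capture to diff against, so filters
# that were already present before the container started cannot be distinguished from new ones.
# netsh documents the argument as 'file = <path>', spaces included.
netsh wfp show state file = "${resultPrefix}_wfpstate-after.xml"
Write-Verbose "[$(Get-Date -Format s)] Export Events..."
# Classic event logs (Security needs elevation). Entries are restricted to the container-run window
# so the export holds only what the audit categories enabled above produced during the test; if the
# container did not exit within the wait period, later entries are not included.
foreach ($logName in @('Security', 'Application', 'System')) {
    Get-EventLog -LogName $logName -After $activityStart -Before $activityEnd |
        Sort-Object -Property TimeGenerated |
        Export-Csv -NoTypeInformation -Path "${resultPrefix}_Event-Log-$logName.csv" -Force
}
# ETW-backed logs for the Host Compute Service and Host Network Service, same time window.
# -ErrorAction SilentlyContinue is there mainly to swallow the non-terminating error Get-WinEvent
# raises when no events match; it also hides any other failure (missing log, access denied), so an
# empty or absent CSV here is not proof that nothing happened. These are written newest-first,
# unlike the classic logs above.
$etwLogs = @(
    'Microsoft-Windows-Hyper-V-Compute-Operational',
    'Microsoft-Windows-Host-Network-Service-Admin',
    'Microsoft-Windows-Host-Network-Service-Operational'
)
foreach ($logName in $etwLogs) {
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $logName
        StartTime = $activityStart
        EndTime   = $activityEnd
    } | Sort-Object -Property TimeCreated -Descending |
        Export-Csv -NoTypeInformation -Path "${resultPrefix}_Event-Log-$logName.csv" -Force
}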